Auditor uncovers ‘spying’ risk in Covid-19 contact tracing system

An audit has identified significant weaknesses in the privacy safeguards of Western Australia’s Covid-19 contact tracing system.

Caroline Spencer, Auditor General of Western Australia

A report filed last week by state Auditor General Caroline Spencer reviewed WA Health’s Covid-19 Unified Public Health System (PHOCUS), which collects information about people who have tested positive for Covid-19 and their contacts.

The state government contracted external vendors in April 2020 to provide the cloud-based system, which collects information from a variety of sources including check-ins, public transport e-ticketing systems, ride-sharing services, pathology laboratories and video surveillance.

As of March this year, it had data on 128,600 covid-positive people as well as 41,400 close and casual contacts and 50,400 travellers.

Ms Spencer said the department allowed unnecessary access to the system, with the supplier able to access the system more than a year after its contract ended.

There was also inadequate monitoring of system users, which increased the risk of inappropriate access to highly sensitive personal data, including pregnancy and medication information.

Sources of Information Collected by the PHOCUS Contact Tracing System (WA OAG)

“I expected to find robust access controls for such sensitive medical and personal information, but we found a number of significant weaknesses,” Ms Spencer said.

“WA Health does not adequately record and monitor who has accessed the information to detect inappropriate changes or spying.”

WA also gave the community little information about the types of information collected by PHOCUS and did not specify that the information was stored indefinitely.

“This lack of transparency can have unintended consequences, including an erosion of trust in government institutions,” she said.

The audit also revealed a risk of inaccurate data due to poor data management.

Absence of privacy laws in WA

Ms Spencer said WA Health needs to ensure its privacy practices comply with Commonwealth privacy laws, as the state does not have its own comprehensive legislation.

The report recommends improving transparency, addressing supplier contract risks and developing contract management plans.

In any emerging crisis, government responses must consider the impacts on trust in government and the importance of upholding the universal human right to privacy of information.

Caroline Spencer

Ms Spencer noted that WA had accepted the report’s recommendations and was working to address some of the identified weaknesses.

No violations, says WA Health

WA Health says it was forced to implement the system under time pressure, but there were no privacy breaches.

“No privacy breaches have occurred in relation to the system, continuous data cleaning and quality control is undertaken, no inaccuracies in the status of cases impacting management have been found and no inappropriate use of the system has been recorded,” it said.

The $2.8 million PHOCUS system was designed so that it could be reused for other infectious diseases.

“Our recommendations will help protect not only the information in PHOCUS, but also future information, if the system is used for other diseases,” Spencer said.
