Auditor finds risk of ‘snooping’ in Covid-19 contact tracing system

An audit has identified significant weaknesses in privacy safeguards in Western Australia’s Covid-19 contact tracing system.

WA Auditor General Caroline Spencer

A report tabled by the state’s Auditor General Caroline Spencer last week looked at WA Health’s Public Health Covid-19 Unified System (PHOCUS), which gathers information about people who have tested positive for covid and their contacts.

The state government engaged external vendors in April 2020 to deliver the cloud-based system, which gathers information from a range of sources including check-ins, public transport e-ticketing systems, ride share services, pathology labs and CCTV.

As of March this year it held data about 128,600 covid-positive people as well as 41,400 close and casual contacts and 50,400 travellers.

Ms Spencer said the department had allowed unnecessary access to the system, with the vendor able to access the system more than a year after the end of its contract.

There was also inadequate monitoring of who was using the system, increasing the risk of inappropriate access to highly sensitive personal data including information about pregnancy and medication.

Sources of information collated by the PHOCUS contact tracing system (WA OAG)

“I expected to find robust access controls for such sensitive medical and personal information however we found a number of significant weaknesses,” Ms Spencer said.

“WA Health does not adequately log and monitor who has accessed information to detect inappropriate changes or snooping.”

WA had also given the community little information about the types of information PHOCUS collected and hadn’t made clear that the information was stored indefinitely.

“This lack of transparency can lead to unintended consequences, including erosion of trust in government institutions,” she said.

There was also a risk of inaccurate data because of poor data management, the audit found.

Lack of privacy laws in WA

Ms Spencer said WA Health needs to ensure its privacy practices are consistent with commonwealth privacy laws, given that the state doesn’t have any comprehensive legislation of its own.

The report recommends improving transparency, addressing risks in vendor contracts and developing contract management plans.

In any emerging crisis, government responses should consider impacts on trust and confidence in government and the importance of upholding the universal human right to information privacy

Caroline Spencer

Ms Spencer noted that WA had accepted the recommendations of the report and was working to address some of the weaknesses identified.

No breaches, says WA Health

WA Health says it was forced to implement the system under time pressure, but there hadn’t been any privacy breaches.

“No breach of privacy has occurred in relation to the system, continuous data cleansing and quality checking is undertaken, no inaccuracies in case status impacting management were found and no inappropriate use of the system was recorded,” it said.

The $2.8 million PHOCUS system was designed so it can be re-used for other infectious diseases.

“Our recommendations will help to protect, not only information in PHOCUS, but future information, if the system is used for other diseases,” Ms Spencer said.


One thought on “Auditor finds risk of ‘snooping’ in Covid-19 contact tracing system”

  1. Surprise, surprise. When ‘o’ when will the gov be able to operate and be involved in operations of this variety (software) where it is actually secure… In all seriousness, I don’t think any standard gov systems have been found to be secure. In VIC, they too were found to have breached QR data. And, I think it was NSW Police who had used QR data to support a case, trying to prove the location of said person…

    TRUST – they just don’t have it!!
