The Covidsafe app: speed at the expense of transparency and accountability

Photo: Markus Winkler via Unsplash

Australia’s COVIDSafe app was launched by the Australian Government in April 2020. The app uses Bluetooth technology to record “contact events” or “digital handshakes” between app users, which are stored on users’ phones for 21 days. Contact events include the encrypted ID of the other contact user, the Bluetooth signal strength during the event, and its duration and time (but not location data). If a user tests positive, this information is uploaded to the National COVIDSafe Data Store (a cloud-based data repository supported by Amazon Web Services and administered by the Digital Transformation Agency), where it can be decrypted for use by state contact tracers.
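The record layout and retention rule just described, as an added Python model (not the DTA's COVIDSafe source code). It keeps each contact event as an opaque encrypted peer ID, signal strength, duration and time with no location field, prunes anything older than 21 days, and builds an upload only on a positive test and with the user's consent, which is the consent requirement the next paragraph describes. The class and function names, the 16-byte stand-in ciphertexts and the reference time are assumptions constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Retention period for contact events on the phone, as the post describes.
RETENTION = timedelta(days=21)

# Constructed reference time used by the sample data below (assumption).
NOW = datetime(2020, 5, 1, 12, 0, tzinfo=timezone.utc)


@dataclass(frozen=True)
class ContactEvent:
    """One 'digital handshake'. No location field exists, by design."""
    peer_encrypted_id: bytes   # opaque ciphertext; the phone never decrypts it
    rssi_dbm: int              # Bluetooth signal strength during the event
    duration_s: int            # how long the two devices stayed in range
    seen_at: datetime          # when the event happened


class ConsentRequired(Exception):
    """Raised when an upload is attempted without the user's consent."""


class ContactStore:
    """On-device store that only ever holds the last 21 days of events."""

    def __init__(self):
        self._events = []

    def record(self, event):
        self._events.append(event)

    def prune(self, now):
        """Drop events older than RETENTION; return the number kept."""
        cutoff = now - RETENTION
        self._events = [e for e in self._events if e.seen_at >= cutoff]
        return len(self._events)

    def events(self):
        return list(self._events)


def build_upload(store, now, tested_positive, user_consented):
    """Payload the phone would send to the central data store.

    Returns None unless the user has tested positive, refuses to proceed
    without consent, and sends only in-window events with the peer IDs
    still encrypted (decryption happens server-side, not on the device).
    """
    if not tested_positive:
        return None
    if not user_consented:
        raise ConsentRequired("upload without the user's consent is prohibited")
    store.prune(now)
    return [
        {
            "peer_encrypted_id": e.peer_encrypted_id.hex(),
            "rssi_dbm": e.rssi_dbm,
            "duration_s": e.duration_s,
            "seen_at": e.seen_at.isoformat(),
        }
        for e in store.events()
    ]


def sample_store(now=NOW):
    """Constructed sample data: three events, one of them past the window."""
    store = ContactStore()
    store.record(ContactEvent(b"\x01" * 16, -60, 300, now - timedelta(days=1)))
    store.record(ContactEvent(b"\x02" * 16, -75, 120, now - timedelta(days=20)))
    store.record(ContactEvent(b"\x03" * 16, -55, 900, now - timedelta(days=25)))
    return store


if __name__ == "__main__":
    payload = build_upload(sample_store(), NOW, tested_positive=True, user_consented=True)
    for row in payload:
        print(row)
```

Running it prints the two in-window events; the 25-day-old event is discarded before anything leaves the phone, and calling `build_upload` with `user_consented=False` raises rather than silently uploading.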

The app has been hampered by concerns about its security, privacy, and effectiveness. Amendments to the federal Privacy Act (1987) created a legislative framework for protecting the privacy of app data and preventing ‘function creep’, i.e., the risk of data being used for purposes other than contact tracing, such as law enforcement. This framework follows the same format as other privacy laws in Australia (such as legislation that applies to the MyHealth Record System), setting out a series of permitted uses, collections, and disclosures of app data related to contact tracing and maintaining the data store and the app. All other collections, uses, or disclosures are prohibited, as is uploading app data from a user’s device to the data store without their consent, retaining or disclosing data to someone outside Australia (unless for contact tracing purposes), and decrypting app data on a user’s device.

Crucially, the legislation protects voluntary use, for example, by making it an offence to require someone to download or use the app, or to refuse to provide them with goods or services because they’re not using it. The legislation also creates a mechanism for dismantling the system when it is no longer needed, and for deleting the information contained in the data store.

The basic legislative privacy protections on the app are sound, although commentators have identified some ways in which they could be strengthened, for example, by providing for the periodic removal of contact event data from the data store.

Where the system really falls down is in the design and operation of the app itself. This invokes the concept of privacy by design, i.e., building privacy protections into the physical design, architecture, and computer code of the device or system concerned. Privacy in the digital realm can be protected through multiple channels, including contractual mechanisms, legislation, and design-based solutions. The physical design of the system or device is at least as important as – if not more important than – any legal frameworks that apply. This is often referred to as “code” or “architecture”-based regulation, and it’s interesting to consider whether or how the privacy and transparency concerns raised below could also be addressed through legislation.

Privacy advocates and tech experts have extensively canvassed the security and privacy flaws in the app, as well as technical problems that prevent it from operating effectively. This report, by a group of software development and cybersecurity experts, provides a comprehensive and readable summary. Some of the early bugs included “phone model and name being constantly exposed and unique identifiers being available to track over time… undetectable, permanent long-term tracking of iOS and Android devices and attackers being able to control devices remotely” (p.7). The authors point out that many of the app’s technical challenges stem from the use of Bluetooth for a function it wasn’t originally intended for, i.e., continually and indefinitely scanning the environment for other devices, and then making connections with them.

They also say that some of the technical issues with the app resulted from a lack of consultation with tech experts (and the wider community) during its development, as well as a lack of testing and verification.

Also concerning has been the DTA’s slow response to concerns raised by the tech community once the app was launched, as well as limited transparency in the scheme’s operation. This includes the DTA’s failure to release the number of active users, and the Government’s reluctance to release the full version of an independent report on the app’s operation, which found that the app imposed significant time costs on contact tracers for little additional benefit. Some of this information was omitted in a shorter version of the report originally made publicly available.

The Government has taken steps to address some of the bugs in the app, including through the adoption of the “Herald” protocol in December 2020, although the authors of the report mentioned above say this protocol still has problems, and in fact reintroduced some issues that had been fixed previously. They call for the Government to adopt the Exposure Notification Framework developed by Apple and Google, which doesn’t create the same privacy and security challenges as the Covidsafe app.

There have also been developments in the responsiveness and transparency of the scheme. For example, the DTA has identified a contact point for security concerns, and in April 2020, it made publicly available the full source code for the app, which is hosted on a Github repository. But, according to researcher Emma Blomkamp, the early lack of community engagement was a missed opportunity to build public acceptability of the app or a ‘social licence to operate’ (particularly among Australia’s diverse communities) and to inform the public about the app’s operation and the privacy protections that would apply.

Trust in government is crucial to an effective response to the COVID-19 pandemic. By now, we all know that governments possess highly coercive powers for responding to public health emergencies. But to a significant extent, governments must rely on people voluntarily doing the right thing, including downloading the Covidsafe app and sharing their personal information with contact tracers. That’s much more likely to happen when people trust the government, and that trust is much more likely when there’s a transparent and accountable system in place, combined with rigorous privacy protections, both “code” and law based.

This is an area where a fast rollout shouldn’t have come at the expense of a responsive, transparent, or accountable one.


ABC v St George’s Healthcare NHS Trust: a new duty at the intersection of healthcare confidentiality and harm to others

Image: DNA (Flickr – Miki Yoshihito)

The duty of confidentiality is crucial to building relationships of trust and confidence between patients and healthcare professionals, and to effective healthcare systems more broadly. However, the law recognises that the duty of confidentiality is not absolute and sometimes needs to yield to other public interests. A recent UK case, ABC v St George’s Healthcare NHS Trust [2020] EWHC 455 (QB), concerned the need to balance the public interest in protecting the confidentiality of health information against the public interest in preventing serious harm to others.

The case arose out of a tragic set of facts. In 2007, ABC’s father shot and killed her mother. He was convicted of manslaughter by reason of diminished responsibility and detained under the UK’s Mental Health Act 1983 at a clinic at Springfield Hospital. The father (referred to as XX in the judgment) received care from a multidisciplinary team, headed by Dr Olumoroti, a consultant forensic psychiatrist. Despite the devastating impact of her father’s offence, ABC continued to be involved in her father’s care, and attended family therapy sessions at Springfield Hospital.

During his detention, XX was diagnosed with Huntington’s Disease (a genetic condition that ABC had a 50% chance of inheriting). XX refused to disclose the diagnosis to ABC or her sister, despite learning in September 2009 that the claimant was pregnant. The Springfield clinical team was informed of the claimant’s pregnancy but disagreed as to whether she should be told about her father’s diagnosis. Ultimately, Dr Olumoroti – as XX’s responsible physician – decided against disclosure.

ABC had her baby in April 2010, and in August of that year, a Mental Health Tribunal directed XX’s discharge. Dr Olumoroti and a social worker visited the claimant’s home, where Dr Olumoroti accidentally disclosed XX’s diagnosis. In a twist of fate, ABC’s sister was then in the early stages of her first pregnancy, but ABC did not want XX’s diagnosis disclosed to her.

In 2013, ABC tested positive for the genetic mutation for Huntington’s Disease. She developed a psychiatric illness as a result and was greatly concerned for her daughter’s future.

ABC brought actions against three healthcare trusts responsible for the clinicians involved in XX’s care, including the Springfield Hospital clinical team. ABC argued that the three defendants had been negligent in failing to alert her to the risk she had inherited the gene for Huntington’s Disease in time to terminate her pregnancy. She also argued there had been a breach of the UK Human Rights Act 1998, but this played a minor role in the case. ABC sought damages for the continuation of her pregnancy, psychiatric harm, and consequential loss.

The case was initially struck out, a ruling that was overturned by the UK Court of Appeal, and the case was finally heard by Justice Yip in the UK High Court. ABC was ultimately unsuccessful against all three defendants, but perhaps surprisingly, Justice Yip held that Springfield Hospital owed her a duty of care in negligence. That duty is the focus of this post.

Justice Yip held that the negligence complained of fell outside of any pre-existing duty of care. However, Her Honour was prepared to create a new duty, based on the application of the Caparo test, the UK’s test for creating a novel duty of care in negligence.

First, harm to the claimant (i.e., psychological harm and the loss of the opportunity to terminate her pregnancy) was clearly foreseeable and had actually been foreseen by the clinical team, as was apparent from the evidence at trial and medical records.

Second, there was a relationship of sufficient proximity between ABC and Springfield Hospital, central to which was the claimant’s participation in family therapy. This created a patient-practitioner relationship between ABC and the hospital (in respect of those sessions), a relationship that gives rise to a well-established duty of care. Although the duty didn’t require disclosure of the diagnosis, the relationship meant that the hospital held a significant amount of information about ABC. For example, the clinical team knew she had suffered psychological harm as a result of her father’s offence and were working with her to help her come to terms with it. Had they wished to disclose the diagnosis to her, the family therapy sessions provided an avenue for doing so.

On the third limb of the test, Justice Yip concluded that it was fair, just and reasonable to impose on Springfield Hospital a duty to:

… balance [ABC’s] interest in being informed of her genetic risk against her father’s interest in preserving confidentiality in relation to his diagnosis and the public interest in maintaining medical confidentiality generally… The scope of the duty extends not only to conducting the necessary balancing exercise but also to acting in accordance with its outcome. [188]-[189]

Justice Yip framed this duty of care not as one to simply disclose confidential information when a patient has refused consent, but as a duty to balance the interests of the individual concerned against those of the patient, an exercise which may or may not lead to disclosure.

In the event of a legal challenge, the court would review the balancing exercise undertaken by the healthcare professional(s) concerned. There will only be a breach of the duty if the balancing exercise was not conducted properly and, had it been conducted properly, the defendant would have disclosed. The court will also set aside the defendant’s decision if the balancing exercise was conducted properly and the defendant would not have disclosed, but the decision is one that no responsible body of medical opinion would support.

The court’s role in cases involving this duty almost resembles a form of judicial review, where the court reviews whether the decision was reached by the correct procedure, rather than the correctness of the decision per se – unless the decision is completely unsupported by responsible medical opinion.

Generally speaking, it is uncommon (but not unheard of) for healthcare professionals to owe a duty to third parties outside the patient/practitioner relationship. But additionally, the duty in this case conflicts with the obligation of confidence owed to the patient themselves. Justice Yip pointed out that professional guidance (and existing legal authorities) already recognize that the obligation of confidence is not absolute and require a similar balancing exercise. Also, clinicians would be given considerable latitude in this balancing exercise by the courts.

Justice Yip was careful to stress that she was only deciding whether a duty of care arose on the particular facts of the case before her, which were unusual and created a relationship of close proximity between the defendant and the claimant – a central component in finding the duty existed. She was not creating a general duty of care owed by healthcare professionals to anyone who was not their patient, nor would the duty require healthcare professionals to chase down all the genetic relatives of their patient.

However, Justice Yip did not limit the duty to cases involving genetic information, but extended it to any kind of confidential health information. Accordingly, it has significant ramifications for UK healthcare professionals in a range of fields.

Australia is yet to see a similar case which creates something resembling a legal obligation to consider whether to disclose confidential information to at-risk individuals when patients refuse consent (Australian legal authorities and professional guidelines permit – but don’t require – disclosure in these circumstances). Such a duty seems unlikely in the near future, given the unusual factual matrix in ABC v St George’s Healthcare NHS Trust, the different legal context in Australia, and our own High Court’s reluctance to create novel duties of care in negligence.

Immigration department breaches the privacy rights of asylum seekers

Picture of facilities at Nauru Detention Centre, available from: https://www.humanrights.gov.au/publications/forgotten-children-national-inquiry-children-immigration-detention-2014/12-children

An article in The Guardian today claims that the Department of Immigration has sought access to confidential medical records of asylum seekers for ‘political purposes.’

The article reports on a briefing document written by a senior clinician at International Health and Medical Services (which delivers health services at mainland and offshore detention centres), which appears to show that the IHMS has disclosed asylum seekers’ health records to the immigration department for reasons not related to the health and welfare of individuals in detention.

As the article points out, this practice potentially breaches the Commonwealth Privacy Act, which prohibits the disclosure of health information to third parties (without the consent of the individual concerned), unless the disclosure is directly related to treatment of the individual (or in certain permitted circumstances, such as preventing a threat to public health or safety).

Further, the disclosure breaches clinicians’ duty of confidence towards their patients, and may also violate professional guidelines and codes of practice, such as the Medical Board of Australia’s Good Medical Practice code of conduct for doctors. Under the code, good medical practice includes protecting patients’ privacy and confidentiality, and ‘appropriately sharing information about patients for their health care.’

Disclosure of asylum seekers’ health records may seem like a relatively minor issue considering the many documented abuses perpetrated against individuals in detention. But privacy is an important underpinning to personal autonomy, and the right to control information about oneself is key to self-determination. The unauthorised disclosure of asylum seekers’ medical records represents a significant infringement of asylum seekers’ rights, and forms part of a broader trend towards dehumanising people in detention centres.

In part, the Privacy Act was enacted to give effect to Australia’s obligations under article 17 of the International Covenant on Civil and Political Rights, which states that ‘No one shall be subjected to arbitrary or unlawful interference with his privacy, family, home or correspondence, nor to unlawful attacks on his honour or reputation’ [sic]. The unauthorised disclosure of asylum seekers’ health records puts Australia at odds with its international human rights commitments, as well as breaching domestic privacy laws.

The disclosure of medical records for ‘political purposes’ (whatever that may mean) illustrates the Catch-22 situation faced by clinicians working in detention centres. Health professionals working in these centres must deal with the tension between their ethical and legal duties to patients, and pressure from government and private employers to act in ways that compromise the health and wellbeing of asylum seekers. This issue also raises serious questions about the immigration department’s approach to privacy and its management of highly personal, and potentially very sensitive, health information.