Legislative Council - Fifty-Fourth Parliament, Second Session (54-2)
2021-10-14 Daily Xml

Contents

COVID-19 QR Code Security

The Hon. R.A. SIMMS (14:31): I seek leave to make a brief explanation before addressing a question without notice to the Minister for Health and Wellbeing on the topic of QR code data.

Leave granted.

The Hon. R.A. SIMMS: According to a report by the Auditor-General released this week, SA Health has been holding onto the QR code data it receives for contact tracing indefinitely. This is despite the Department of the Premier and Cabinet deleting QR check-in data after 28 days. My question to the minister therefore is: with more than 400 million check-ins since the system was first introduced in December 2020, can the minister explain why SA Health has deemed it appropriate to hold on to this data beyond the 28 days?

The Hon. S.G. WADE (Minister for Health and Wellbeing) (14:31): I thank the honourable member for his question. To make it clear, he seems to be under a misapprehension: SA Health has not retained—I think you referred to—more than 400 million. The latest data I have is there have been 429 million total check-ins, but there is no suggestion in the Auditor-General's Report that SA Health has retained those check-in records.

The check-in records are stored in a data facility of the Department of the Premier and Cabinet. There was an issue raised about the retention of data and I will address that, but I think it's important to note that the Auditor-General wrote in his cover letter that:

Overall, I concluded that reasonable controls were applied by the Department of the Premier and Cabinet and SA Health to protect people's contact details obtained through the COVID Safe check-in app.

The government is strongly committed to maintaining and securing people's rights to privacy. As with many parts of the response to the pandemic, the storage of data for QR codes is a matter for continuous improvement, and certainly the government, including SA Health, will action the recommendations of the Auditor-General.

Before I address the particular issue of how SA Health came to retain data, I think it's important that we conduct this conversation in a very calm way because literally the last thing any of us would want to do is to undermine the state's response to COVID-19 and I have no doubt that QR code check-ins will be very important for the future public health response. We have seen it only in the last couple of weeks when we have had—let's remember, day after day—positive cases, significantly truck drivers, and it has been very important for the tracing of people to have had QR code data.

One of the challenges highlighted by the recent events with truck drivers is that, again, lower socioeconomic individuals are more vulnerable because they are less likely to have a smartphone. Some of these truck stations are in or near Aboriginal communities, which themselves have vulnerabilities, so it is really important that we maximise QR codes and that we don't undermine it.

Let me stress: the government affirms our responsibility to maintain privacy. If I may, I will explain how it comes to be that SA Health would retain data. The SA Health COVID Operations and the state Command Centre, health, request discrete subsets of QR check-in data collected and managed by the Office for Data Analytics, which is part of DPC, according to their data retention policies.

These small subsets relating specifically to contacts of positive cases of COVID-19, or people exposed to COVID-19 at an exposure site, are then used for the purposes of contact tracing. The subset data is used to identify a group or cohort of people for public health action which could involve advising them to quarantine, contacting them by SMS or email, as well as communicating with them once they are quarantined.

SA Health is responsible for their wellbeing during quarantine. For this reason, phone numbers and names of people are kept in the system for management as a contact or case of COVID-19 and data used for contact tracing is entered into a secure database as a health record under the Health Care Act 2008, and also retained under records management privacy requirements for communicable disease case histories. Information provided to COVID Operations for contact tracing purposes is not provided to third parties.

I think it is really important to stress that, whilst there isn't a legislative regime to support the privacy of QR codes per se, once it transitions into the health space it is protected statutorily, on my understanding, by both the Health Care Act and the Public Health Act. Both of them have confidentiality requirements, and I can assure you that the public health team, particularly the contact tracing team, is acutely aware of its responsibilities to protect privacy. In fact, when the history of COVID-19 in South Australia is written, one of the themes will be the tension between the police in their investigative role and contact tracers in their public health role and, if you like, the circumstances in which the public health team is willing to share information with police.

I strongly emphasise both to the council and to the South Australian community that SA Health is dealing with your information fundamentally to protect you and those you might come in contact with. It is being managed under the health policies and legislation. We are certainly keen to take opportunities through the Auditor-General's Report to continuously improve what we do because we share the honourable member's desire for privacy for the South Australian community as well.