In the early days of the COVID-19 pandemic, when we were all grappling with social distancing and personal protective equipment, the idea of contact tracing had many scratching their heads. In the age of automation, a manual process involving a team of people making calls and conducting interviews to find those exposed to the virus can seem almost counterintuitive. Perhaps this is part of why, in 2020, we saw a dedicated push to find digital solutions to the challenges of COVID-19. Digital contact-tracing solutions, such as the Australian government’s COVIDSafe app, have proven to be problematic. However, the adoption of visitor registers that record which individuals have visited specific locations, along with their contact details, has been far more helpful to contact tracers.
After the initial lockdowns, in an effort to get businesses, like retailers, bars and restaurants, back to work, a flurry of digital check-in solutions emerged to help businesses comply with new contact-tracing requirements. These systems provide QR codes, enable customers to sign in, maintain records and, if needed, disclose personal information to contact tracers. Many also request consent for direct marketing, either as an option or by bundled consent (that is, the customer must agree to receive marketing or they can’t check-in). In some states, such as New South Wales, electronic check-in services are now mandatory.
But what about privacy? A recent study conducted by the Consumer Policy Research Centre found that 94% of Australians are concerned about how their personal data is shared online. Can users trust the cavalcade of new app providers? Are these providers regulated? What happens to the data? Does keeping each other safe mean giving up our right to privacy — to not be tracked unnecessarily or receive unwanted marketing?
What laws apply?
Private sector organizations are covered by Australia’s federal privacy law, the Privacy Act 1988 (Cth). However, Section 6D states the Privacy Act does not apply to “small business operators,” which it defines as businesses with an annual turnover of less than A$3 million (with some exceptions).
So, do COVID-19 check-in app providers fall within this definition of a small business operator? The answer: It depends. Some do, and those providers are not regulated by the Privacy Act. As such, they could use check-in data for other purposes — for marketing or analytics, to build consumer profiles or to sell to third parties — all without consequences.
Let’s take a closer look.
Paid apps
Generally speaking, paid check-in app providers generate QR codes so users can navigate to the right page. The providers then collect and hold users’ personal data and disclose it to contact tracers when required. Users generally give explicit consent to this data collection, and the business that is using the provider’s service pays a monthly fee.
Some providers are large, established businesses and may have an annual turnover of more than A$3 million, which excludes them from the category of a small business operator and subjects them to compliance with the Privacy Act.
Other providers are startups and may not draw a large revenue, but by running a COVID-19 check-in app, they are arguably "disclosing personal information … for a benefit, service or advantage." This is commonly referred to as "trading in personal information" and excludes them from being considered a small business operator under Section 6D(4) unless they have the consent of the affected individuals (Section 6D(8)) — which, by and large, they do. Check-in apps usually include a consent request, and no one is being forced to dine at a restaurant or sit in a cafe; they choose to. Based on all this, these smaller providers probably still qualify as small business operators, exempt from the provisions of the Privacy Act.
Free apps
Some check-in apps are free to use, so the provider is not receiving a "benefit, service or advantage" for disclosing or otherwise dealing with the check-in records. Many of those providers are likely to be startups with low revenue, so they could also be considered small business operators under the Privacy Act.
The small business exemption is a significant gap in Privacy Act coverage, allowing organizations to collect large amounts of personal information but remain exempt from privacy regulations.
Australia is unusual in this respect. Other privacy regimes, like the EU General Data Protection Regulation, don’t have a similar carve-out.
How can we make sure privacy rights are protected?
State governments, such as those in NSW, Victoria and South Australia, are now offering their own free check-in solutions. They’re not covered by the Privacy Act, but their handling of personal information is regulated by their respective state’s privacy legislation. They also provide users with clear and specific assurances about security, guaranteeing that they will not use the data for secondary purposes, like marketing, and promising to delete data after 28 days if it’s not needed for contact tracing.
To date, there hasn’t been any legislative action to ensure that check-in providers are subject to privacy laws. NSW and Victoria are strongly recommending that businesses use the state-developed free check-in apps but haven’t required it. The Australian privacy regulator, the Office of the Australian Information Commissioner (OAIC), recently concluded its consultation on draft guidance for COVID-19 check-in solutions. The current (draft) recommendation is that businesses choose their check-in apps carefully — specifically, that they use check-in providers that are subject to the Privacy Act — and that other providers should voluntarily opt in to Privacy Act coverage (under Section 6EA).
It’s also notable that Australia is currently embarking on a review of the Privacy Act. An issues paper has been released to seek community input into the review. One of the questions posed in the paper is whether the small business exemption should be amended. Indeed, recent experiences with the multiple check-in solutions underline why this question is more relevant than ever. It is likely the review will consider the small business exemption in detail: whether it continues to be relevant in the digital age, and whether amending or removing it might create an unreasonable impost on small businesses or stifle innovation. Significantly, the OAIC itself has recommended that the small business exemption be removed.
Why does it matter?
For any digital service to be effective, the public needs to be able to trust it. Creating the conditions for trust requires transparency, clear rules and clear consequences for breaking the rules. If we can’t establish trusted relationships with users, users may act to protect themselves — by providing false names or contact details, for example, which ultimately makes everyone less safe.
Ensuring privacy rights are protected — and are seen to be protected — is key to building that trust. As we continue to develop digital solutions to public health problems, trust needs to be a key consideration in the design process.
The views expressed herein are those of the author(s) and not necessarily the views of FTI Consulting, its management, subsidiaries, affiliates or other professionals. FTI Consulting, including its subsidiaries and affiliates, is a consulting firm and is not a certified public accounting firm or a law firm. FTI Consulting is an independent global business advisory firm dedicated to helping organizations manage change, mitigate risk and resolve disputes: financial, legal, operational, political and regulatory, reputational and transactional. FTI Consulting professionals, located in all major business centers throughout the world, work closely with clients to anticipate, illuminate and overcome complex business challenges and opportunities.