But not decrypted, access or used, IGIS says.
One or more of Australia’s key intelligence and security agencies “incidentally” collected data relating to the COVIDSafe contact tracing app in its first six months of operations. But there is no evidence to suggest that any of the data was decrypted, accessed or used, the Inspector-General of Intelligence and Security (IGIS) has found.
The finding is contained in IGIS’s first report to the Office of the Australian Information Commissioner on Covid app data [pdf], released on Monday. The report, which looks at agencies like ASIO and ASD, said the collection occurred “in the course of lawful collection of other data”, which is permissible under the Privacy Act.
A spokesperson for the IGIS told iTnews that the “execution of warrants” was one such instance in which the incidental collection of Covid app data could occur.
“Collection is considered ‘incidental’ if it is not possible or not practicable to collect the data covered by the warrant without also inadvertently collecting COVIDSafe app data,” the spokesperson said.
The IGIS would not indicate which of the six agencies within its jurisdiction had “incidentally” collected the data.
The report also said that agencies are taking “active steps to minimise the risks that they may collect Covid app data”, as well as ensure data “is not access, used or disclosed” or decrypted.
It also found agencies were “taking steps to ensure any Covid app data is deleted as soon as practicable”.
Under the Privacy Act, agencies that incidentally collect COVIDSafe app data during a “lawful collection of information” are required to delete it “as soon as practicable”.
Stict penalities of up to five years jail are in place for the collection, use, disclosure or decryption of COVIDSafe data for any purpose other than contact tracing.
IGIS is now planning to independently verify that COVIDSafe app data has been “deleted as soon as practicable after an agency becomes aware that it has been collected” over the next six months.
“IGIS anticipates those inspections being completed prior to the next report to the Information Commissioner,” the spokesperson added.