Towards a trustworthy COVIDSafe app

elevenM Principal Melanie Marks has joined other leading privacy experts in a submission to the Australian Government on what is required of new federal legislation that will govern the new COVIDSafe app. 


The COVIDSafe app has been introduced at an unprecedented moment and a time of national urgency. To ensure we garner the level of community trust necessary for the app to succeed, we also need unprecedented and urgent legislation that ensures the right privacy safeguards are in place.

This is the essence of a submission made to the Attorney General’s Department by Australia’s leading privacy thinkers.

The submission – led by Peter Leonard (Principal, Data Synergies) and taking input from leading privacy practitioners including elevenM’s Melanie Marks – warns of a “backdoor” that could lead to leakage of data belonging to users of the COVIDSafe app, if new federal legislation governing the app is introduced without sufficient safeguards and coverage.

The paper lays out a series of suggestions to achieve the ultimate objective of ensuring the COVIDSafe app is safe for all citizens to use for its stated purpose of contact tracing.

State and Territory agencies – who will ultimately handle user data from the app – are currently not regulated by the Privacy Act. While the app states that a user’s data – which includes a log of other users of the app they have come in contact with – will only be used for contact tracing by State or Territory officials, the paper notes that enforcement of this currently relies merely on “agreement” and reassurances of “good intent”.

It argues for “legislated assurance” that the data won’t be potentially available to other government agencies, law enforcement and so on.

The paper recommends stronger safeguards and controls to ensure handling of COVIDSafe data by agencies is separated from other operations. It also calls for oversight of the legislation by a commissioner or ombudsman, and the encryption of all COVIDSafe app data in transit and at rest.

Read the full paper here.

Four principles for contact tracing technology

elevenM Principal Melanie Marks takes a closer look at proposals to use digital technology to support contact tracing, as governments seek better ways to manage the COVID-19 pandemic.


With reports that Australia may follow in Singapore’s footsteps to build a tracking and tracing app which allows governments and citizens to get ahead of the COVID-19 pandemic, we must ensure that innovation and laws are channeled towards the “right” intended outcomes.

The benefits of introducing greater data sharing at a time of crisis are obvious. However, there are also risks, so it’s critical we proceed in a considered way.

For me the key principles are:

  1. Do what you can to save lives.
  2. There shall be no scope creep.
  3. Permissions shall be wound back when the crisis passes.
  4. Post-implementation review is essential (covering law and processes).

We need to build for the short term or at least for a series of stages, featuring “gates” where civil liberties are checked before continuing. And we need guarantees that new architectures being introduced will not be put to secondary purposes. For example, whilst we might consider it okay to trace the movements of a COVID-19 affected patient in order to prevent exposure to others (primary purpose), we should not accept that the tracing can be used to identify how far a person strays from home, in order to hit them with a fine (secondary purpose). This is especially so if we consider that channels of procedural fairness may be harder to access in the circumstances (Robodebt comes to mind).

I had a chance to discuss these ideas recently with Jeremy Kirk, together with Patrick Fair and Susan Bennett, in an article published in DataBreachToday. Click here to read more.