It’s unclear who owns personal data collected by South Australia’s COVID-SAfe Check-In app, an audit has revealed.
An auditor general’s report released this week concludes that there’s no clear asset owner for the app, database and associated IT environment, undermining the ability of the government to respond to security incidents.
The app, used to check-in to venues, was released last December after a rapid development period as a contract tracing tool in response the COVID-19 pandemic.
The audit looked at controls to manage personal details captured via the app, focusing on the Department of Premier and Cabinet, which developed the technology and operates the system, and SA Health, which manages contract tracing.
“While it could be assumed that the implementing agency is the information custodian, there is no formally designated owner of the COVID-SAfe Check-in app data base and supporting IT environment,” the report concludes.
“Without clarity of roles and responsibilities, delays can occur in resolving security incidents and remediating any associated control risks.”
The report recommends the establishment of an ‘information custodian” as a clear asset owner with responsibility for managing the information.
Controls can be strengthened
Under the system used in SA, in the case of a covid out break the state’s health operations unit can request contact details captured by the app from DPC.
The data is then transferred to SA Health through an encrypted portal.
Auditor general Andrew Richardson said the app was “vitally important” for enhancing contact tracing.
He also concluded that overall “reasonable controls were applied by DPC and SA Health to protect people’s contact details obtained through the COVID-SAfe Check-In app”.
However he found some controls could be strengthened to better protect security over personal details.
The audit found DPC destroyed check in data after 28 days but kept backups, while SA Health retained the data it received indefinitely.
“There is a risk that if backups are restored, the restored information may contain people’s contact details captured through the COVID‐SAfe Check‐In app that are older than 28 days,” he said.
He also recommended that SA health should be more transparent about its data retention.
“For clarity of community messaging about the retention of data, it would be helpful if SA Health’s public communications include information,” the audit said.
The audit also found that some components of the COVID-SAfe Check-In IT environment were not included in DPC’s overarching Cyber Security Program and that neither department had done a full risk assessment on the adequacy of the end-to-end COVID-SAfe Check-In controls.
At the time of the review, DPC indicated there had been few reported public complaints or issues with the app’s performance the report says.
Mr Richardson also noted that IT systems are subject to change and ongoing management of the app’s systems and security will be required.
Comment below to have your say on this story.
If you have a news story or tip-off, get in touch at firstname.lastname@example.org.
Sign up to the Government News newsletter