Webinars      Login/Register      Cart

InfoGovANZ

Information Governance Think Tank

Featured

For Governance, Integration Matters

by

Effective corporate governance is not a one-size-fits-all approach, as recognised by regulators and self-regulatory organisations around the world. Principles propounded by local advisory and governing bodies provide guidance on how to effectively and transparently manage an organization and ensure it is meeting its obligations to all stakeholders. We will examine how corporate governance principles can be enhanced and improved by the explicit integration of information governance into companies’ corporate governance schema.

 

Corporate Governance

Corporate governance is, in its most general terms, how a business is controlled, governed, and operated. Principles of good corporate governance include fairness, accountability, responsibility, and transparency. A company’s system of governance is its framework of rules, relationships, controls, and processes.

Company management and boards have myriad responsibilities. These range from planning for pandemics, natural disasters, and other major events that can affect a company’s basic ability to conduct business and disrupt operations; managing the company’s workforce and supply chain; ensuring compliance with data privacy and security regulations; and staying on top of constantly evolving regulatory and reporting requirements in the different locations in which they operate.

Recent hot topics in corporate governance range from proper compensation and remuneration, to environmental and social concerns, to effective financial and operational reporting, to disaster (actual and virtual) planning. In the remuneration sphere, questions include what kind of actions executives are being incentivized to take and how to address gender, racial, and seniority pay disparities. On the environmental front, relevant considerations include preparing for natural disasters such as the wildfires that ravaged Australia and California in 2019, protecting the company against climate-related litigation, and measuring and disclosing climate-related risks. The ongoing Covid-19 global pandemic is certainly the most pressing recent global example of an unforeseen risk that organizations must manage. As countries work to bring their economies out of recession, lawmakers are identifying enhanced reporting and governance as key to recovery. For example, the EU’s reconfigured Green Deal to revitalize the block’s economies includes additional financial and business operations reporting for companies that receive assistance in recovering from the economic impact of the pandemic.

Each of these areas of focus requires a well-conceived and -executed schema to manage the information assets of the organization, which can be achieved by creating a framework for an evolutionary information governance (IG) program.

Rules and Guidelines

Most countries have specific corporate governance rules for companies that are listed on that country’s exchange or are regulated by that country. For example, the Australian Exchange (“ASX”) Corporate Governance Council has laid out eight guiding principles for effective corporate governance of listed companies. In the Philippines, the Securities and Exchange Commission has enacted the Code of Corporate Governance for Publicly Listed Companies with 16 guiding principles and related direction for listed companies, and the Monetary Authority of Singapore (“MAS”) requires listed companies to “comply or explain'' with its Code of Corporate Governance and the 13 principles and multiple provisions listed therein. These codes and guidances are consistent with the corporate governance rules and guidelines of other organizations across the world, such as the US Business Roundtable, the US Council of Institutional Investors, the UK Financial Reporting Council, and the European Corporate Governance Institute.

In addition to guidelines styled as corporate governance, other national and international institutions have offered guidance on enhancing governance to ensure robust risk mitigation. For example, in response to widespread misconduct in the Australian financial system, the Royal Commission into Misconduct in the Banking, Superannuation and Financial Services Industry found that a strong corporate governance culture is key to “encourage [the] sound management of non-financial risks, and to reduce the risk of misconduct.” Other organisations have explicitly called out other areas required for effective governance. An example is the 2012 Report of the Basel Committee on Banking Supervision. In response to the 2008 financial crisis which had at its core bad data (improperly valued loan assets), the Basel Committee issued a standard (BCBS 239) for Global Systemically Important Banks. The standard consists of “principles for effective risk data aggregation and risk reporting,” and recommends creating formal data, IT, and information governance frameworks.

With the exception of BCBS 239, many of these guidelines do not explicitly include information governance as part of corporate governance. As we explain below, information governance can support effective corporate governance, and its omission from formal inclusion should be addressed.

Information Governance

IG, in general terms, is the strategy and framework for managing information effectively in an organization, reducing risk and enhancing value and efficiency of operations. The key elements of effective IG are creating the processes and utilizing the appropriate technology and controls to ensure the integrity and reliability of the information, the accessibility and availability of that information, and its security over its lifecycle, from creation through storage and use, to disposition or archiving.

For many corporate stakeholders, IG is a foreign concept that may often be confused with data governance (which is an element of IG), relegated to the task list of the company’s IT operations or parked in its under-funded, under-resourced records management programs. It is much more than that: a well conceived IG program sits astride an organization’s business operations, ensuring that the organisation’s lifeblood -- information -- has integrity and is responsive to the business’s needs. A reliable, available, and usable corpus of information derived from good data is an essential element for any modern organization to tackle corporate governance issues. In the early days of Big Data that contributed to the definition of IG, Robert Smallwood specifically called out IG as a “super discipline,” encompassing a variety of areas ranging from data management and regulatory frameworks, to privacy and security considerations, and characterized IG as a “subset” of corporate governance. This characterization has evolved over time, as the need for an integrated framework has been recognised.

Good information governance can ensure that your managers and directors have timely access to accurate production, financial, and sales information on which to base decisions for the company. Good information governance can help your company securely transition to remote work and then maintain that as an enduring operational reality, enabling effective service for your customers’ needs through numerous disasters and ensuring business continuity. Good information governance means that your company’s information and data will be secure, available, and dependable.

The framework for an IG program should always evolve to reflect the changing nature of business conditions and corporate priorities. A great example of this will be the challenge faced by companies and municipalities in the EU as, in response to the COVID-19 related stimulus programs, they attempt to incorporate and accelerate the Green Deal principles and precepts in their highly regulated environments. Given the new economic realities as countries attempt to jumpstart their economic recoveries post-COVID, it will be interesting to watch how governments deal with privacy regulations and enforcement; if focus will shift to financial outcomes over enforcement of individual rights, particularly in the EU.

Convergence of Governance

As companies, boards, investors, and other stakeholders expand their corporate governance focus from financial performance to other important factors that affect the long-term sustainability of companies, information governance should also be a focus. Good information governance underpins good corporate governance in many areas. Some of the key issues that are top of mind for boards and management today that will benefit from strong information governance include cybersecurity, regulatory changes, global and local economic uncertainty, business continuity, enhanced financial reporting, among others. For more on these, see the recent article published by Susan Bennett and Professor Michael Adams entitled Information Governance Key to Good Corporate Governance.

To meaningfully address these and other concerns in the corporate governance sphere, companies must have a solid information governance foundation. A strong IG framework will ensure management access to accurate, reliable, and timely information, support audit responsibilities, and provide replicable processes upon which managers and boards can rely. By making IG concepts explicit in existing corporate governance codes and guidelines, companies, managers, boards, and investors are better positioned to understand how IG supports good corporate governance by improving information access, and enabling companies to become more resilient. In this section, we propose changes to existing corporate governance rules and guidelines by subject area, with detailed language proposals (by jurisdiction) in the Appendix, and in the following section, we lay out steps that companies, boards, and managers can take now -- because you don’t have to wait to embrace the convergence of governance.

Corporate Reports and Disclosures

Key to regulators, investors, markets, and the public’s understanding of what a company is doing and how it is operating are company reports and disclosures. While required or permitted disclosures vary from market to market, the common ground is that reports and disclosures must be timely, accurate, and responsive.. These public-facing documents include financial reports, annual disclosures, corporate governance disclosures, and material event disclosures. For example, the UK Corporate Governance Code explains in its first provision that the board must assess the basis on which the company generates and preserves value over the long-term and describe in the annual report the “opportunities and risks to the future success of the business,” the “sustainability of the company’s business model,” and specifically “how its governance contributes to the delivery of [the company’s] strategy.” 2018 UK Code Provision 1. Annual reports are often the main source of information about the company for shareholders and other stakeholders and the veracity and completeness of what is disclosed therein matters. In fact, the ASEAN Corporate Governance Scorecard has more than ten specific questions concerning the quality of companies’ annual reports. The ASX CGC directs companies to make fulsome, detailed corporate governance disclosures that explain both the company’s “governance arrangements it has in place” but also “how they are being implemented in practice.” Corporate Governance Principles and Recommendations, 4th ed. (Feb. 2019) at p. 4. Such disclosures are meant to promote transparency, improve investor confidence, and assist other companies that may be facing similar challenges.

Given these goals and requirements, a well-conceived and effectuated IG program will enable management to have appropriate access to the corpus of information to be disclosed and confidence in the procedures that the company has in place to store and retrieve important information as a result of that framework. For example, a requirement to annually review risk, as found in the ASX CGC at 7.2, should include the explanation of how the board conducted its risk review (discussed more in detail below), what material insights were gained from that review, and what steps the board is taking as a result of that review. An IG framework enables these disclosures and provides a repeatable, auditable process that can promote market confidence.

Explicitly recommending a comprehensive, appropriate IG framework in order to improve corporate reports and disclosures would be a logical step by exchanges, regulators, and advisory bodies. This could be added to the ASX CGC Code under principles 4 and 5, to the New Zealand FMA under 4.3, and to the UK FRC’s Corporate Governance Code as a provision under F, Transparency and External Reporting. Appendix A sets out other countries’ and organisations’ codes and guidelines that could be improved by the addition of an IG framework to corporate disclosures and reporting.

Shareholder or Securityholder Engagement and Rights

Engagement with a corporation’s shareholders or securityholders is crucial to effective management and governance today across the world. Stakeholders in Europe and Asia have long understood this, and American businesses have been trending in this direction. In the United States, the SEC reported a ten-fold increase in shareholder engagement over the past decade. In Europe, the European Union Shareholder Rights Directive (SRD II) promotes effective stewardship and long-term investment objectives by focusing on the responsibilities of the investment community, not just shareholders. Engaging with shareholders and securityholders allows management and directors to hear directly from them and build a relationship of trust. Shareholder engagement includes efforts on topics such as executive compensation, strategy, diversity and inclusion, risk management, and corporate governance, in addition to the usual financial and strategic conversations. These complex discussions can build strong relationships, ensuring that management and stakeholders are on the same page with respect to company strategy, long-term value, and effective stewardship. This is particularly important if co-called “activist” investors arrive who are looking for short term gains instead of long term results. Part of the relationship of trust requires management and the board to ensure timely access by the shareholder or securityholder to accurate information.

The corporate governance guidelines and rules of many organisations recognise that companies need to provide information to ensure this trust relationship is established and nurtured. What they haven’t done is to explicitly incorporate the complementary IG principles:  veracity of information; availability of information; dependable and repeatable reporting of information, in this context. The guidelines and rules can be enhanced to incorporate these principles in order for shareholders to be able to participate meaningfully with company management. See the chart at Appendix A for more detail on suggested enhancements and clarifications.

Risk Identification and Management

Another key area for incorporating IG is in addressing management’s responsibilities to identify or recognise risk, manage risk, and set and monitor the company’s risk profile. Countries and exchanges differ on the roles that board members and management take with respect to risk recognition and management, but all agree that risk identification, assessment, control, and management are critical to a company’s success. The positive effect of a thoughtful IG program on an organization’s ability to plan for and respond to risk is evidenced by having good, clean, available and timely data upon which to base decisions during turbulent times. Organisations and jurisdictions are aligned in stating that boards and management should pay close attention to potentially disruptive risks, which could have a significant, severe, and often sudden effect on a company's revenue, operations, profitability, competitive position, and reputation. See, e.g., National Association of Corporate Directors, The Report of the NACD Blue Ribbon Commission On Adaptive Governance: Board Oversight of Disruptive Risks (2018). Disruptive risks include near-term political challenges; market deterioration/industry disruption; natural disasters/man-made emergencies; and strategic/business model failure.

Incorporating IG into corporate governance codes for risk matters can be achieved by explicitly adding IG frameworks and systems to the risk responsibilities of boards and management. For example, the Singapore Code of Corporate Governance Principle 9, can be amended to include information governance systems as a type of internal control that must be reviewed and assessed. By including IG in that and similar principles, boards and management will better understand how that framework can help them better assess the types and extents of risks that their corporations face.

Business Resiliency

Business resiliency includes risk, supply chain, insurance and legal, technology and information security, government relations and public policy, financial and investor, customers and branding, talent and workforce, and employee health and wellbeing. These are all areas well serviced by a strong IG strategy that, again, provides timely, accurate information to management so that they can plan for and react efficiently to business threats.

Internal Controls

Among the internal control systems that boards should work with management to oversee and regularly assess is how the company manages its information resources and the processes governed by the company’s IG framework. These will include development, documentation and ongoing maintenance of company-wide information system architecture, documenting, conforming and maintaining key data and information processes and development and maintenance of a master data management program. Understanding that the IG framework straddles all areas of a business’s operations can assist management and the board in assessing the adequacy of other internal control systems. Similarly, the repeatability of IG processes and auditability of the IG framework can help management and the board strengthen other internal controls.

Why Boards Should Act Now to Incorporate IG 

Companies can realise the benefits of information governance, as laid out above, before information governance is explicitly incorporated into their respective jurisdictional corporate governance codes and guidelines. All regulatory and advisory bodies -- both those that require companies to comply (like the Singapore MAS requirement for listed companies to “comply or explain”) and those that issue advisory guidance (like the US Business Roundtable and OECD) -- explicitly recognize that corporate governance is not a mandated “check-the-box” system, but rather depends on the specifics of each company. Inherent in that understanding is that companies can adopt best practices before the relevant local advisory group or regulator requires those practices. Adopting best practices before they are explicitly required is an example of strong, competent leadership, uniformly recognised as fundamental in effective corporate governance and risk management. As Peter Seah, the chairman of DBS Bank (Singapore), recently wrote, a “corporate governance framework [is] anchored on competent leadership, effective internal controls, a strong risk culture, and accountability to stakeholders.”

The benefits from acting now, and being an “earlier adopter” to integrate IG into your company’s corporate governance schema, are profound. Information governance integration will obviously benefit your company’s risk identification and management, reducing the cost of risks associated with crises and unplanned events. What is not so obvious is how it can add value to areas other than risk mitigation and guideline adhesion.

We focus on two areas where a strong information governance component to your corporate governance framework will provide immediate and measurable impact. One is M&A and financing. Good corporate governance can help a company attract outside investors and capital and reduce the costs of capital for the company (in terms of debt and equity financing). The due diligence processes conducted for these transactional functions are heavily dependent on the corporation being able to accurately report on its business functions and on the flow of information underlying these functions. A well-defined information governance program can clearly facilitate this process and inject a greater degree of transparency in the due diligence process for both M&A and capital markets activities.

In addition, only in recent years has valuation of information assets started to gain traction as an integral part of M&A due diligence, beyond the standard valuation of the target company’s intellectual property. The valuation of information assets is being realised due to the improved insight afforded by having a sound, evolutionary IG strategy and well-documented, auditable, repeatable business processes around information management, leading to greater opportunity to leverage business information that was previously not available.

A second area where information governance can provide measurable impact is companies’ reputations, through, for example, growing forays into data ethics and corporate social responsibility activities. As part of their commitment to corporate social responsibility, some US companies across a range of verticals are finding ways to employ their data assets to more directly service their communities. Their effectiveness in deploying successful initiatives depends largely on their ability to harness the internal corpus of responsive information and conduct sophisticated (advanced algorithmic) analysis, sometimes in concert with external IoT and sentiment analysis data. None of this is possible without a well-developed IG framework, which can provide the basis for meaningful analysis on underlying data assets with integrity.

Conclusion

Effective corporate governance needs strong information governance. Numerous areas of focus for corporate governance depend on or require the type of transparency, measurability, and repeatability that comes from a robust information governance framework. These include shareholder and stakeholder engagement, appropriate and fulsome disclosures, business resiliency, and risk identification and management. As championed in this article, local regulatory and advisory bodies should explicitly incorporate information governance into their corporate governance rules and guidances. Even with the myriad characterizations of corporate governance principles across jurisdictions, and differing degrees of requirement, a developed information governance framework will enhance corporate governance in organisations regardless of their location.

While explicit guidance will hopefully be forthcoming along the lines proposed herein, companies and boards should seize the initiative to bring information governance into their corporate governance systems. Companies should turbocharge an integrated information governance program as part of their efforts to enhance and improve their corporate governance. As laid out above, the upsides include mitigating risk, improving management of data and information, unlocking and leveraging information assets for business growth, and enhancing the ability to demonstrate good corporate citizenship.

 

Authors

Kristie Blase is a Principal at 64.9 Consulting, LLC, a business and governance consulting practice.

Bryn Bowen is a Principal Consultant at Greenheart Consulting Partners, a Governance Risk & Compliance information consulting practice and a Board Director of MCCG Guyana, a management consulting company based in Guyana.

 

Appendix

JURISDICTION SECTION/ PRINCIPLE PROPOSED INSERTION/ADDITION
Australia 4.2 Corporate Reports; add to Commentary paragraph 1:
The company should have in place an appropriate information governance framework that will allow the CEO and CFO to declare that the financial records are properly maintained and give a fair and true representation of the financial position of the company.
4.3 Add to the beginning of the last paragraph:
This disclosure should include a description of the company’s information governance structure.
5.1 Disclosures; add to Box 5.1:
Document the information governance framework that governs the management of the underlying information being disclosed.
6.2 Rights of security holders; add to the end of second paragraph:
The best way to facilitate this is through a strong information governance framework established at the outset.
7.1 Risk management and recognition; add to the risk committee roles:
Ensure that an information governance framework exists and is responsive to the company’s risk concerns.
New Zealand 2.1 Add to Board Composition & Performance, Board Responsibilities:
Overseeing the governance of the organization’s information assets and processes perhaps as an adjunct to the audit function
3.1 Add to the Board Committee, financial reporting processes: ensuring financial and information processes are in place and monitored….
4.3 Add to Reporting & Disclosure, Non financial reporting: ...include other non-financial disclosure such as compliance with its information governance framework...
6.3 Add a new section to Risk Management:
An issuer should disclose how it is managing its information and data assets through an information governance program, and should report on its level of risk, performance, and management.
US Business Roundtable II Add to Key Responsibilities of the Board:
Reviewing the company’s information governance structure. The board annually reviews the company’s information governance structure to ensure that it is adequate to responsive to the company’s risk profile and audit and disclosure needs, and is aware of changes in information profiles that may affect the company.
Add to Key Responsibilities of the CEO and Management:
Creating, implementing, and updating the company’s information governance structure. The CEO and management create the company’s information governance structure, implement it, and regularly assess it to ensure that it is adequate and responsive to the company’s risk profile and audit and disclosure needs. Management keeps abreast of changes in information profiles that may affect the company.
IV Board Committees; Audit Committee. Add:
Information Oversight. To ensure that the audit function is encompassing, oversight of the company’s IG program should be an explicit part of the committee’s responsibilities.”
UK FRC Corporate Governance Code 1(C) Under Board Leadership//add new provision:
The board should ensure that the company has put in place an information governance structure that is appropriate for its size, industry, and risk profile, monitor implementation of the information governance structure to ensure that it is effective, and review it periodically.
4(O) Add to Audit, risk, and internal controls, provision 29:
The board should monitor the company’s risk management, and internal control systems, and information governance structure, and, at least annually, carry out a review of their effectiveness and report on that review in the annual report. The monitoring and review should cover all material controls, including financial, operational and compliance controls.
Germany Rec. A.2 Add to recommendation A.2:
The Management Board shall institute an appropriate compliance management system and information governance system reflecting the enterprise’s risk situation, and disclose the main features of this system.
Rec. D.3 Add to recommendation D.3:
The Supervisory Board shall establish an Audit Committee that – provided no other committee or the plenary meeting of the Supervisory Board has been entrusted with this work – addresses in particular the review of the accounting, the monitoring of the accounting process, the effectiveness of the internal control system, the information governance system, the risk management system, the internal audit system, the audit of the financial statements and compliance. The accounting particularly comprises the consolidated financial statements and the group management report (including CSR reporting), interim financial information and the single-entity financial statements in accordance with the German Commercial Code (Handelsgesetzbuch – “HGB”).
Principle 15 Add recommendation:
The Supervisory Board must have knowledge of the enterprise's information governance system and ensure that they can access and obtain sufficient information.
F Transparency and external reporting; add recommendation:
The company shall have an effective and robust information governance system in place that will ensure accurate timely access to all required information.
Singapore 9 Add to Principle 9:
The Board is responsible for the governance of risk and ensures that Management maintains a sound system of risk management and internal controls, including information governance, to safeguard the interests of the company and its shareholders.
10.1(b) Add to the Audit Committee’s responsibilities:
reviewing at least annually the adequacy and effectiveness of the company's internal controls, information governance, and risk management systems;
12.2 Add to guidance:
The company has in place an investor relations policy which allows for an ongoing exchange of views so as to actively engage and promote regular, effective and fair communication with shareholders. This policy is incorporated into the company’s information governance framework.
13.1 Add to guidance:
The company has arrangements in place to identify and engage with its material stakeholder groups and to manage its relationships with such groups. These arrangements are incorporated into the company’s information governance framework.
Philippines 11.2 Add a new recommendation 11.2 as follows:
Companies should ensure an effective system of information governance is in place, appropriate to the size and complexity of the business, that will, amongst other capabilities, enable the company to simply and cost effectively disseminate information to shareholders.
12.5 Add to recommendation 12.5:
The Chief Risk Officer (“CRO”) must have a fulsome understanding of information governance and incorporate information governance into the company’s ERM.

Australia and New Zealand’s COVID-19 Contact Tracing Apps – Differences in Approach on the Road to Recovery

by

While Australia and New Zealand were able to flatten the COVID-19 curve, the approaches of each country have somewhat differed, both in relation to the level of restrictions imposed on citizens, as well as the type of contact tracing technology deployed.

Australia and New Zealand stand alongside Germany, South Korea and Singapore as examples of countries that followed the advice of their scientists and moved into lockdown in a timely way to limit the spread of the COVID-19 virus.

Australia, similar to other countries, experienced a doubling of COVID-19 positive people every two days as it went into lockdown. The containment of the coronavirus in Australia and New Zealand is a result of a multipronged strategy that includes prompt lockdowns restricting movement and requiring social distancing; quarantining of international travellers for 14 days; and a high rate of testing and contact tracing.

The governments of both countries have developed their own voluntary app to speed up and support the manual tracking process of people who have been in contact with individuals who tested positive for COVID-19. Australia’s COVIDSafe app is a modified version of Singapore’s TraceTogether using Bluetooth technology to track encounters between the user’s phone and other phones that are using the app. New Zealand’s COVID Tracer app enables users to record their visits to specific businesses and organisations that have registered with either the Ministry of Health or the Ministry of Business, Innovation and Employment.

Australia’s COVIDSafe App

Australia launched its COVIDSafe app on 26 April 2020, with one million downloads in the first 24 hours. By the end of the first week, over four million people had downloaded the app. While the initial download rate of the app was positive, the rate then slowed. By early July, nearly six and a half million people had downloaded the app, which is nearly 25 percent of the population, although still a distance from the government’s 40 percent take-up target.[1]

The COVIDSafe app is considered by Australia’s Chief Medical Officer and the Government as a key tool to expedite contact tracing to enable lockdown restrictions to ease and enable Australians to return to everyday living more quickly. Privacy has been a central consideration in the development of the app and the COVIDSafe legislation, passed by Parliament on 14 May 2020, enshrines that the app is voluntary and no one is required to download it.[2]

How It Works

Following the approach of Singapore's TraceTogether software, the COVIDSafe app uses Bluetooth technology to find other COVIDSafe app users. Australians are asked to provide a name (which can be a pseudonym), a contact phone number, a postcode and an age range. The app records the date, time, distance, duration of the contact and the other user’s reference code. The app does not collect location data. The information is encrypted and stored on the user’s phone. The contact information stored on phones is deleted on a 21-day rolling cycle. Users who test positive for COVID-19 have the option of uploading the encrypted data on their device to the National COVIDSafe data store. The uploaded data is information about other users who have been in contact within 1.5 metres for 15 minutes or more.

Privacy Protections

Privacy was a central consideration in the development of the COVIDSafe app. At the time the COVIDSafe app was launched, the Privacy Impact Assessment (PIA) report, the Department of Health’s Agency Response to the PIA, and the Privacy Policy for the app were made publicly available.[3]

Prior to passing the legislation on 14 May 2020, the Health Minister issued a Determination under the Biosecurity Act to protect people’s privacy and restrict access to information obtained from the app. The Determination enabled State and Territory health authorities to access the information solely for contact tracing, but only with the explicit consent of the user.[4] The only other access was by the COVIDSafe Administrator, including deletion of registration information at the user’s request.

On 5 May 2020, the Australian Government released the draft Privacy Amendment (Public Health Contact Information) Bill 2020, (COVIDSafe Act), which was subsequently passed by both houses of Parliament on 14 May 2020. The COVIDSafe Act enshrines privacy protections contained in the Health Minister’s Determination under the Biosecurity Act 2015. Breaching the requirements of the legislation is a criminal offence, a breach of the Privacy Act 1988, or both.

The COVIDSafe Act protects the app as being voluntary, stating that no one can be forced to download or use COVIDSafe or upload its data to the National COVIDSafe data store. The Act makes it a criminal offence, punishable by up to five years in prison or a $63,000 fine per breach, or both, to misuse the data or pass it on without the explicit permission of the user after contracting COVID-19. Data will be deleted every 21 days and the administrator of the National COVIDSafe data store will delete users’ registration data upon request. The legislation provides a process to be put in place for COVIDSafe data to be deleted at the end of the COVID-19 pandemic and users to be notified accordingly.

Over Collection of Data

Privacy academics Professor Graham Greenleaf and Dr. Katharine Kemp stated that ‘[a] crucial problem with the legislation is it allows the government to collect much more personal data than is necessary for contact tracing.’[5] They refer to the PIA of COVIDSafe and point out that the app collects data about ‘all other users who came within Bluetooth signal range even for a minute within the preceding 21 days.’ As Greenleaf and Kemp point out, the data collected should be minimised to that which is necessary and technically possible.

Data Storage

The data collected by the COVIDSafe app will be stored in Canberra in the National COVIDSafe data store. After it emerged that the government contract for storage of the COVIDSafe data was awarded to U.S. tech giant Amazon Web Services (AWS), concerns were raised about the global tech giant being awarded the contract over an Australian provider and the potential access to the data by the U.S. government, given the extraterritorial reach of the U.S. CLOUD Act 2018.

In response to the concerns, Health Minister Greg Hunt stated that he received advice from Attorney-General Christian Porter's office that protections under Australia's Biosecurity Act 2015 would prevail over the CLOUD Act.[6]  The Department of Health’s information webpage about COVIDSafe explains that the Australian Government’s Digital Transformation Agency had existing contracts with AWS, that the data is required to be stored in Australia, and AWS does not have access to the national COVIDSafe data store.[7]

Cybersecurity Concerns

Cybersecurity concerns have focused on the risks around a National COVIDSafe data store, as well as cybercrimes. The Australian Cyber Security Centre reports that from 10 March to early June 2020, there were more than 1,100 related COVID-19 scams reported to the Australian Competition and Consumer Commission (ACCC), 95 cybercrime reports related to COVID-19 themed scams and online frauds, 20 cybersecurity incidents affecting COVID-19 response services and/or major national suppliers, and over 150 malicious COVID-19 theme websites.[8]

Prior to the release of the COVIDSafe app, it was independently reviewed by the Cyber Security Cooperative Research Centre and CSIRO’s Data 61 with a team of cyber experts. The app’s source code was made available on 7 May 2020. While it was a further demonstration of transparency and enabled further scrutiny, the server code on ‘which all the important encryption is done’ was not made available.[9]

Limitations of Bluetooth Functionality

It has been slow going fixing Bluetooth bugs and there were challenges getting the app to work properly on iPhones.[10] The Apple version of the COVIDSafe app needed to be open for the Bluetooth functionality to work on iPhones, which drains the battery. However, an updated version enables the iPhone screen to be locked as long as the app is open. Upon releasing the second update to COVIDSafe, the Digital Transformation Agency’s media release on 14 May 2020, explained:[11]

We are continuing to make iterative improvements to enhance COVIDSafe’s Bluetooth performance.'

Today’s update includes new code from the United Kingdom Government’s National Health Service (NHSX) that improves the COVIDSafe app’s Bluetooth performance on iOS devices, including when the device is locked.

We continue to work with Apple and Google on further enhancements that will improve COVIDSafe’s performance.’

Google and Apple

In April 2020, Google and Apple announced a joint collaboration to enable the use of Bluetooth technology to help governments and health agencies to reduce the spread of COVID-19. User privacy and security are central to the design.

On 21 May 2020, Google and Apple released their contact tracing API to 22 countries, including Australia. The Exposure Notification System enables those who test positive to COVID-19 to alert others so they can isolate and/or get tested. Importantly, device location is not collected; it holds data only on users’ phones with no central data repositories and only official public health authorities are allowed to use the system whose apps ‘meet the specific criteria around privacy, security and data control.’

This decentralised approach is in contrast to Australia’s centralised data store for those who test positive and consent to upload their personal information and those they have been in contact with, which is then sent to the relevant state or territory carrying out the contact tracing. The collection of additional personal information, such as phone numbers, means that if the Australian government wants to utilise the Exposure Notification System, it will need to make modifications to the COVIDSafe app.

Differences in Australian and New Zealand Approaches

While Australia embarked on a suppression strategy of COVID-19, New Zealand implemented a higher level of lockdown restrictions, pursuant to the COVID-19 Response (Urgent Management Measures) Legislation Act 2020, with the objective of eliminating COVID-19.[12] New Zealand’s first reported COVID-19 case was on 28 February 2020 and on 26 March 2020, Prime Minister Jacinda Ardern, implemented the COVID-19 Alert System Level 4 – Lockdown.

By 26 April 2020, New Zealand had 1,121 confirmed COVID-19 cases and 18 deaths, with only four new cases reported on the preceding day. New Zealand’s approach required all nonessential services to be shut down, so basically only supermarkets and pharmacies remained open. This was significantly more restrictive than Australia’s lockdown, which enabled cafes and restaurants to continue to provide take-away services and other retail outlets to remain open.

On 8 June 2020, New Zealand was COVID-19 free after the recovery of the last person with COVID-19 and 17 days without a new case. The following day, all restrictions were lifted. Controls at the border remain in place, with a mandatory 14-day quarantine or self-isolation. However, during the following month, 21 travellers to New Zealand tested positive.

While Australia’s strategy was suppression, with the first confirmed case late in January 2020, the extent of containing the pandemic before the launch of the COVIDSafe app was impressive. There were 6,710 reported cases and 83 COVID-19 deaths in Australia. In the preceding six days leading up to the app’s launch on 26 April 2020, there were only between eight and 22 people testing positive across the entire country. On 8 June 2020, New South Wales, with a population of eight million, reported two new COVID-19 cases for the first of June 2020.[13]

Australia, with one of the highest levels of testing rates for COVID-19 per capita globally, has experienced a 1.2 percent mortality rate, which is slightly lower than New Zealand’s mortality rate of 1.4 percent. While these rates are low, there are other countries with lower mortality rates, such as Singapore at 0.1 percent, which is in stark contrast to the United Kingdom’s 15.5 percent mortality rate and 4.6 percent in the United States, according to Johns Hopkins University & Medicine Coronavirus Resource Center – Cases and mortality by country chart as at 5 July 2020. .[14]

Contact Tracing in New Zealand

While the focus on technology to assist in contact tracing is a key plank for the Australian Government to enable the continuing containment of the virus, the New Zealand approach places less importance on the role of technology in contact tracing. On 19 April 2020, Prime Minister Ardern said in a COVID-19 media update:[15]

An app will only ever supplement the work that we have to do for contact tracing. And, again, most countries who have an app like this will highlight that you have to have the foundation of people and a people-centred network of contact tracers.'

The Prime Minister also asked New Zealanders to keep a diary of their daily movements to help with contact tracing. [16]

While the shutdown was very effective in New Zealand for containing the spread of COVID-19, Level 4 restrictions were reduced to Level 3 restrictions on 27 April 2020. This coincided with increasing concerns about the very serious economic challenges that were mounting, including from a group of academics who launched a campaign called ‘Plan B’, arguing the Level 4 measures were too strict and would create more serious problems. On 7 May 2020, Prime Minister Ardern set out Level 2 rules, with the Cabinet making a decision to reduce the level of restrictions on 11 May 2020.

On 20 May 2020, the New Zealand Ministry of Health launched its voluntary NZ COVID Tracer app together with the privacy impact assessment.[17] The Trace app enables users to create a digital diary of the locations visited by the user. The phone camera scans and selects any Ministry of Health COVID-19 QR code posters displayed by businesses and organisations visited. The QR codes contain the name of the business or organisation, its business number, the address and the global location number of the premises. The digital diary is designed to support, rather than replace, existing contacting tracing processes.

New Zealand’s Privacy Commissioner John Edwards said, ‘The Ministry’s app is a privacy-friendly solution for contact tracing which New Zealanders should feel secure in downloading and using. [18]

Is the COVIDSafe App Making a Difference?

At the launch of the COVIDSafe app, Health Minister Greg Hunt explained that the contact tracing app was one of three keys for Australia’s recovery from the pandemic. The other two were to expand testing capacity to people who are asymptomatic and increase rapid response capability, such as what occurred for the outbreak in a regional Tasmanian hospital, to contain outbreaks.

The Singapore experience shows that while the virus can be suppressed, there can be cluster outbreaks, such as those that have occurred in Singapore’s migrant worker dormitories. Cluster outbreaks in New South Wales in aged care homes, a regional hospital in Tasmania, and a meat abattoir in Victoria similarly highlight the significant challenges that are continually being reported and could last for up to two years. However, the Australian suppression strategy – with social distancing, allowing cafes and restaurants to do take-away, and allowing retail shops and hairdressers to remain open – has enabled Australia to still achieve suppression and possibly elimination all before the COVIDSafe app was available.

By the first week of June 2020, more than a month after the app’s launch, it was reported that there had only been one known case where a COVID-19 patient had downloaded the app and consented to the Victorian Health Department using the data. The data identified a person who hadn’t been identified in the initial interviewing process.

Deputy Chief Medical Officer, Dr Nick Coatsworth, explained, ‘[t]hat reflects how well Australia is doing. There are so few cases that it will naturally mean that the app will not be as well utilised by public health authorities simply because the cases are low’.[19]  While the app has so far not yielded any significant benefits, it is part of the overall response strategy of test, trace and self-isolate, and will be important in the event of a significant cluster outbreak or a second wave of the pandemic.

Conclusion

Australia and New Zealand developed their contact tracing apps as part of an overall strategy of testing, contact tracing, early self- isolation, and mandatory quarantining of international travellers. The use of contact tracing technology supports the manual tracking undertaken by people who were in contact with those individuals who test positive for COVID-19.

The actions of the Australian and New Zealand governments to restrict movement in a timely way has resulted in containment of the pandemic to date. Given the initial success of this suppression strategy in Australia and the elimination of COVID-19 in New Zealand, the contact tracing technology has not to date played a significant role. However, as a means of supporting and speeding up manual contact tracing in any cluster outbreaks or second waves of the pandemic, the apps are important tools for tracing potentially infected individuals to minimise further spread of COVID-19.

While both apps are voluntary, the COVIDSafe app has only been downloaded by 25 percent of Australians and is still well short of the target of 40 percent of the population. Once users have downloaded the app and where the user consents, the data can be accessed quickly and easily to track individuals who were in contact with the user for more than 15 minutes. The New Zealand app, on the other hand, minimises data collection, but requires ongoing commitment by users to scan codes of all premises they visit. The different approaches to the apps, where not all contacts are traced, highlight the usage of this type of technology as a support tool to manual contact tracing and is appropriate given the privacy and cybersecurity concerns and the low levels of COVID-19 infection rates.

It is clear that contact tracing is key to containing the expected continuing outbreaks and will assist in returning to a post COVID-19 ‘new normal’ world. There is no doubt that technology will provide a faster and more efficient way of finding and containing fast spreading COVID-19 cluster outbreaks than asking people to either remember or keep a record of all their movements. The role of contact tracing technology, particularly given that the pandemic is being predicted to be with us in one form or another for up to two years, will be crucial in managing the pandemic.

The key is for governments to ensure that privacy and cyber risks are mitigated and minimised. It would be a significantly good outcome for citizens where the use of technology for contact tracing ensures that cluster outbreaks are contained and there is a return to everyday living without further widespread waves of the pandemic and lockdowns.

While we as citizens have demonstrated we can live with restrictions on our movements and requirements to social distance without technology surveillance, we need government to demonstrate it can be trusted with our personal information.

Author

Susan Bennett (LLM(Hons), MBA, FGIA, CIPP/E) is the Founder and Executive Director, Information Governance ANZ and Principal, Sibenco Legal & Advisory

 References

[1]  Meixner, Sophie, ‘How many people have downloaded the COVIDSafe app and how central has it been to Australia's coronavirus response?’, ABC, 2 June 2020 , <https://www.abc.net.au/news/2020-06-02/coronavirus-covid19-covidsafe-app-how-many-downloads-greg-hunt/12295130>.

[2] Privacy Amendment (Public Health Contact Information) Act 2020.

[3] Department of Health, COVIDSafe Application Privacy Impact Assessment, <https://www.health.gov.au/resources/publications/covidsafe-application-privacy-impact-assessment>.

[4] Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements—Public Health Contact Information) Determination 2020, <https://www.legislation.gov.au/Details/F2020L00480>.

[5] Greenleaf, Graham and Kemp, Katharine, Australia’s COVIDSafe Experiment, Phase III: Legislation for Trust in Contact Tracing (May 15, 2020). (2020) University of New South Wales Law Research Series. Available at SSRN: https://ssrn.com/abstract=3601730.

[6] Koslowski, Max, ‘Coronavirus app data will stay here despite US security laws, Health Minister says’, 28 April 2020, Sydney Morning Herald, <https://www.smh.com.au/politics/federal/coronavirus-app-data-will-stay-here-despite-us-security-laws-health-minister-says-20200428-p54o05.html>.

[7] Department of Health, COVIDSafe help, Why did the Australian Government choose Amazon Web Services? <https://www.health.gov.au/resources/apps-and-tools/covidsafe-app/covidsafe-help>.

[8] Australian Government, Australian Cyber Security Centre, ‘Threat update: COVID-19 malicious cyber activity’, as of 7 June 2020, <https://www.cyber.gov.au/threats/threat-update-covid-19-malicious-cyber-activity-20-apr-2020>.

[9] Teague, Vanessa, posted on Twitter 11 May 2020, <https://twitter.com/VTeagueAus/status/1259644018939408384>.

[10] Basford, Sarah, ‘CovidSafe still has bugs, according to experts’, Gizmodo, 25 May 2020 <gizmodo.com.au/2020/05/covidsafe-bugs-ios-android-tracking-privacy/>.

[11] Digital Transformation Agency, ‘The new release of COVIDSafe is live’, 14 May 2020, https://www.dta.gov.au/news/next-release-covidsafe-live

[12] COVID-19 Response (Urgent Management Measures) Legislation Act 2020, <https://www.parliament.nz/en/pb/bills-and-laws/bills-proposed-laws/document/BILL_96378/covid-19-response-urgent-management-measures-legislation>.

[13] NSW Department of Health, NSW COVID-19 case statistics, <https://www.health.nsw.gov.au/Infectious/covid-19/Pages/stats-nsw.aspx>, See also Department of Health, Coronavirus (COVID-19) current situation and case numbers, <https://www.health.gov.au/news/health-alerts/novel-coronavirus-2019-ncov-health-alert/coronavirus-covid-19-current-situation-and-case-numbers#total-cases-recoveries-deaths-and-new-cases-in-the-last-24-hours>.

[14] Johns Hopkins University & Medicine, Coronavirus Resource Center, Mortality Analysis, 7 June 2020, <https://coronavirus.jhu.edu/data/mortality>.

[15] Covid-19 media update, 19 April 2020, Ministry of Health, <https://www.health.govt.nz/news-media/news-items/covid-19-media-update-19-april>.

[16] Ibid.

[17] NZ COVID Tracer app, Ministry of Health, <https://www.health.govt.nz/our-work/diseases-and-conditions/covid-19-novel-coronavirus/covid-19-novel-coronavirus-resources-and-tools/nz-covid-tracer-app>.

[18] New Zealand Privacy Commission, ‘Privacy Commissioner backs NZ COVID Traces app’, 20 May 2020, <https://www.privacy.org.nz/news-and-publications/statements-media-releases/privacy-commissioner-backs-nz-covid-tracer-app/?mc_cid=cd56848da2&mc_eid=a12a97dd18>.

[19] Meixner, Sophie, ‘How many people have downloaded the COVIDSafe app and how central has it been to Australia's coronavirus response?’, ABC, 2 June 2020 , <https://www.abc.net.au/news/2020-06-02/coronavirus-covid19-covidsafe-app-how-many-downloads-greg-hunt/12295130>.