The Auditor-General's Department has released a report finding that the COVID‐SAfe Check‐In app has been applied ‘reasonably’ when used for the purpose of contact tracing.
In his report 13 of 2021: COVID-SAfe Check-In review, Auditor-General Andrew Richardson examines both the Department of Premier and Cabinet (DPC) and Department for Health and Wellbeing’s data management, protection and disposal arrangements.
For DPC, Mr Richardson found that the controls implemented to secure the data captured by the COVID-SAfe Check-In app were reasonable.
He said this included controls applied to the database and supporting IT environment.
He said DPC had a regular process for destroying COVID‐SAfe Check‐In data older than 28 days from the production database and regularly backed up the COVID‐SAfe IT environment in line with responsible and vital practice for recovering critical systems in the event of a disaster or system failure.
For SA Health, he said that some controls applied over its COVID management systems were reasonable but he found others needed strengthening to provide better security of people’s contact details.
The Auditor-General found that SA Health retained the data it received indefinitely, which was in line with its responsibilities under the Health Care Act 2008.
“For clarity of community messaging about the retention of data, it would be helpful if SA Health’s public communications include information about this requirement, such as on websites and in digital media,” Mr Richardson said.
He noted this was a point-in-time review and IT systems were subject to changing circumstances while the ongoing management of system changes and security were key management responsibilities.
The Auditor-General’s key findings showed the South Australian Cyber Security Framework required a clear asset owner to be assigned for the COVID‐SAfe systems to ensure clarity for managing the Check‐In app and associated IT environments.
His 42-page Report can be accessed at this PS News link.