The examination of an information system developed by WA Health to collect details about people suffering COVID-19 as well as their close and casual contacts, has found the system to be faulty.
In her Report COVID-19 Contact Tracing System – Application Audit, Auditor General Caroline Spencer followed up her need to review WA Health’s Public Health COVID Unified System from August last year, to fully understand the System’s application.
Ms Spencer (pictured) said the Unified System known as PHOCUS collates highly sensitive personal and medical information of COVID-19 positive individuals and their close and casual contacts, from multiple sources for contact tracing purposes.
“The system continues to play a significant role to support WA Health’s contact tracing efforts,” Ms Spencer said.
“I expected to find robust access controls for this system given the sensitive nature of information it contains, and the consequences to people’s privacy, freedom of movement and public health measures if the information is inappropriately accessed or altered,” she said.
“However, our audit found a number of significant weaknesses.”
The Auditor General said she was concerned that the security and privacy of peoples’ highly sensitive medical and personal information had not been protected to the extent the community has a right to expect.
“WA Health does not adequately log and monitor who has accessed information to detect inappropriate changes or snooping, and has provided an external vendor with inappropriate access to personal and medical information,” Ms Spencer said.
“In the absence of comprehensive privacy legislation in our State, WA Health must ensure their privacy practices protect the confidentiality of information stored in PHOCUS and are consistent with the Commonwealth Privacy Act 1988.”
She said she was also concerned that WA Health had not told the community the types of personal and medical information PHOCUS collects (about positive cases, close and casual contacts, and travellers) to support contact tracing, and that this information is stored indefinitely.
“Such a lack of transparency could lead to unintended consequences, including erosion of trust in Government institutions,” she said.
The Auditor General made four recommendations of which WA Health agreed to them all.
Ms Spencer’s 18-page Audit Report can be accessed at this PS News link and the audit team was Aloha Morrissey, Kamran Aslam, Michael Chumak, Paul Tilbrook, Jacqueline Richards and Karen Telford.
