Western Australia’s auditor-general has criticised lax protection of personal data collected as part of the state’s response to the Covid-19 pandemic.
Caroline Spencer said in a statement (PDF) WA Health’s Public Health COVID Unified System (PHOCOS) “contains some of the most sensitive and consequential data” the state has collected in the last two years.
In the report (PDF), Spencer wrote that “WA Health does not adequately log and monitor who has accessed information to detect inappropriate changes or snooping, and has provided an external vendor with inappropriate access to personal and medical information.”
She was also critical of the public information offered by WA Health.
The department “has told the community little about the types of personal and medical information PHOCUS collects (about positive cases, close and casual contacts, and travellers) to support contact tracing, and that this information is stored indefinitely.”
The lack of transparency could erode trust in government institutions, Spencer wrote.
The auditor also noted that she had raised similar issues delivering an audit of SafeWA in 2021.
Spencer also found that manual processes in WA Health’s contact tracing system eroded data quality.
“Manual data entry processes were inefficient and prone to increased errors, especially as large datasets were involved”, the audit report stated.
WA Health has accepted all recommendations made in the report, but noted: “the report highlights many historic items that have largely been previously addressed or were issues where existing controls were strengthened.”
The department also said that “no breach of privacy has occurred”.