A new free service will send users a text if they’ve used their credit card at a COVID-19 exposure site.
COVID Hotspot Alert was created by Sydney-based fintech company Adatree, and it’s set to expand across the country.
The alert connects to users’ bank accounts through a government-legislated standard known as the Consumer Data Right.
“We have this rare, regulated data-sharing capability,” Adatree CEO Jill Berry told The New Daily.
“So when we had this idea, it was essentially our lockdown project. We thought, ‘let’s build something for good’.”
The Consumer Data Right is a protocol established to give individuals – rather than corporations – control over their personal data such as their credit card history.
Previously, that data belonged to companies and was unable to be transferred anywhere without the company’s permission.
Now, the Consumer Data Right is being used on a very small scale to help customers seamlessly change banks without having to share all their personal info from scratch.
“There’s been so much work going on for years, but it’s been largely theoretical,” Ms Berry added.
“We wanted to have a use case that isn’t about financial services, but really shows that you can leverage data for better social outcomes.”
The hope is that users can be alerted if they’ve visited an exposure site faster than government contact tracers, who can sometimes take longer than a week to reach someone.
COVID Hotspot Alert is currently available across regional NSW, with a waiting list for users in Queensland and Victoria.
People who sign up on the service’s website will be contacted by Adatree asking for consent to access their credit card records.
Users will then be redirected to confirm the data sharing request with their bank through a streamlined online process.
Security and the law
Any service that accesses credit card data automatically raises concerns about privacy and security, but Ms Berry described her company as “the Fort Knox of data”.
For a company to be part of the Consumer Data Right ecosystem, it needs to be assessed by the ACCC on a number of different security criteria ranging from cybersecurity to police checks of staff.
“My background, and the team’s background, is actually building banks,” said Ms Berry, whose most recent stint was at neobank Volt.
“So it’s really, really similar to the security protocols and measures that banks actually have.”
Almost all banks in Australia support the Consumer Data Right, with the remaining minor players due to come on board later this year.
In addition to the ACCC, the Office of the Australian Information Commissioner (OAIC) oversees the data-sharing ecosystem to monitor any complaints.
“Strict privacy safeguards are built into the system and regulated by the OAIC,” an OAIC spokesperson told TND.
“There are 13 legally binding privacy safeguards that set out consumers’ privacy rights and the obligations on businesses collecting and handling their data.”
Since July 1, 2020, the OAIC has handled just one complaint related to the Consumer Data Right, and the service provider was ultimately found not to have breached any privacy or confidentiality safeguards.
Using credit card information to track someone’s location has the potential for false positives.
Two businesses with similar-sounding names could easily get mixed up, while online transactions present their own difficulties.
Adatree has taken this into consideration, and it hopes machine learning will keep false positives from a COVID Hotspot Alert to a minimum.
Another issue is the availability of exposure site data.
NSW Health is no longer releasing the full list of exposure sites in Greater Sydney, which is why COVID Hotspot Alert only supports regional NSW at launch.
Exposure sites in Queensland and Victoria will soon be included, as will other states should the need arise.
“For example, if someone signs up from Queensland right now, we’re not ingesting the Queensland locations this second,” Ms Berry said.
“We plan on doing it really soon, so we have a waitlist.”