Have you tried to travel interstate to Western Australia lately? If so, you would have been required to apply for a G2G PASS, designed by Genvis Pty Ltd, an Australian company “specialising in cloud-based programs, data science and artificial intelligence.” A G2G Pass is the functional equivalent of a travel passport.  

Even a perfunctory examination of the G2G website, the G2G application form, Genvis’s G2G PASS Privacy Policy (last updated on April 17, 2020), Genvis’s general Privacy Policy (last updated May 6, 2021), reveals the existence of inconsistencies and contradictions between these documents. 

This opinion piece, in focussing on these contradictions and inconsistencies, seeks to inform its readers of the invasive nature of the application process, which impedes the freedom of movement traditionally associated with living in Australia and equally importantly, potentially violates the privacy rights of Australian citizens. Using the language of the New South Wales Government, this opinion piece examines “the overall proportionality of a policy or project, that is, whether the use of personal information strikes an appropriate balance between the project objectives and the resulting privacy impacts. This is particularly important where individuals do not have a meaningful choice to provide the information”.  

The relevant G2G PASS website explains that border controls are in place to limit the spread of Covid-19, and that for that purpose, travellers must present a valid Pass on arrival in Western Australia. To complete the application form, an applicant will need a driver’s licence, passport, or Medicare card. Every application is linked to an email address. Many older people who do not have an email address or are not computer-literate are thus effectively banned from travelling to Western Australia. This is a serious equity issue which is not addressed by the G2G PASS website. 

The application process involves the extensive collection of personal information: name, gender, date of birth, residential address, email address, phone number, full legal name of next of kin, driver’s licence, main reason for travel, the applicant’s intended address in Western Australia, airline and flight number, and a biosecurity declaration relating to places visited in the two weeks prior to entry into Western Australia, among others. The application form indicates that “To complete your G2G PASS declaration you will need your driver’s licence, passport or Medicare card.” However, although there appears to be a choice between these three documents, a driver’s licence is the most appropriate document because, unlike a passport or a Medicare card, it contains the current residential address of the applicant, which must be listed on the application form. 

The personal information collected is not only used to determine whether the applicant will be allowed to enter Western Australia, but for other purposes as well. The information may be disclosed to the service provider who has designed the G2G PASS, the authorities, “including those with Covid-19 powers and responsibilities (and those helping them) such as the State Emergency Coordinator, the Chief Health Officer and other health authorities; and others – for example, to assist in managing various states of emergency or as required by law.” 

The G2G PASS website also states, in bold letters, that, “By selecting ‘I Consent’… you consent to: the collection, use, storage and disclosure of personal information as set out… in the G2G PASS Privacy Policy”. But if the applicant withholds his/her consent, permission to enter Western Australia would not be granted. Hence, the invitation to consent to the collection of the data is a meaningless exercise because the only check box is for “I consent”. 

The Western Australia Police, which “proudly” brings the G2G PASS to applicants, appears not to hold the information provided in the application form. This is kept by the contractor, Genvis Pty Ltd, a private organisation. However, the WA Police, as the data custodian, is the controlling entity because it apparently controls the use and disclosure of the data and decides what happens to it.  

The information is stored by Genvis Pty Ltd using Amazon Web Services. In addition, WA Police “has to (by law) keep your information, even after you have finished any quarantine or isolation – and even after you have deleted the G2G Pass app.” The information thus appears to be stored indefinitely.  

It is revealing to compare the language used on the G2G website with Genvis’s G2G PASS Privacy Policy.  

Dealing with the rights of applicants, the G2G PASS Privacy Policy states that, “You are solely responsible for the uploading, sharing, withdrawal, management and deletion of your information.” This is misleading because if the requested information is not uploaded or sensitive information is deleted, no travel pass would be issued. Moreover, the apparent indefinite storage of the information supplied by applicants is clearly incompatible with Genvis’s own G2G PASS Privacy Policy and it raises the question whether it is possible at all to delete the information.  

The most egregious part of the application is that an applicant must give their consent to the collection, use and disclosure of their information if they want to travel to Western Australia. The Privacy Policy indicates that, “By using G2G PASS, you agree that Genvis may collect, use and disclose your personal information”. However, as receipt of a 2G2 PASS is mandatory for travel to and within Western Australia, applicants cannot disagree with the collection, use and disclosure of personal information.  

In its section on information retention, the G2G PASS Privacy Policy states, “When we have no ongoing legitimate need to process or store your personal information, we securely delete the information or anonymise it. We will delete this information from our servers at your request.” Of course, this concession depends entirely on the meaning of the word “legitimate”: what is legitimate is decided by the policymakers themselves. In addition, the concession also violates Australian Privacy Principle 11 according to which an entity that “no longer needs the information for any purpose for which the information may be used … the entity must take steps as are reasonable in the circumstances to destroy the information or to ensure that the information is de-identified.” 

Privacy Principle 11 indicates that the onus to delete information which is no longer needed should not be placed on an applicant for a G2G PASS, but rather it should be proactively deleted by the service provider when the collected information is no longer required.  

This G2G Privacy Policy’s statement is also inconsistent with the G2G website’s confirmation that collected information would apparently be stored indefinitely. Hence, there are contradictory messages, leading to confusion and potential breaches of a person’s privacy rights.  

Western Australia’s track record for properly and securely handling personal information is poor, considering there is no privacy law in that State.  In this context, the Western Australia Auditor General’s Report, Local Government General Computer Controls, tabled on May 12, 2021, involving an examination of the use of computer systems at 50 local entities, is a timely reminder of this problem. The Auditor General found 328 weaknesses, with 33 considered as significant. She pointed out that “extremely poor general computer controls can result in system breaches, loss of sensitive and confidential information and financial loss.” 

The G2G website also states that, “police may prosecute those found to provide false or misleading information.” The WA Police Operation Tide (Covid-19) Command Team emails an intimidating communication to successful applicants of a G2G PASS approximately seven days before they travel to Western Australia. The email reminds travellers that they need to update their G2G application with regards to their proposed route into Western Australia at least two days before their travel, and they are encouraged to download an app which enables Police to check on their quarantine status. 

The G2G PASS is a horrendous piece of administrative oppression, which one would not expect in a democratic society but is now foisted upon Australians who are effectively banned from travelling to Western Australia, if they do not have an email address, or fail to consent to the collection, use, disclosure, and retention of their personal information. As such, the G2G PASS is an example of the operation of the Nanny State to control those who seek to enter, and travel within, Western Australia.  

Although Genvis’s G2G PASS Privacy Policy indicates that an applicant’s personal information will be handled “in accordance with privacy laws”, Western Australia does not have a privacy law and, hence, it becomes easier to introduce processes which potentially violate the privacy of travellers. However, in its general Privacy Policy, Genvis indicates that it is “committed to managing personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth)… and in accordance with other applicable privacy laws.”  

Australia urgently needs a sensible national policy on travel passports. What is happening in Western Australia (and Tasmania which also requires the G2G PASS) distorts a person’s basic rights to privacy and the free movement of people in Australia.  

Hence, it is important that the G2G PASS be revisited to ascertain its impact on the privacy rights of people, and to ensure that the contradictions and inconsistencies between the various relevant documents are eliminated. Ultimately, the aim of this revision should be to ensure that the G2G PASS “strikes an appropriate balance between the project objectives and the resulting privacy impacts.”  

Gabriël A. Moens AM is an emeritus professor of law at The University of Queensland. He served as dean of law and pro vice-chancellor at Murdoch University. He is also the emeritus editor-in-chief of the International Trade and Business Law Review and has taught extensively across Europe, Asia, and North America. He is the author of short stories and a novel on the origins of the Covid-19 virus, “A Twisted Choice”, published by Boolarong Press, 2020.