07/05/2020

Late Monday, the Federal Government released an exposure draft of its COVIDSafe contact-tracing app privacy legislation as an amendment to the Privacy Act 1988 (Cth) (the Privacy Act), the Privacy Amendment (Public Health Contact Information) Bill 2020 (the Bill).

The Bill improves on the privacy protections in respect of the use of the app and clarifies its non-coercive intent. However, as the Bill moves toward Parliamentary debate next week, some questions remain as to whether all privacy assurances are now captured.

With the Federal Government urging the community to continue to download the app, we examine these improvements and questions in the week since its launch.

What has been improved?

Oversight and governance

  • ‘COVID app data’ is ‘personal information’ for the purposes of the Privacy Act. This means that individuals have access to the complaints handling procedures under the Act where they allege ‘an interference with privacy’ and to the remedies under the Act where the Office of the Australian Privacy Commissioner (OAIC) finds a privacy breach. This may include compensation.
  • A breach of obligations by the Federal Health Department or a State or Territory health authority is deemed to be an ‘eligible data breach’ for the purposes of the notifiable data breach provisions under the Privacy Act. That is, any breach is deemed ‘likely to result in serious harm’ whether or not it in fact does. However, the assessment as to whether or not affected individuals are notified of a breach is undertaken by the OAIC rather than the Federal Health Department or relevant State or Territory health authority.
  • State and Territory health authorities are subject to the Act to the extent that an authority deals with, or its activities relate to, ‘COVID app data’, requiring them to handle the data consistently with existing federal privacy law (as opposed to the respective state and territory-based privacy legislation which is the normal course). They are also subject to the supervision of the OAIC in relation to their use of ‘COVID app data’.
  • The OAIC is empowered to share information with, and refer complaints to, State or Territory privacy authorities. Where the OAIC is satisfied that an offence has been committed, the OAIC must inform the Commissioner of the Australian Federal Police or the Commonwealth Director of Public Prosecutions.
  • In determining when use of the COVIDSafe app is no longer required, the Federal Minister for Health is required to consult with, and consider the recommendations of, the Commonwealth Chief Medical Officer or Australian Health Protection Principal Committee.

Deletion of data 

  • Following a determination by the Federal Minister for Health that the use of the COVIDSafe app is no longer required, the Federal Health Department is required to delete ‘COVID app data’, notify users of the deletion of the data, request that users delete the COVIDSafe app, cease collecting any data from the app and remove the ability of individuals to download the COVIDSafe app.
  • The Federal Health Department must take all reasonable steps to delete an individual’s data on their request. This request must be actioned as soon as practicable and, where not practicable, the Federal Health Department must not use or disclose the data prior to its deletion following the request. However, this does not apply in relation to an individual’s data recorded on another user’s device.
  • The Federal Health Department must not collect a user’s device data after the user has deleted COVIDSafe from their device.
  • The Federal Health Department must take all reasonable steps to ensure ‘COVID app data’ is not retained on a device for more than 21 days. If a strict 21 days is not possible, the data must be removed in the shortest practicable period after 21 days. It is not clear why a limited retention period does not also apply to the data uploaded to the national data store, although we note that APP 11 would apply generally in this regard.  
  • State and Territory health authorities are subject to the data minimisation principles in the Privacy Act, such as APP 6 (relating to the use or disclosure of personal information) and APP 11 (security of personal information).

Opting-in and opting-out of data sharing

  • The Bill also creates new offences essentially focused on not forcing Australians to download the app. For example, employers cannot coerce employees and venues cannot compel venue users to download the app. Time will tell whether discounts and rewards reportedly being offered by businesses as a way to induce Australians to download the app will meet this test. However, reported scenarios of businesses considering introducing their own ‘contact-tracing’ process by seeking personal information of people who wish to enter their place of business will not be subject to these provisions. 
  • It is an offence under the Bill for an individual to upload ‘COVIDSafe app data’ without the consent of the registered user of that device. This improves upon the drafting of the app’s temporary legal framework, which ties the required consent to the individual who has “possession or control of the device” rather than to the user who registered with the app on the relevant device.

Future proofing 

  • The Bill takes precedence over any existing Australian law that conflicts with its provisions, including restrictions on the access to and use of data. An exception allows for legislation passed after the Bill that expressly purports to override the operation of the Bill.

What remains a concern?

  • As drafted, the definition of ‘COVID app data’ does not expressly include linked data like metadata or derivative data that has not been directly ‘collected or generated’ through the operation of the app. Examples include data that is otherwise available to State and Territory health authorities, to the extent it is merged with data generated by the app, and data that is derived or transformed from COVID app data and to which other inputs have been added (although this data is likely to be covered by the respective state and territory-based privacy regimes). As the COVIDSafe app assists with one component of a longer contact-tracing process, the definition of COVID app data would ideally reflect the privacy assurances we have been given, including where data is processed or transformed by authorities.
  • There are no metrics to determine when the Minister for Health should declare the “pandemic has concluded”, although the Minister must consult with Australia’s medical leaders in this regard.
  • Given the concerns raised previously in relation to the location of the centralised data store housing the COVIDSafe app data, the Bill could be drafted with greater clarity as to the Federal Government’s obligation to store COVIDSafe app data in a data store located in Australia.  

What additional questions have arisen?

Ahead of its debate in Federal Parliament, it is unclear whether the final draft of the Bill will include interim reporting on the utilisation, efficacy and complaints made concerning the COVIDSafe app. These would assist in building and maintaining public trust in the app.

As the number of Australians who have downloaded the app passes 5 million, the community may be satisfied that existing protections are adequate, perhaps unless and until they have reason to believe otherwise. Given the application of the Privacy Act, including elements of the mandatory data breach notification provisions, to the use and disclosure of data collected by the COVIDSafe app, Australians will now have legislative protections in place to complain and investigate when their information is mishandled.

 

Authors: Sheila McGregor, Melissa Fai and Mitch Bennett
