On 26 April 2020, the Australian Government released the COVIDSafe app to provide a new tool for state and territory health authorities to undertake contact tracing for people exposed to coronavirus (COVID-19).
Upon its release, COVIDSafe was supported by interim privacy protections outlined in a determination made under the Biosecurity Act 2015.
On 14 May 2020, Parliament passed the Privacy Amendment (Public Health Contact Information) Act to support the COVIDSafe app and provide strong ongoing privacy protections.
The Act is available for download on the Federal Register of Legislation.
COVIDSafe is a voluntary application that can be installed on Android and iOS personal devices to assist Australia's efforts to combat the spread of COVID-19.
COVIDSafe works by using Bluetooth signals to record encrypted data about close contacts with other users. When a user tests positive for COVID-19, they have the option of uploading the encrypted data on their device to the National COVIDSafe Data Store. State and territory contact tracers can access the National COVIDSafe Data Store to anonymously notify the positive user's close contacts that they may have been exposed to COVID-19. This allows contact tracers to inform people at risk of COVID-19 about what to do next, such as getting tested.
Having confidence that COVID-19 outbreaks can be found and contained quickly will mean governments can ease restrictions while still keeping Australians safe.
Determination under the Biosecurity Act 2015
The Minister for Health, the Hon Greg Hunt MP, made a determination under the Biosecurity Act 2015 on 25 April 2020 to provide strong interim privacy protections for information that Australians provide through COVIDSafe.
The determination contained provisions that:
- ensured that data from COVIDSafe is only used to support state and territory health authorities' contact tracing efforts, and only to the extent required to do so
- outlined limited additional circumstances when data from COVIDSafe can be used, including to investigate a breach of the determination and allow the administrator of the National COVIDSafe Data Store to produce de-identified statistics about COVIDSafe registrations
- required that users must consent before data from their device can be uploaded to the National COVIDSafe Data Store
- prevented data from COVIDSafe being retained outside of Australia, and protected against unauthorised disclosure outside of Australia
- required all COVIDSafe data held in the National COVIDSafe Data Store to be deleted at the end of the COVID-19 pandemic
- protected against decryption of COVIDSafe data stored on users' devices
- provided that no one can be forced to download or use COVIDSafe or upload their data to the National COVIDSafe Data Store.
A breach of these requirements was made a criminal offence, and remains a criminal offence under the Privacy Amendment (Public Health Contact Information) Act 2020.
The Australian Government has now enshrined the determination's privacy protections in primary legislation.
The Privacy Amendment (Public Health Contact Information) Act 2020 replaces the determination and includes all of the requirements outlined by the determination. Breaching these requirements remains a criminal offence. Breaches may now also be treated as breaches of the Privacy Act 1988.
The legislation also introduced the following additional protections:
- The national privacy regulator, the Office of the Australian Information Commissioner (OAIC), now has oversight of COVIDSafe data. They can manage complaints about mishandling of COVIDSafe data and conduct assessments relating to maintenance and handling of that data.
- The Privacy Act's Notifiable Data Breaches scheme has been extended to apply to COVIDSafe data.
- The interaction between the powers and obligations of the OAIC in relation to COVIDSafe data with the powers of state and territory privacy regulators and the Australian Federal Police have been clarified.
- The administrator of the National COVIDSafe Data Store is now legally obligated to delete users' registration data upon request.
- An individual is now required to delete COVIDSafe data if they receive it in error.
- No data is allowed to be collected from users who have chosen to delete COVIDSafe.
- A process is now in place for COVIDSafe data to be deleted at the end of the COVID-19 pandemic and users to be notified accordingly.
- The Minister for Health must report on the operation and effectiveness of the COVIDSafe app and the National COVIDSafe Data Store every 6 months.
- The Information Commissioner must report on the performance of her functions and the exercise of her powers in relation to Part VIIIA of the Privacy Act every 6 months.
Prior to its introduction into Parliament, we publicly released a draft of the legislation.
Information Law Unit
Information Law and Intelligence Review Response Taskforce
Integrity and Security Division
Call: 02 6141 6666
Address: 3-5 National Circuit, Barton, ACT 2600