New COVIDSafe legislation has been passed by the federal government to supplement the COVIDSafe app by providing strong, ongoing privacy protection.
The Australian government launched the COVIDSafe app in late April. The app is designed to track, via Bluetooth, the movements of a person infected with COVID-19 to ensure state and territory health authorities can contact anyone who may have come into close contact with an infected individual.
The newly passed Privacy Amendment (Public Health Contact Information) Bill 2020 (Bill) governs how government entities collect, use and disclose COVIDSafe data and ensures that all data collected by the app is securely stored within Australia.
The legislation is aimed at giving Australians the confidence to download the app, as the government increases its efforts to get many more Australian citizens to sign up and help track the spread of COVID-19. At the time of writing, downloads of the app had reached 5.6 million.
The Bill was structured as an amendment to the Privacy Act 1988 (Cth) (Privacy Act).
The approved amendments to the Privacy Act:
- Ensure that COVIDSafe data can only be collected, used and disclosed by a person employed by, or in the service of, a state or territory health authority for the sole purpose of COVID-19 contact tracing;
- Require users to provide consent before data from their device is uploaded, in encrypted form, to the National COVIDSafe Data Store (Data Store). The information uploaded to the Data Store can only be accessed by state and territory health authorities for the sole purpose of contact tracing;
- Extend the Privacy Act's Notifiable Data Breaches scheme (NDB Scheme) to apply to COVIDSafe data. The NDB Scheme requires organisations and agencies to notify affected individuals and the Office of the Australian Information Commissioner (OAIC) when a data breach involving COVIDSafe data is likely to result in serious harm;
- Grant the OAIC oversight of the COVIDSafe app. The OAIC will manage complaints about mishandling of COVIDSafe data and conduct relating to the maintenance and handling of data. If required, the OAIC can refer complaints to the Australian Federal Police;
- Require that all COVIDSafe data stored on mobile devices and in the Data Store be deleted at the end of the COVID-19 pandemic; and
- Create a series of offences punishable by up to five years in prison, a $63,000 fine, or both for anyone who collects, uses or discloses COVIDSafe data outside of the designated purposes, uploads COVIDSafe data to the Data Store without the user's consent, or attempts to decrypt encrypted COVIDSafe data stored on a mobile device. It will also be an offence to require a person to download or use the app.
If you have any questions or concerns, DWF has a team of expert Privacy lawyers who can advise you on Australian privacy law. Please do not hesitate to contact Alex Ninis or Marcus Hannah should you require further information.
We would like to acknowledge the contribution of Serpil Bilgic to this article.