On 15 May 2020 the Privacy Amendment (Public Health Contact Information) Act 2020 (Cth) (Amendment Act) received the royal assent.
The Amendment Act amended the Privacy Act 1988 (Cth) (Privacy Act) by inserting new provisions for regulating the handling of “COVID app data” which is collected through the Government’s COVIDSafe mobile application.
What is COVIDSafe?
COVIDSafe is a voluntary mobile app that may assist Australia's efforts to combat the spread of COVID-19, by enabling exposure notification to individual users.
COVIDSafe works by using Bluetooth signals from personal mobile devices to record encrypted data about close contacts (of at least 15 minutes' duration) with other users. If a user later tests positive for COVID-19, they have the option of uploading the encrypted data from their personal device to the “National COVIDSafe Data Store” database. State and Territory contact tracers can then access that database to anonymously notify the positive user's close contacts that they may have been exposed to COVID-19. This may assist contact tracers to inform people at risk of COVID-19 about what to do next, such as getting tested.
In late April 2020, the Minister for Health, the Hon Greg Hunt MP, made a determination under the Biosecurity Act 2015 (Cth) to provide interim privacy protections for information that users voluntarily provide through COVIDSafe.
What has changed?
The Amendment Act repealed the Minister's determination and amended the Privacy Act to incorporate a number of privacy protections relating to the handling of COVID app data. This includes enabling the Australian Information Commissioner (Commissioner) to oversee the use of, and giving individuals the ability to make complaints to the Commissioner about, information which is collected, used and disclosed in relation to COVIDSafe.
The protections include:
- prohibiting a person from requiring an individual to download, use or upload data through COVIDSafe. This includes making it an offence for a person (including an employer) to refuse to enter into, or continue, an arrangement or contract (including an employment contract), or to take adverse action against a person, if they have not downloaded or are not actively using COVIDSafe;
- requiring informed consent before the Commonwealth collects data relating to a person through COVIDSafe;
- limiting the ability to disclose COVID app data that is or has been stored in the Commonwealth’s National COVIDSafe Data Store outside of Australia;
- ensuring that if a person suffers loss as a result of misuse of their COVID app data (whether by the Commonwealth, a State/Territory or a contracted service provider), they can seek compensation or other remedies for any loss suffered;
- requiring the Commonwealth to delete the National COVIDSafe Data Store when the Health Minister determines that COVIDSafe is no longer required or is no longer likely to be effective as part of Australia’s response to COVID-19. The Bill does not impose any specific timing for this step, but requires that the Determination be based on consultation with or a recommendation from the Commonwealth Chief Medical Officer or the Australian Health Protection Principal Committee;
- mandating a six-month review of the operation and effectiveness of COVIDSafe, the National COVIDSafe Data Store, and these amendments to the Privacy Act; and
- making breach of the COVIDSafe privacy requirements a criminal offence (subject to imprisonment for five years or 300 penalty units, or both), a breach of the Privacy Act, or both.
What won't the amendments do?
The definition of "COVID app data" does not expressly include the individual's mobile phone number. While a person can use COVIDSafe pseudonymously (that is, they can use a different name when setting up the app on their device), their personal device's phone number is verified when COVIDSafe is set up.
Further, the amendments will not restrict the use or disclosure of any derived information that is created as a 'by-product' of information collected or generated by or in connection with COVIDSafe.
Accordingly, whether a user's mobile phone number or any derived information will be generally protected as 'personal information' will depend on the usual operation of the Privacy Act.
What’s next?
The amendments to the Privacy Act took effect on Friday 15 May 2020. On the same day, the Acting Secretary of the Health Department made a determination that the Digital Transformation Agency is the "data store administrator" responsible for managing COVID app data.
The federal government hopes that at least 40% of Australians will install and use COVIDSafe on their personal devices.
After the COVID-19 pandemic is declared to have ended, the data store administrator must (as soon as reasonably practicable) delete all COVID app data from the National COVIDSafe Data Store and notify COVIDSafe users to delete the app from their personal devices. Deleting the COVIDSafe app will also remove locally-stored COVID app data on a user's device.
Additionally, the Health Minister must report to federal parliament on the operation and effectiveness of COVIDSafe and the National COVIDSafe Data Store, and do so every six months during the COVIDSafe operating period and within approximately six months after the pandemic ends.
If you would like more information about these recent amendments to the Privacy Act, or guidance in handling personal information especially during COVID-19, please contact our Intellectual Property & Technology team.