
The ‘COVIDSafe Bill’: How safe is our data?

Posted by Rebecca Hegarty, Isabella Krstanovski on 13 May 2020

On 26 April 2020, the Federal Government launched the COVIDSafe app (App), which is a contact tracing app designed to trace close contacts of individuals who have tested positive for COVID-19. The Federal Government has encouraged Australians to download the App in a bid to slow the spread of COVID-19 and to begin lifting restrictions. However, there have been privacy concerns surrounding the App. To alleviate the concerns, the Federal Government released the draft Privacy Amendment (Public Health Contact Information) Bill 2020 (Cth) (Bill), which was introduced into Parliament in the week of 11 May 2020. The Bill will supersede the determination under the Biosecurity Act 2015 (Cth) and is an amendment to the Privacy Act 1988 (Cth) (Privacy Act).

What protections does the Bill introduce?

  1. The collection, use and disclosure of information from the App

The Bill specifies that the data from the App can only be collected, used or disclosed if a person is ‘employed by, or in the service of, a State or Territory health authority, and the collection, use or disclosure is for the purpose of . . . undertaking contact tracing’. Data can also be collected or disclosed for the purpose of transferring encrypted data between mobiles or transferring data to the National COVIDSafe Data Store (Data Store).

  2. Penalties for contraventions

If someone collects, uses or discloses data from the App for purposes that are not permitted by the Act, they could receive the maximum penalty of five years’ imprisonment and/or a $63,000 fine.

  3. State and Territory health authorities subject to the Privacy Act

The Bill prescribes that State and Territory authorities are also subject to the Act to the extent that the authority deals with the App, or the activities of the authority relate to the App. They will be treated as ‘organisations’ under the Act to the extent that they deal with the App.

  4. Deletion of data

If an App user asks the National COVIDSafe Data Store administrator to delete any registration data, the administrator:

  1. ‘must take all reasonable steps to delete the data from the Data Store as soon as practicable; and,
  2. if it [is] not practicable to delete the data immediately - [the administrator] must not use or disclose the data for any purpose’.

In addition to the administrator’s requirement to delete any registration data upon request, the administrator must also take reasonable steps to ensure that the App data is not retained on a device for more than 21 days from the date that the data is obtained.

  5. The end of the COVID-19 pandemic

A process for the deletion of the data from the App has also been outlined for the end of the COVID-19 pandemic. When the Health Minister determines that COVIDSafe is no longer required, the National COVIDSafe Data Store administrator must:

  • not collect any App data, or make COVIDSafe available for download;
  • as soon as reasonably practicable, delete all App data from the Data Store; and,
  • take reasonable steps to inform all users that all data has been deleted, App data can no longer be collected, and that they should delete the App.

There is no requirement for any de-identified data to be deleted. However, as the data is currently stored in Australia, there is some additional comfort in the fact that the data is hosted by local infrastructure.

Who will manage complaints?

The Office of the Australian Information Commissioner will manage complaints with respect to the App.

Conclusion

It is evident that the Bill is a positive step forward in providing additional privacy protections for users of the App. The Bill provides some clarity by clearly stating the purposes for which App data can be collected, used and disclosed, broadening the organisations that may be subject to the Act, giving users the ability to request the deletion of their registration data, and providing a process for the deletion of App data when the COVID-19 pandemic is over.

If you have any questions or concerns relating to any of the items discussed in this blog, please do not hesitate to contact a member of Coleman Greig’s Commercial Advice team, who would be more than happy to assist you today.