Exposure draft legislation on the COVIDSafe app published

On 25 April 2020, the Minister for Health issued a determination under the Biosecurity Act to allow for the launch of the Federal Government's COVIDSafe app (the Determination), to enable State and Territory health authorities to conduct "contact tracing" for users of the app who had been exposed to COVID-19. What is undoubtedly an unprecedented measure to help fight the "invisible enemy", the app has been the subject of much concern in respect of privacy issues.

 

The Federal Government has recently circulated its "exposure draft" bill to the public, Privacy Amendment (Public Health Contact Information) Bill 2020 (the COVIDSafe Bill), to formalise in law the interim legal framework set up by the Determination. Tellingly, the Government proposes to introduce strict criminal punishment for any person that uses the data for a purpose other than "contact tracing", as a clear attempt to alleviate privacy concerns in relation to the app.

The COVIDSafe app

The COVIDSafe app is a tool to digitise "contact tracing", a method that had been conducted manually by health officials to manage and map the outbreak of COVID-19.  The COVIDSafe app is designed to fast-track that process, by promptly identifying and contacting people who may have been exposed to the virus.

When you download the app, you are asked to provide your name, mobile number, postcode and age range. The COVIDSafe Bill acknowledges that this is "personal information" for the purpose of the Privacy Act 1988 (Cth) (Privacy Act).

The COVIDSafe app utilises Bluetooth technology to record close interactions between the user and another user of the app who has Bluetooth enabled. When you interact with another user, the app notes the "digital handshake" by recording the date, time, distance and duration of contact. Importantly, the app does not save your location.

In the event that a user is tested positive for COVID-19 and subject to the consent of that user, the data will be uploaded into the National COVIDSafe Data Store (Data Store), a national database administered by the Department of Health or the Digital Transformation Agency (administrator). The health officials will be able to access this information to contact the user or the user's parent or guardian to complete the "contact tracing" and offer advice on what the exposed user should do to protect themselves and/or to those they have been in close contact.

Permitted collection, use or disclosure of your data

Pursuant to the COVIDSafe Bill, it is proposed that the collection, use or disclosure of the app data is permitted:
  1. by a person who is "employed by, or in the service of, a State or Territory health authority" for the purpose of contact tracing;
  2. by a person who is "an officer, employee or contractor of the data store administrator" for the purpose of enabling contact tracing by an authorised person identified at (1) or to ensure the "proper functioning, integrity or security of COVIDSafe or the [Data Store]";
  3. for collection or disclosure of the app data, for the purpose of transferring the encrypted data, through the app, between mobile devices or from the mobile device to the Data Store;
  4. for the Privacy Commissioner to exercise its powers under or in relation to the relevant part of Privacy Act;
  5. for investigating possible breach or for prosecuting a person for an offence of such breach; or
  6. by the administrator for the purpose of "producing de-identified statistical information about the total number of registrations through [the COVIDSafe app]".
Importantly, COVIDSafe data will only be uploaded from a phone to the Data Store if consent has been granted by the user, or a parent, guardian or carer of the user (in the event that the user is unable to provide consent).

Deleting your data

The bill provides that the administrator must "take all reasonable steps" to ensure that the COVID app data is deleted from the mobile device within 21 days or otherwise, "for [not] longer than the shortest practical period" after 21 days. The purpose of the 21-day period is to account for the known incubation period of COVID-19 and delays in getting tested and obtaining results.

When you delete the COVIDSafe app, your information will not immediately be deleted from the Data Store. The COVIDSafe Bill makes provision for the user to be able to request the administrator "to delete any registration data of the person that has been uploaded from the device to the [Data Store]". Following such request, the administrator "(a) must take all reasonable steps to delete the data from the [Data Store] as soon as practicable; and (b) if it is not practicable to delete the data immediately – must not use or disclose the data for any purpose".  However, if your data relates to another person that was (a) uploaded from another device by another COVIDSafe user, and (b) collected following a "digital handshake" with that other person, it will remain in the Data Store.

Your information will only delete from the Data Store following a declaration made by the Health Minister if is satisfied that, by the specified date, use of the COVIDSafe app is no longer required to prevent or control, or no longer likely to be effective in preventing or controlling, COVID-19 in Australia.

Prior to making the declaration, the Health Minister must consult the Commonwealth Chief Medical Officer or the Australian Health Protection Principal Committee, who can make recommendations to the Health Minister.

Penalties and remedies

Perhaps the most notable difference between the Determination and the COVIDSafe Bill is the strengthening of the privacy protections through significant deterrent measures for misuse of the data, including a maximum jail sentence of five years, a fine of 300 penalty units (currently equates to $63,000), or both.

Further, as the COVIDSafe Bill proposes to amend the Privacy Act, aggrieved users will be able to take enforcement action under the Privacy Act for breach/es that would constitute an "interference with privacy", and therefore be able to access the remedies prescribed by it, including but not limited to compensation.

What next

Although the COVIDSafe Bill is largely similar to the Determination, it is not law. It remains in draft form. The COVIDSafe Bill needs to pass both houses of Parliament and receive Royal Assent to become law. However, it is expected that the bill will be introduced to Parliament in the week commencing 11 May 2020.

The COVIDSafe bill is no doubt one of the most significant steps taken by the Federal Government in its efforts to eradicate the virus. It will be interesting to see whether any changes occur (if any) – including whether further privacy protections are included, as this will be a primary concern for the Federal Government that would assist to "encourage public acceptance and uptake of [the COVIDSafe app]" to attain its target of 40% of the Australian population.

Contributors

Gidon Kangisser Lawyer