The Federal Government has recently circulated its "exposure draft" bill to the public, Privacy Amendment (Public Health Contact Information) Bill 2020 (the COVIDSafe Bill), to formalise in law the interim legal framework set up by the Determination. Tellingly, the Government proposes to introduce strict criminal punishment for any person that uses the data for a purpose other than "contact tracing", as a clear attempt to alleviate privacy concerns in relation to the app.
When you download the app, you are asked to provide your name, mobile number, postcode and age range. The COVIDSafe Bill acknowledges that this is "personal information" for the purpose of the Privacy Act 1988 (Cth) (Privacy Act).
The COVIDSafe app utilises Bluetooth technology to record close interactions between the user and another user of the app who has Bluetooth enabled. When you interact with another user, the app notes the "digital handshake" by recording the date, time, distance and duration of contact. Importantly, the app does not save your location.
In the event that a user is tested positive for COVID-19 and subject to the consent of that user, the data will be uploaded into the National COVIDSafe Data Store (Data Store), a national database administered by the Department of Health or the Digital Transformation Agency (administrator). The health officials will be able to access this information to contact the user or the user's parent or guardian to complete the "contact tracing" and offer advice on what the exposed user should do to protect themselves and/or to those they have been in close contact.
When you delete the COVIDSafe app, your information will not immediately be deleted from the Data Store. The COVIDSafe Bill makes provision for the user to be able to request the administrator "to delete any registration data of the person that has been uploaded from the device to the [Data Store]". Following such request, the administrator "(a) must take all reasonable steps to delete the data from the [Data Store] as soon as practicable; and (b) if it is not practicable to delete the data immediately – must not use or disclose the data for any purpose". However, if your data relates to another person that was (a) uploaded from another device by another COVIDSafe user, and (b) collected following a "digital handshake" with that other person, it will remain in the Data Store.
Your information will only delete from the Data Store following a declaration made by the Health Minister if is satisfied that, by the specified date, use of the COVIDSafe app is no longer required to prevent or control, or no longer likely to be effective in preventing or controlling, COVID-19 in Australia.
Prior to making the declaration, the Health Minister must consult the Commonwealth Chief Medical Officer or the Australian Health Protection Principal Committee, who can make recommendations to the Health Minister.
Further, as the COVIDSafe Bill proposes to amend the Privacy Act, aggrieved users will be able to take enforcement action under the Privacy Act for breach/es that would constitute an "interference with privacy", and therefore be able to access the remedies prescribed by it, including but not limited to compensation.
The COVIDSafe bill is no doubt one of the most significant steps taken by the Federal Government in its efforts to eradicate the virus. It will be interesting to see whether any changes occur (if any) – including whether further privacy protections are included, as this will be a primary concern for the Federal Government that would assist to "encourage public acceptance and uptake of [the COVIDSafe app]" to attain its target of 40% of the Australian population.