COVIDSafe app: exposure draft of privacy legislation released

By John Gray, Alison Choy Flannigan and Lauren Krejci

The Federal Government launched the COVIDSafe app in a bid to manage and control the spread of COVID-19 as state and territory governments begin to ease lockdown restrictions. The main purpose of the app is to assist with contact tracing.

As with other COVID-19 initiatives, the issue is balancing protecting the vulnerable of our community and the privacy rights of individuals.

Draft exposure of privacy legislation

The Federal Government released the exposure draft of legislation amending the Privacy Act today on 5 May 2020. The Privacy Amendment (Public Health Contact Information) Bill 2020 (Cth) (Privacy Amendment Bill) deals with:

• non-permitted collection, use or disclosure relating to COVID app data;
• uploading relating to COVID app data without consent;
• retaining or disclosing uploaded data outside Australia;
• decrypting encrypted COVID app data; and
• requiring participation in relation to COVIDSafe.

The amendments to the Privacy Act are in addition to, and should be read in conjunction with, the Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements – Public Health Contact Information) Determination 2020.

The Federal Government has been working to implement strong interim privacy protections into privacy legislation.

The principal offence under section 94D of the amended Privacy Act prohibits the ‘collection, use or disclosure’ of COVIDSafe app data for purposes that are not permitted under the Act.

The maximum penalty is imprisonment for five years or 300 penalty units ($63,000) or both.  In addition, a ‘serious data breach’ can incur higher penalties.

Permitted uses include enabling contact tracing by persons employed by, or in the service of, state or territory health authorities or ensuring the proper functioning, integrity or security of COVIDSafe or of the National COVIDSafe Data Store.

How does the COVIDSafe app work?

The app enables public health officials to quickly identify and contact people who may have been exposed to COVID-19. Close contacts with confirmed cases can be advised to take measures earlier, such as testing or self-isolating, in order to stop the further spread of the virus.

Users who download the app are given unique encrypted reference codes, which can recognise other devices that have also installed the app and enabled Bluetooth. The app will record data such as the date, time and duration of your contact with another user’s reference code. The distance between users will also be recorded based on the strength of Bluetooth connections. However, the app will not record location data.

The information collected by the app is encrypted and stored securely on the user’s device. Data will automatically delete every 21 days in accordance with the incubation period for COVID-19.

The Government has announced that a certain number of people need to download and use the app before lockdown requirements are released.

What happens when an app user tests positive for COVID-19?

State and territory health officials can only access the data stored by the app if the user in possession or control of the device provides consent.

If a COVIDSafe user tests positive for COVID-19, the data from the app, such as their contact information and their exposure to other COVIDSafe user IDs, will be uploaded into the Commonwealth’s National COVIDSafe Data Store. The Commonwealth database is administered by the Department of Health and the Digital Transformation Agency.

Public health officials can use this data to inform people that they have been in contact with a confirmed case and discuss the next steps, such as when and where to get tested.

Restrictions

It is an offence to require a person to download the COVIDSafe app, to have it in operation or to consent to upload the COVIDSafe app data from a mobile to the National COVIDSafe Data Store.

It is an offence to refuse entry into a contractual arrangement, prevent access to public premises or premises that the other person has a right to enter and refuse the sale of goods or services on the grounds that another person has not downloaded the app.

The Act also applies general privacy measures to the COVIDSafe data by establishing the data as ‘personal information’.

For more detail on whether employers can ‘require’ employees to download the app, see our article COVIDSafe: can an employer direct employees to download or use the app?

Biosecurity Determination

According to the Determination, a person must not collect, use, disclose or otherwise deal with COVIDSafe data unless one of the exemptions listed in the instrument applies. For example, a public health official may collect, use or disclose COVIDSafe data if it is for the purpose of undertaking contact tracing.

The COVIDSafe Privacy Policy provides further information on how personal information will be collected, stored and disclosed.

Post-pandemic

The determination requires the Commonwealth to delete the COVIDSafe data stored in the National Data Store after the pandemic has concluded. Users will be required to delete the app from their devices, which will also delete all encrypted information stored by the app.

Downloading the COVIDSafe app is voluntary and it can be deleted at any time. However, this will not delete data already uploaded into the National Data Store or information already collected by other users. A user can expressly ask for their data in the National Data Store to be deleted before the conclusion of the pandemic by completing a request for data deletion form.