11 June 2020
A recent amendment to Australia’s privacy laws has enshrined key privacy and data measures to support the operation of COVIDSafe and its centralised data store.
On 16 May 2020, royal assent was provided to Schedule 1 of the Privacy Amendment (Public Health Contact Information) Act 2020 (PHCI Act) which amends the Privacy Act 1988 (Privacy Act). The PHCI Act repeals the previous Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements—Public Health Contact Information) Determination 2020 (Biosecurity Determination) made under the Biosecurity Act 2015.
The Biosecurity Determination accompanied COVIDSafe’s expeditious release to the public for download by providing basic privacy and data security measures, which had the force of law.
The PHCI Act expands upon and supersedes the initial measures created under the Biosecurity Determination by providing further privacy and data security protections regarding the operation of the COVIDSafe mobile app and the use, collection and disclosure of COVIDSafe app data.
The objective of the PHCI Act is to assist in preventing and controlling the entry, emergence, establishment or spread of COVID-19 by providing stronger privacy protections for COVID app data and COVIDSafe users.
COVIDSafe is a contact tracing app which provides notice to users when they have come into close proximity (1.5 metres), for a period of 15 minutes or more, with another person who has been diagnosed with COVID-19 (and who has consented to that information being disclosed for the purposes of contact tracing). Users’ devices communicate via Bluetooth signals, noting interactions or ‘digital handshakes’ between users who have downloaded the application.
Data gathered relating to a user’s interactions are stored and processed locally on the user’s device in an encrypted form. Users who have tested positive to COVID-19 may voluntarily submit their diagnosis and contact tracing data to a centralised data server, in order to facilitate the contact tracing process. Health authorities can then access and decrypt users’ personal information on the central data server for prescribed purposes.
There is no prescribed security standard for the COVIDSafe app data, either while residing on a user’s device, residing on the centralised data server or when it is used for contact tracing.
According to the prescribed list set out under the PHCI Act, COVIDSafe app data can only be used, collected and disclosed for the purposes of:
The COVIDSafe app data may not be used for any other purpose, and cannot be used to enforce other laws unrelated to contact tracing. Decrypting communications device data is an offence.
The PHCI Act carves out an exception regarding COVIDSafe app data that has been collected incidentally to the collection of other non-COVID app data, provided the person that has incidentally collected such information deletes it after becoming aware of the collection.
The legislation provides a penalty of five years’ imprisonment or A$63,000 for contravening requirements under the PHCI Act.
The PHCI Act declares that COVIDSafe app data relating to an individual is taken to be personal information about the individual, for the purposes of the Privacy Act. As a result, the Australian Privacy Principles (APPs) apply in relation to the COVIDSafe app data, and any breaches of the requirements under the PHCI Act will be considered an interference with the privacy of an individual.
The PHCI Act sets out some further user rights in relation to their COVIDSafe app data:
There are also prohibitions that prevent discrimination against a person on the above grounds (e.g. persons cannot be excluded from any premises or be denied any good or service).
Other items of note under the PHCI Act include:
This publication is part of our insight series COVID-19: Navigating the implications for business in Australia and beyond.