COVIDSafe legislative framework: An overview - Data Protection

A recent amendment to Australia's privacy laws has enshrined key privacy and data measures to support the operation of COVIDSafe and its centralised data store.

On 16 May 2020, royal assent was provided to Schedule 1 of the Privacy Amendment (Public Health Contact Information) Act 2020 (PHCI Act) which amends the Privacy Act 1988 (Privacy Act). The PHCI Act repeals the previous Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements—Public Health Contact Information) Determination 2020 (Biosecurity Determination) made under the Biosecurity Act 2015.

The Biosecurity Determination accompanied COVIDSafe's expeditious release to the public for download by providing basic privacy and data security measures, which had the force of law.

The PHCI Act expands upon and supersedes the initial measures created under the Biosecurity Determination¹ by providing further privacy and data security protections regarding the operation of the COVIDSafe mobile app and the use, collection and disclosure of COVIDSafe app data.

The objective of the PHCI Act is to assist in preventing and controlling the entry, emergence, establishment or spread of COVID-19 by providing stronger privacy protections for COVID app data and COVIDSafe users.

COVIDSafe: a snapshot

COVIDSafe is a contact tracing app which provides notice to users when they have come into close proximity (1.5 metres), for a period of 15 minutes or more, with another person who has been diagnosed with COVID-19 (and who has consented to that information being disclosed for the purposes of contact tracing). Users' devices communicate via Bluetooth signals, noting interactions or 'digital handshakes' between users who have downloaded the application.

Data gathered relating to a user's interactions are stored and processed locally on the user's device in an encrypted form. Users that have tested positive to COVID-19 may voluntarily submit their diagnosis and contact tracing data to a centralised data server, in order to facilitate the contact tracing process. Health authorities can then access and decrypt users' personal information on the central data sever for prescribed purposes.

There is no prescribed security standard for the COVIDSafe app data, either while residing on a user's device, residing on the centralised data server or when it is used for contact tracing.

Collection, use and disclosure of COVIDSafe data

According to the prescribed list set out under the PHCI Act, COVIDSafe app data can only be used, collected and disclosed for the purposes of:

undertaking contact tracing (this right extends only to persons employed by State or Territory health authorities);
enabling contract tracing for State or Territory health authorities, or ensuring the proper functioning, integrity or security of COVIDSafe or the data store (this right only extends to the data store administrator or relevant contracted service providers to the administrator);
transferring encrypted data between users' communications devices through COVIDSafe or from users' devices to the data store;
enabling the Commissioner to perform its functions or exercise its powers under the PHCI Act;
investigating or prosecuting persons for breaches of the PHCI Act;
producing de-identified statistical information about the total number of registrations through COVIDSafe (this right only extends to the data store administrator); or
confirming that the correct data has been deleted, where a request for deletion has been made by a user (this right only extends to the data store administrator).

The COVIDSafe app data may not be used for any other purpose, and cannot be used to enforce other laws unrelated to contact tracing. Decrypting communications device data is an offence.

The PHCI Act carves out an exception regarding COVIDSafe app data that has been collected incidentally to the collection of other non-COVID app data, provided the person that has incidentally collected such information deletes it after becoming aware of the collection.

The legislation provides a penalty of five years imprisonment or A$63,000 when contravening requirements under the PHCI Act.

Users' rights under the PHCI Act

The PHCI Act declares that COVIDSafe app data relating to an individual is taken to be personal information about the individual, for the purposes of the Privacy Act. As a result, the Australian Privacy Principles (APPs) apply in relation to the COVIDSafe app data, and any breaches of the requirements under the PHCI Act will be considered an interference with the privacy of an individual.

The PHCI Act sets out some further user rights in relation to their COVIDSafe app data:

Right of deletion of data. Users are able to request that the data store administrator delete any registration data of the person (e.g. mobile number) that has been uploaded to the data store. If it is not practicable to do so, the administrator must not use or disclose the data for any purpose. This right of deletion does not apply to app data that has been de-identified. Furthermore, any person that receives COVID app data in error must delete the data as soon as practicable, and notify the data store administrator that they received the data.
Right of consent to upload user information. Users must provide consent before their COVIDSafe app data can be uploaded from their device to the data store. Users who have been diagnosed with COVID-19 may voluntarily upload their health information to the data store.
Rights of refusal to use the app. The PHCI Act prevents persons from requiring others to:
- download COVIDSafe on their communication devices:
- operate COVIDSafe on their device: or
- provide consent upload their user app data onto the data store.

There are also prohibitions that prevent discrimination against a person on the above grounds (e.g. persons cannot be excluded from any premises or be denied any good or service).

Other noteworthy items under the PHCI Act

Other items of note under the PHCI Act include:

Storage limitations. The data store administrator must take reasonable steps to ensure that COVIDSafe app data is not retained on a communication device for more than 21 days, or for the shortest practicable period.
Eligible data breach. Breaches of any requirement under the PHCI Act by the data store administrator, its officers, employees, or contracted service providers may be treated as an eligible data breach. Individuals to whom the data relates are taken to be at risk from this breach. This also applies to breaches by the State or Territory health authority and its employees.
Commissioner's powers: There are a range of powers granted to the Commissioner, including:
- the power to conduct an assessment relating to whether the acts of relevant authorities in relation to COVIDSafe app data have complied with the PHCI Act;
- the power to require the relevant authorities to provide notice of any eligible data breach – the authority must comply with the notification requirements where the breach may result in serious harm; and
- the power to transfer any COVID data-related privacy complaints made under the Privacy Act to the relevant State or Territory authority.

Footnote

¹See our previous publication on COVIDSafe that discusses the measures introduced by the Biosecurity Determination, and a summary of the key features of the COVIDSafe mobile application here.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.