(May 29, 2020) On May 15, 2020, the Privacy Amendment (Public Health Contact Information) Act 2020 (Cth) was enacted in Australia. The act adds a new part to the Privacy Act 1988 (Cth) that specifically regulates the use and disclosure of data collected when people download and use the Australian government’s COVID-19 contact tracing mobile phone application, COVIDSafe.
About the App
The COVIDSafe app was launched on April 26, 2020. The app is voluntary to download and uses Bluetooth to detect and record a person’s contacts with other users; it does not record location information. The app generates encrypted references codes for each user and also stores, in an encrypted form, the date, time, and proximity of a user’s contacts on their phone. Users are unable to access this information. User contacts are automatically deleted 21 days after they have been stored on the phone.
When a user tests positive for COVID-19, state and territory health officials who undertake contact tracing will ask the user for permission to upload the data from the app into a central storage system. The information will then be used to support their usual contact tracing processes.
At the end of the pandemic, users will be prompted to delete the app, and all information in the central storage system will also be deleted.
The privacy policy applicable to the app is available online.
Interim Determination
At the time the app was launched, the minister for health issued an interim determination under the Biosecurity Act 2015 (Cth) containing privacy protections that would apply until primary legislation was enacted. The provisions of the determination ensured that data from the app would be used only to support contact tracing efforts; required that users consent to have data from their device uploaded to the data store; prevented app data from being retained or disclosed outside Australia; required that all data in the data store be deleted at the end of the pandemic; and provided that no one can be forced to download or use the app or upload data to the data store. A breach of these requirements was made a criminal offense.
Legislation
The government introduced a bill to enshrine and extend the above protections into law on May 12, 2020. The bill was enacted on May 15, 2020. The resulting Privacy Amendment (Public Health Contact Information) Act 2020 contained additional protections that included providing for the national privacy regulator—the Office of the Australian Information Commissioner (OAIC)—to have oversight of the app data; extending the Privacy Act’s Notifiable Data Breaches provisions to apply to the app data; legally obligating the administrator of the data store to delete registration data on request; setting out a process for data to be deleted at the end of the pandemic; and requiring that the minister for health and the OAIC submit reports regarding the app.
Impact of the App
On May 24, 2020, the minister for health stated that the COVIDSafe app had reached six million downloads (about 23% of the total population) and that it is “helping state and territory public health officials automate and improve manual contact tracing of the coronavirus.” He further stated that “the COVIDSafe app is playing a significant role in Australia’s world-leading health response to the coronavirus pandemic, with several countries having expressed interest in learning from its positive impacts in Australia.”
However, various commentators have raised concerns about the app, including its effectiveness and privacy implications, and have argued that use of the data by state and territory officials has so far been very limited.