Privacy Amendment (Public Health Contact Information) Bill 2020 passes the House of Representatives and the second reading in the Senate

May 14, 2020 |

With not much in the way of fanfare the House of Representatives passed the Privacy Amendment (Public Health Contact Information) Bill 2020 yesterday.  The Bill was introduced into the Senate yesterday and has passed the Second Reading.  It has been referred to a Committee.

The Bill passed in the House of Representatives relevantly provides:

1  Subsection 6(1)

Insert:

communication device means an item of customer equipment (within the meaning of the Telecommunications Act 1997 ).

contact tracing has the meaning given by subsection 94D(6).

COVID app data has the meaning given by subsection 94D(5).

COVIDSafe means an app that is made available or has been made available (including before the commencement of this Part), by or on behalf of the Commonwealth, for the purpose of facilitating contact tracing.

COVIDSafe user , in relation to a communication device, means the person whose registration data was uploaded from the device when the user was registered through COVIDSafe.

data store administrator means:

                     (a)  for the purposes of a provision of Part VIIIA specified in a determination under section 94Z—the agency specified in that determination (but not to the extent of any limitation in that determination); or

                     (b)  otherwise—the Health Department.

former COVIDSafe user has the meaning given by subsection 94N(2).

Health Department means the Department administered by the Health Minister.

Health Minister means the Minister administering the National Health Act 1953 .

in contact : a person has been in contact with another person if the operation of COVIDSafe in relation to the person indicates that the person may have been in the proximity of the other person.

National COVIDSafe Data Store means the database administered by or on behalf of the Commonwealth for the purpose of contact tracing.

registration data , of a person, means the information about the person that was uploaded from a communication device when the person was registered through COVIDSafe.

State or Territory health authority means the State or Territory authority responsible for the administration of health services in a State or Territory.

State or Territory privacy authority means a State or Territory authority that has functions to protect the privacy of individuals (whether or not the authority has other functions).

2  After Part VIII

Insert:

Part VIIIA Public health contact information

Division 1 Preliminary

94A   Simplified outline of this Part

There are several serious offences relating to COVID app data and COVIDSafe. They deal with:

â?¢      non-permitted collection, use or disclosure relating to COVID app data; and

â?¢      uploading COVID app data without consent; and

â?¢      retaining or disclosing uploaded data outside Australia; and

â?¢      decrypting encrypted COVID app data; and

â?¢      requiring participation in relation to COVIDSafe.

Other specific obligations relate to deletion of data and what is to happen after the COVIDSafe data period has ended (as determined by the Health Minister).

The general privacy law provided by this Act is applied to the requirements of this Part, in particular by:

â?¢      ensuring that COVID app data is taken to be personal information and breaches of this Part are interferences with privacy; and

â?¢      enhancing the Commissioner’s role in dealing with eligible data breaches, making assessments and conducting investigations in relation to this Part; and

â?¢      enabling the Commissioner to refer matters to, and share information or documents with, State or Territory privacy authorities; and

â?¢      providing for this Act to apply to State or Territory health authorities in relation to COVID app data.

This Part imposes on State or Territory health authorities the Act’s rules and privacy protections, and Commonwealth oversight, in relation to COVID app data, as Commonwealth property that those authorities receive.

This Part also cancels the effect of Australian laws that are inconsistent with the prohibitions in this Part.

94B   Object of this Part

                   The object of this Part is to assist in preventing and controlling the entry, emergence, establishment or spread of the coronavirus known as COVID-19 into Australia or any part of Australia by providing stronger privacy protections for COVID app data and COVIDSafe users in order to:

                     (a)  encourage public acceptance and uptake of COVIDSafe; and

                     (b)  enable faster and more effective contact tracing.

94C   Constitutional basis of this Part

Principal constitutional basis

             (1)  This Part relies on the Commonwealth’s legislative powers with respect to matters that are peculiarly adapted to the government of a nation and cannot otherwise be carried on for the benefit of the nation.

Additional operation of this Part

             (2)  In addition to subsection (1), this Part also has effect as provided by subsections (3) to (5).

             (3)  This Part also has effect as if a reference in this Part to COVID app data were expressly confined to a reference to COVID app data that was collected or generated for the purposes of quarantine (within the meaning of paragraph 51(ix) of the Constitution).

             (4)  This Part also has effect as if a reference in this Part to COVID app data were expressly confined to a reference to COVID app data that was collected or generated using a service of a kind to which paragraph 51(v) of the Constitution applies (postal, telegraphic, telephonic and other like services).

             (5)  This Part also has effect as if it were expressly confined to giving effect to Australia’s obligations under the International Covenant on Civil and Political Rights done at New York on 16 December 1966 ([1980] ATS 23), and in particular Article 17 of the Covenant, in relation to COVID app data.

Note:          The Covenant is set out in Australian Treaty Series 1980 No. 23 ([1980] ATS 23) and could in 2020 be viewed in the Australian Treaties Library on the AustLII website (www.austlii.edu.au).

Division 2 Offences relating to COVID app data and COVIDSafe

94D   Collection, use or disclosure of COVID app data

             (1)  A person commits an offence if:

                     (a)  the person collects, uses or discloses data; and

                     (b)  the data is COVID app data; and

                     (c)  the collection, use or disclosure is not permitted under this section.

Penalty:   Imprisonment for 5 years or 300 penalty unit s, or both.

             (2)  The collection, use or disclosure is permitted if:

                     (a)  the person is employed by, or in the service of, a State or Territory health authority, and the collection, use or disclosure is for the purpose of, and only to the extent required for the purpose of, undertaking contact tracing; or

                     (b)  the person is:

                              (i)  an officer or employee of the data store administrator; or

                             (ii)  a contracted service provider for a government contract with the data store administrator;

                            and the collection, use or disclosure is for the purpose of, and only to the extent required for the purpose of:

                            (iii)  enabling contact tracing by persons employed by, or in the service of, State or Territory health authorities; or

                            (iv)  ensuring the proper functioning, integrity or security of COVIDSafe or of the National COVIDSafe Data Store; or

                     (c)  in the case of a collection or disclosure of COVID app data—the collection or disclosure is for the purpose of, and only to the extent required for the purpose of:

                              (i)  transferring encrypted data between communication devices through COVIDSafe; or

                             (ii)  transferring encrypted data, through COVIDSafe, from a communication device to the National COVIDSafe Data Store; or

                     (d)  the collection, use or disclosure is for the purpose of, and only to the extent required for the purpose of, the Commissioner performing the functions or exercising the powers of the Commissioner under or in relation to this Part; or

                     (e)  the collection, use or disclosure is for the purpose of, and only to the extent required for the purpose of:

                              (i)  investigating whether this Part has been contravened; or

                             (ii)  prosecuting a person for an offence against this Part; or

                      (f)  in the case of a u se of COVID app data by the data store administrator—the use is for the purpose of, and only to the extent required for the purpose of, producing de-identified statistical information about the total number of registrations through COVIDSafe; or

                     (g)  in the case of a u se of COVID app data that the data store administrator is required by section 94L to delete—the use consists of access by the data store administrator for the purpose of, and only to the extent required for the purpose of, confirming that the correct data is being deleted.

             (3)  Subsection (1) does not apply to the collection of COVID app data if:

                     (a)  the collection of the COVID app data:

                              (i)  occurs as part of the collection, at the same time, of data that is not COVID app data ( non-COVID app data ); and

                             (ii)  is incidental to the collection of the non-COVID app data ; and

                     (b)  the collection of the non-COVID app data is permitted under an Australian law; and

                     (c)  the COVID app data:

                              (i)  is deleted as soon as practicable after the person becomes aware that it had been collected; and

                             (ii)  is not otherwise accessed, used or disclosed by the person after it was collected.

Note:          A defendant bears an evidential burden in relation to the matters in this subsection: see subsection 13.3(3) of the Criminal Code .

             (4)  The admissibility of the non-COVID app data as evidence in any proceedings is not affected by the incidental collection of the COVID app data, or by the subsequent deletion of the COVID app data as required by subparagraph (3)(c)(i).

             (5)  COVID app data is data relating to a person that:

                     (a)  has been collected or generated (including before the commencement of this Part) through the operation of COVIDSafe; and

                     (b)  either:

                              (i)  is registration data; or

                             (ii)  is stored, or has been stored (including before the commencement of this Part), on a communication device.

However, it does not include:

                     (c)  information obtained, from a source other than directly from the National COVIDSafe Data Store, in the course of undertaking contact tracing by a person employed by, or in the service of, a State or Territory health authority; or

                     (d)  de-identified statistical information about the total number of registrations through COVIDSafe that is produced by:

                              (i)  an officer or employee of the data store administrator; or

                             (ii)  a contracted service provider for a government contract with the data store administrator.

             (6)  Contact tracing is the process of identifying persons who have been in contact with a person who has tested positive for the coronavirus known as COVID-19, and includes:

                     (a)  notifying a person that the person has been in contact with a person who has tested positive for the coronavirus known as COVID-19; and

                     (b)  notifying a person who is a parent , guardian or carer of another person that the other person has been in contact with a person who has tested positive for the coronavirus known as COVID-19; and

                     (c)  providing information and advice to a person who:

                              (i)  has tested positive for the coronavirus known as COVID-19; or

                             (ii)  is a parent, guardian or carer of another person who has tested positive for the coronavirus known as COVID-19; or

                            (iii)  has been in contact with a person who has tested positive for the coronavirus known as COVID-19; or

                            (iv)  is a parent, guardian or carer of another person who has been in contact with a person who has tested positive for the coronavirus known as COVID-19.

94E   COVID app data on communication devices

                   A person commits an offence if:

                     (a)  the person uploads, or causes to be uploaded, data from a communication device to the National COVIDSafe Data Store; and

                     (b)  the data is COVID app data; and

                     (c)  consent to the upload has not been given by:

                              (i)  the COVIDSafe user in relation to that device; or

                             (ii)  if the COVIDSafe user is unable to give consent—a parent, guardian or carer of the COVIDSafe user; or

                            (iii)  if the COVIDSafe user has requested a parent, guardian or carer of the COVIDSafe user to act on the COVIDSafe user’s behalf—that parent, guardian or carer.

Penalty:  Imprisonment for 5 years or 300 penalty units, or both.

94F   COVID app data in the National COVIDSafe Data Store

             (1)  A person commits an offence if:

                     (a)  the person retains data on a database outside Australia; and

                     (b)  the data is COVID app data that has been uploaded from a communication device to the National COVIDSafe Data Store.

Penalty:  Imprisonment for 5 years or 300 penalty units, or both.

             (2)  A person commits an offence if:

                     (a)  the person discloses data to another person who is outside Australia; and

                     (b)  the data is COVID app data that has been uploaded from a communication device to the National COVIDSafe Data Store; and

                     (c)  the person is not a person who:

                              (i)  is employed by, or in the service of, a State or Territory health authority; and

                             (ii)  discloses the data for the purpose of, and only to the extent required for the purpose of, undertaking contact tracing.

Penalty:  Imprisonment for 5 years or 300 penalty units, or both.

94G   Decrypting COVID app data

                   A person commits an offence if:

                     (a)  the person decrypts encrypted data; and

                     (b)  the data is COVID app data that is stored on a communication device.

Penalty:  Imprisonment for 5 years or 300 penalty units, or both.

94H   Requiring the use of COVIDSafe

             (1)  A person commits an offence if the person requires another person to:

                     (a)  download COVIDSafe to a communication device; or

                     (b)  have COVIDSafe in operation on a communication device; or

                     (c)  consent to uploading COVID app data from a communication device to the National COVIDSafe Data Store.

Penalty:  Imprisonment for 5 years or 300 penalty units, or both.

             (2)  A person commits an offence if the person:

                     (a)  refuses to enter into, or continue, a contract or arrangement with another person (including a contract of employment); or

                     (b)  takes adverse action (within the meaning of the Fair Work Act 2009 ) against another person; or

                     (c)  refuses to allow another person to enter:

                              (i)  premises that are otherwise accessible to the public; or

                             (ii)  premises that the other person has a right to enter; or

                     (d)  refuses to allow another person to participate in an activity; or

                     (e)  refuses to receive goods or services from another person, or insists on providing less monetary consideration for the goods or services; or

                      (f)  refuses to provide goods or services to another person, or insists on receiving more monetary consideration for the goods or services;

on the ground that, or on grounds that include the ground that, the other person:

                     (g)  has not downloaded COVIDSafe to a communication device; or

                     (h)  does not have COVIDSafe in operation on a communication device; or

                      (i)  has not consented to uploading COVID app data from a communication device to the National COVIDSafe Data Store.

Penalty:  Imprisonment for 5 years or 300 penalty units, or both.

             (3)  To avoid doubt:

                     (a)  subsection (2) is a workplace law for the purposes of the Fair Work Act 2009 ; and

                     (b)  the benefit that the other person derives because of an obligation of the person under subsection (2) is a workplace right within the meaning of Part 3-1 of that Act.

94J   Extended geographical jurisdiction for offences

                   Section 15.1 (extended geographical jurisdiction—category A) of the Criminal Code applies to all offences against this Division.

Division 3 Other obligations relating to COVID app data and COVIDSafe

94K   COVID app data not to be retained

                   The data store administrator must take all reasonable steps to ensure that COVID app data is not retained on a communication device:

                     (a)  for more than 21 days; or

                     (b)  in any case in which it is not possible to comply with paragraph (a) within 21 days—for longer than the shortest practicable period.

94L   Deletion of registration data on request

             (1)  If the COVIDSafe user or former COVIDSafe user in relation to a communication device, or a parent, guardian or carer of that person, requests the data store administrator to delete any registration data of the person that has been uploaded from the device to the National COVIDSafe Data Store, the data store administrator:

                     (a)  must take all reasonable steps to delete the data from the National COVIDSafe Data Store as soon as practicable; and

                     (b)  if it is not practicable to delete the data immediately—must not use or disclose the data for any purpose.

             (2)  A request under subsection (1) may only be made by a parent, guardian or carer of the COVIDSafe user if:

                     (a)  the COVIDSafe user is unable to make a request under subsection (1); or

                     (b)  the COVIDSafe user has requested that parent, guardian or carer to act on the COVIDSafe user’s behalf.

             (3)  Subsection (1) does not:

                     (a)  prevent the data store administrator from accessing data for the purpose of, and only to the extent required for the purpose of, confirming that the correct data is being deleted; or

                     (b)  require the data store administrator to delete from the National COVIDSafe Data Store data relating to the person that:

                              (i)  was uploaded from another communication device in relation to which another person is a COVIDSafe user; and

                             (ii)  was collected through the other device interacting with the device mentioned in subsection (1).

             (4)  This section does not apply to data that is de-identified.

94M   Deletion of data received in error

                   A person who receives COVID app data in error must, as soon as practicable:

                     (a)  delete the data; and

                     (b)  notify the data store administrator that the person received the data.

94N   Effect of deletion of COVIDSafe from a communication device

             (1)  The data store administrator must not collect from a person, through a particular communication device, COVID app data relating to the person if the person is a former COVIDSafe user in relation to that device.

             (2)  A person is a former COVIDSafe user , in relation to a communication device, at a particular time if:

                     (a)  COVIDSafe has been deleted from the device in relation to which the person was the COVIDSafe user; and

                     (b)  after COVIDSafe was last deleted from that device—COVIDSafe has not been downloaded to that device.

94P   Obligations after the end of the COVIDSafe data period

             (1)  After the end of the day determined under subsection 94Y(1), the data store administrator must not:

                     (a)  collect any COVID app data; or

                     (b)  make COVIDSafe available to be downloaded.

             (2)  As soon as reasonably practicable after the end of the day determined under subsection 94Y(1), the data store administrator must delete all COVID app data from the National COVIDSafe Data Store.

             (3)  As soon as reasonably practicable after the deletion, the data store administrator must:

                     (a)  inform the Health Minister and the Commissioner that all COVID app data has been deleted from the National COVIDSafe Data Store; and

                     (b)  take all reasonable steps to inform all COVIDSafe users (other than former COVIDSafe users) in relation to communication devices that:

                              (i)  all COVID app data has been deleted from the National COVIDSafe Data Store; and

                             (ii)  COVID app data can no longer be collected; and

                            (iii)  they should delete COVIDSafe from their communication devices.

Division 4 Application of general privacy measures

94Q   COVID app data is taken to be personal information

                   COVID app data relating to an individual is taken, for the purposes of this Act, to be personal information about the individual.

94R   Breach of requirement is an interference with privacy

             (1)  An act or practice in breach of a requirement of this Part in relation to an individual constitutes an act or practice involving an interference with the privacy of the individual for the purposes of section 13.

Note:          The act or practice may be the subject of a complaint under section 36.

             (2)  Subsections 7(1A) and (1B) do not limit what is taken to be an act or practice for the purposes of subsection (1) of this section, or for the purposes of the application of this Act in relation to an interference with the privacy of an individual involving a breach of a requirement of this Part.

94S   Breach of requirement may be treated as an eligible data breach

             (1)  For the purposes of this Act, if:

                     (a)  the data store administrator; or

                     (b)  an officer or employee of the data store administrator; or

                     (c)  a contracted service provider for a government contract with the data store administrator;

breaches a requirement of this Part in relation to COVID app data:

                     (d)  the breach is taken to be an eligible data breach by the data store administrator; and

                     (e)  an individual to whom the data relates is taken to be at risk from the eligible data breach.

             (2)  For the purposes of this Act, if:

                     (a)  a State or Territory health authority; or

                     (b)  person employed by, or in the service of, the State or Territory health authority;

breaches a requirement of this Part in relation to COVID app data:

                     (c)  the breach is taken to be an eligible data breach by the State or Territory health authority; and

                     (d)  an individual to whom the data relates is taken to be at risk from the eligible data breach.

             (3)  Part IIIC applies in relation to such a breach as if:

                     (a)  subsection 26WE(3) and sections 26WF, 26WH and 26WJ did not apply in relation to the breach; and

                     (b)  Subdivision B of Division 3 of that Part:

                              (i)  required the data store administrator, or State or Territory health authority, to notify the Commissioner that there were reason able grounds to believe that there had been an eligible data breach; and

                             (ii)  only required compliance with sections 26WK and 26WL in relation to the breach if the Commissioner required the administrator or authority so to comply; and

                     (c)  sections 26WN, 26WP, 26WQ, 26WS and 26WT did not apply in relation to the breach.

             (4)  Without limiting the circumstances in which the Commissioner may, under subparagraph (3)(b)(ii), require the administrator or authority so to comply, the Commissioner must so require if:

                     (a)  the Commissioner is satisfied that the breach may be likely to result in serious harm to any of the individuals to whom the information relates; and

                     (b)  subsection (5) does not apply.

             (5)  The Commissioner may decide not to require compliance, or to allow an extended period for compliance, if the Commissioner is satisfied on reasonable grounds that requiring compliance, or requiring compliance within the ordinary period for compliance, would not be reasonable in the circumstances, having regard to the following:

                     (a)  the public interest;

                     (b)  any relevant advice given to the Commissioner by:

                              (i)  an enforcement body; or

                             (ii)  the Australian Signals Directorate;

                     (c)  such other matters (if any) as the Commissioner considers relevant.

             (6)  Paragraph (5)(b) does not limit the advice to which the Commissioner may have regard.

94T   Commissioner may conduct an assessment relating to COVID app data

             (1)  The Commissioner’s power under section 33C to conduct an assessment includes the power to conduct an assessment of whether the acts or practices of an entity or a State or Territory authority in relation to COVID app data comply with this Part.

             (2)  Without limiting subsection 33C(2), if:

                     (a)  the Commissioner is conducting under that subsection an assessment of a matter of a kind mentioned in subsection (1) of this section; and

                     (b)  the Commissioner has reason to believe that an entity or a State or Territory authority being assessed has information or a document relevant to the assessment;

the Commissioner may, by writt en notice, require the entity or authority to give the information or produce the document within the period specified in the notice, which must not be less than 14 days after the notice is given to the entity or authority.

Note:          For a failure to give information etc., see section 66.

94U   Investigation under section 40 to cease if COVID data offence may have been committed

             (1)  This section applies if, in the course of an investigation under section 40, the Commissioner forms the opinion that:

                     (a)  an offence against Division 2 of this Part; or

                     (b)  an offence against section 6 of the Crimes Act 1914 , or section 11.1, 11.2, 11.4 or 11.5 of the Criminal Code , being an offence that relates to an offence against that Division;

may have been committed.

             (2)  The Commissioner must:

                     (a)  inform the Commissioner of Police or the Director of Public Prosecutions of that opinion; and

                     (b)  in the case of an investigation under subsection 40(1), give a copy of the complaint to the Commissioner of Police or the Director of Public Prosecutions, as the case may be; and

                     (c)  subject to subsection (5) of this section, discontinue the investigation except to the extent that it concerns matters unconnected with the offence that the Commissioner believes may have been committed.

             (3)  If the Commissioner of Police or the Director of Public Prosecutions:

                     (a)  has been informed of the Commissioner’s opinion under paragraph (2)(a); and

                     (b)  decides that the matter will not be, or will no longer be, the subject of proceedings for an offence;

the Commissioner of Police or the Director of Public Prosecutions, as the case requires, must give a written notice to that effect to the Commissioner.

             (4)  If the Commissioner of Police or the Director of Public Prosecutions:

                     (a)  has been informed of the Commissioner’s opinion under paragraph (2)(a); and

                     (b)  is satisfied that an investigation relating to the matter, or proceedings for an offence relating to the matter, will not be jeopardised, or otherwise affected, by continuation of the Commissioner’s investigation;

the Commissioner of Police or the Director of Public Prosecutions, as the case requires, may give a written notice to that effect to the Commissioner.

             (5)  Upon receiving notice under subsection (3) or (4) the Commissioner may continue the investigation discontinued under paragraph (2)(c).

94V   Referring COVID data matters to State or Territory privacy authorities

             (1)  If:

                     (a)  a complaint has been made under section 36 about an act or practice that may involve a breach of a requirement of this Part; and

                     (b)  before the Commissioner commences, or after the Commissioner has commenced, to investigate the matter, the Commissioner forms the opinion that:

                              (i)  the complainant has made, or could have made, a complaint relating to that matter to a State or Territory privacy authority; and

                             (ii)  that matter could be more conveniently or effectively dealt with by that State or Territory authority;

the Commissioner may decide not to investigate the matter, or not to investigate the matter further.

             (2)  If the Commissioner so decides, the Commissioner must:

                     (a)  transfer the complaint to that State or Territory authority; and

                     (b)  give notice in writing to the complainant stating that the complaint has been so transferred; and

                     (c)  give to that State or Territory authority any information or documents that relate to the complaint and are in the possession, or under the control, of the Commissioner.

             (3)  A complaint transferred under subsection (2) is taken, for the purposes of this Act, to have been made to that State or Territory authority.

94W   Commissioner may share information with State or Territory privacy authorities

             (1)  Subject to subsection (2), the Commissioner may share information or documents with a State or Territory privacy authority:

                     (a)  for the purpose of the Commissioner exercising powers, or performing functions or duties under this Act in relation to the requirements of this Part; or

                     (b)  for the purpose of the State or Territory privacy authority exercising its powers, or performing its functions or duties.

             (2)  The Commissioner may only share information or documents with a State or Territory privacy authority under this section if:

                     (a)  the information or documents were acquired by the Commissioner in the course of exercising powers, or performing functions or duties, under this Act; and

                     (b)  the Commissioner is satisfied on reasonable grounds that the State or Territory privacy authority has satisfactory arrangements in place for protecting the information or documents.

             (3)  To avoid doubt, the Commissioner may share information or documents with a State or Territory privacy authority under this section whether or not the Commissioner is transferring a complaint or part of a complaint to the authority.

94X   Application to State or Territory health authorities

             (1)  This Act applies in relation to a State or Territory health authority, as if the authority were an organisation, to the extent that the authority deals with, or the activities of the authority relate to, COVID app data.

             (2)  However, subsection (1) does not, in relation to a State or Territory health authority:

                     (a)  have the effect of applying Australian Privacy Principle 9 in relation to a government related identifier that has been assigned by that State or Territory or by a State or Territory authority of that State or Territory; or

                     (b)  have the effect of applying this Act in relation to data or information that is not COVID app data.

Division 5 Miscellaneous

94Y   Determining the end of the COVIDSafe data period

             (1)  Subject to subsection (2), the Health Minister must, by notifiable instrument, determine a day if the Health Minister is satisfied that, by that day, use of COVIDSafe:

                     (a)  is no longer required to prevent or control; or

                     (b)  is no longer likely to be effective in preventing or controlling;

the entry, emergence, establishment or spread of the coronavirus known as COVID-19 into Australia or any part of Australia.

             (2)  The Health Minister must not make a determination under subsection (1) unless the Health Minister has consulted, or considered recommendations from, the Commonwealth Chief Medical Officer or the Australian Health Protection Principal Committee.

             (3)  The Commonwealth Chief Medical Officer or the Australian Health Protection Principal Committee may recommend to the Health Minister that the Health Minister make a determination under subsection (1).

94Z   Agencies may be determined to be data store administrator

             (1)  The Secretary of the Health Department may, by notifiable instrument, determine that a particular agency is the data store administrator for the purposes of one or more provisions of this Part specified in the determination.

             (2)  The determination may limit the extent to which the agency is the data store administrator for those purposes.

             (3)  The Secretary of the Health Department must not determine under subsection (1) that any of the following is the data store administrator:

                     (a)  an enforcement body mentioned in paragraph (a) to (ea) of the definition of enforcement body in subsection 6(1);

                     (b)  an intelligence agency;

                     (c)  the Australian Geospatial-Intelligence Organisation;

                     (d)  the Defence Intelligence Organisation.

94ZA   Reports on operation and effectiveness of COVIDSafe and the National COVIDSafe Data Store

             (1)  The Health Minister must, as soon as practicable after:

                     (a)  the end of the 6 month period starting on the commencement of this Part; and

                     (b)  the end of each subsequent 6 month period (if any) starting on or before the day determined under subsection 94Y(1);

cause a report to be prepared on the operation and effectiveness of COVIDSafe and the National COVIDSafe Data Store during that 6 month period.

Note:          Section 94D prevents the inclusion of COVID app data in the report. It would not be a permitted collection, use or disclosure under subsection 94D(2).

             (2)  If the day determined under subsection 94Y(1) occurs during the 6 month period starting on the commencement of this Part, the report under subsection (1) of this section relating to that period must be prepared within 3 months after that day.

             (3)  The Health Minister must cause copies of a report prepared under subsection (1) to be laid before each House of the Parliament within 15 sitting days of that House after the completion of the preparation of the report.

94ZB   Reports by the Commissioner

             (1)  The Commissioner must, as soon as practicable after:

                     (a)  the end of the 6 month period starting on the commencement of this Part; and

                     (b)  the end of each subsequent 6 month period (if any) starting on or before the day determined under subsection 94Y(1);

cause a report to be prepared on the performance of the Commissioner’s functions, and the exercise of the Commissioner’s powers, under or in relation to this Part during the period.

Note:          Section 94D prevents the inclusion of COVID app data in the report. It would not be a permitted collection, use or disclosure under subsection 94D(2).

             (2)  If the day determined under subsection 94Y(1) occurs during the 6 month period starting on the commencement of this Part, the report under subsection (1) of this section relating to that period must be prepared within 3 months after that day.

             (3)  The Commissioner must publish a report prepared under subsection (1) on the Commissioner’s website.

             (4)  This section does not affect the matters that section 30 of the Australian Information Commissioner Act 2010 requires the Commissioner to include in an annual report.

94ZC   COVID app data remains property of the Commonwealth

                   COVID app data is the property of the Commonwealth, and remains the property of the Commonwealth even after it is disclosed to, or used by:

                     (a)  a State or Territory health authority; or

                     (b)  any other person or body (other than the Commonwealth or an authority of the Commonwealth).

94ZD   Operation of other laws

             (1)  This section cancels the effect of a provision of any Australian law (other than this Part) that, but for this section, would have the effect of permitting or requiring conduct, or an omission to act, that would otherwise be prohibited under this Part.

             (2)  However, the cancellation does not apply to a provision of an Act if the provision:

                     (a)  commences after this Part commences; and

                     (b)  expressly permits or requires the conduct or omission despite the provisions of this Part.

There have been a number of proposed amendments, from the Greens and the Centre Alliance. They are:

  • from Nick McKim:

(1)     Schedule 1, item 1, page 4 (line 6), at the end of the definition of registration data , add “, and includes the person’s phone number”.

[registration data]

(2)     Schedule  1 , item  2 , page 11 (line 3) , before “ A person ”, insert “ (1) ”.

[decrypting data store]

(3)     Schedule  1 , item  2 , page 11 (after line 7) , at the end of section  94G , add:

             (2)  A person commits an offence if:

                     (a)  the person decrypts encrypted data; and

                     (b)  the data is COVID app data that is stored on the National COVIDSafe Data Store; and

                     (c)  the decrypting of the data is not for the purpose of, and only to the extent required for the purpose of, undertaking contact tracing.

Penalty:   Imprisonment for 5 years or 300 penalty unit s, or both.

[decrypting data store]

(4)     Schedule 1, item 2, page 11 (after line 13), after paragraph 94H(1)(b), insert:

                   (ba)  show whether or not the other person has COVIDSafe downloaded or in operation on a communication device; or

[additional COVIDsafe offence]

( 5 )     Schedule  1 , item  2 , page 15 (before line 14) , before subsection  94R ( 2 ), insert:

          (1A)  An act or practice in breach of a requirement of the Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements—Public Health Contact Information) Determination 2020 in relation to an individual, which occurs before the commencement of this Part, constitutes an act or practice involving an interference with the privacy of the individual for the purposes of section 13.

Note:          The act or practice may be the subject of a complaint under section 36.

[breach of biosecurity determination]

( 6 )     Schedule  1 , item  2 , page 15 (line 15) , after “ subsection (1) ”, insert “ or (1A) ”.

[breach of biosecurity determination]

(7)     Schedule 1, item 2, page 15 (line 18), at the end of subsection 94R(2), add “or the determination referred to in subsection (1A)”.

[breach of biosecurity determination]

  • by the Centre Alliance and Greens

(1)     Schedule 1, item 2, page 12 (after line 16), at the end of section 94H, add:

             (4)  A person commits an offence if the person engag es in conduct that is intended to coerce another person (including by physical intimidation or imposing a financial disadvantage) into doing any or all of the following:

                              (i)  downloading COVIDSafe to a communication device;

                             (ii)  having COVIDSafe in operation on a communication device;

                            (iii)  consenting to uploading COVID app data from a communication device to the National COVIDSafe Data Store.

Penalty:   Imprisonment for 5 years or 300 penalty unit s, or both.

[additional coercion offence]

(2)     Schedule 1, item 2, page 15 (after line 3), at the end of section 94P, add:

Commissioner to assess compliance with deletion obligations

             (4)  The Commissioner must:

                     (a)  conduct an assessment of the data store administrator’s compliance with the obligations in this section, to verify that all COVID app data from the National COVIDSafe Data Store has been deleted; and

                     (b)  as soon as practicable after completing the assessment, prepare and give to the Health Minister a writt en report of the assessment.

             (5)  The Health Minister must table a copy of the report in each House of Parliament within 15 sitting days after the Commissioner gives a copy of the report to the Minister.

             (6)  The data store administrator must provide the Commissioner with any assistance reasonably required to conduct the assessment. This section does not limit the Commissioner’s other powers under this Act.

[verifying deletion]

( 3 )     Schedule  1 , item  2 , page 20 (line 27) , omit “ subsection (2) ”, substitute “ subsections (2) and (4) ”.

[end of COVIDsafe data period]

( 4 )     Schedule  1 , item  2 , page 2 1 (after line 11) , at the end of section  94Y , add:

COVIDSafe data period ends if human biosecurity emergency ceases

             (4)  Despite subsections (1) and (2), if:

                     (a)  the Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) Declaration 2020 ceases to be in force on a day (the emergency declaration expiry day ); and

                     (b)  the Health Minister:

                              (i)  has not already determined a day under subsection (1); or

                             (ii)  has determined a day under subsection (1) that is later than the emergency declaration expiry day;

the Health Minister is taken to have determined the emergency declaration expiry day as the day under subsection (1).

Note:          The Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) Declaration 2020 is made under section 475 of the Biosecurity Act 2015. The period for which the declaration is in force can be extended under section 476 of that Act.

[end of COVIDsafe data period]

(5)     Schedule  1 , item  2 , page 21 (line 30) , omit “ 6 month period ”, substitute “ 3 month period ”.

[reporting period]

(6)     Schedule  1 , item  2 , page 21 (line 32) , omit “ 6 month period ”, substitute “ 3 month period ”.

[reporting period]

(7)     Schedule  1 , item  2 , page 22 (lines 2 to 3) , omit “ 6 month period ”, substitute “ 3 month period ”.

[reporting period]

(8)     Schedule  1 , item  2 , page 22 (lines 7 to 8) , omit “ 6 month period ”, substitute “ 3 month period ”.

[reporting period]

(9)     Schedule  1 , item  2 , page 22 (line 10) , omit “3 months ”, substitute “1 month ”.

[reporting period]

(10)   Schedule  1 , item  2 , page 22 (line 17) , omit “ 6 month period ”, substitute “ 3 month period ”.

[reporting period]

( 11 )   Schedule  1 , item  2 , page 22 (line 19) , omit “ 6 month period ”, substitute “ 3 month period ”.

[reporting period]

( 12 )   Schedule  1 , item  2 , page 22 (lines 27 to 28) , omit “ 6 month period ”, substitute “ 3 month period ”.

[reporting period]

( 13 )   Schedule  1 , item  2 , page 22 (line 30) , omit “3 months”, substitute “1 month ”.

[reporting period]

  • by Centre Alliance:

( 1 )     Schedule  1 , item  2 , page 11 (after line 1) , at the end of section  94F , add:

             (3)  A person commits an offence if:

                     (a)  the person copies data from the National COVIDSafe Data Store; and

                     (b)  the copied data is transferred to a database outside Australia or to another person who is outside Australia.

Penalty:   Imprisonment for 5 years or 300 penalty unit s, or both.

[additional data store offence]

( 2 )     Schedule  1 , item  2 , page 17 (line 24) , omit “ to cease if ”, substitute “ where ”.

[continued investigations]

( 3 )     Schedule  1 , item  2 , page 18 (line 6) , omit “ subsection (5) ”, substitute “ subsections (4) and (7) ”.

[continued investigations]

( 4 )     Schedule  1 , item  2 , page 18 (lines 10 to 32) , omit subsections  94U ( 3 ) to ( 5 ), substitute:

             (3)  If the Commissioner of Police or the Director of Public Prosecutions:

                     (a)  has been informed of the Commissioner’s opinion under paragraph (2)(a); and

                     (b)  is satisfied that an investigation relating to the matter, or proceedings for an offence relating to the matter, will be jeopardised, or otherwise affected, by continuation of the Commissioner’s investigation;

the Commissioner of Police or the Director of Public Prosecutions, as the case requires, must give a writt en notice to that effect to the Commissioner.

             (4)  If the Commissioner has not received a notice under subsection (3) within 14 days of informing the Commissioner of Police or the Director of Public Prosecutions of the Commissioner’s opinion under paragraph (2)(a), the Commissioner may continue the investigation discontinued under paragraph (2)(c).

             (5)  However, if the Commissioner receives a notice under subsection (3) after that 14 day period, the Commissioner must discontinue the investigation upon receiving the notice.

             (6)  If the Commissioner of Police or the Director of Public Prosecutions:

                     (a)  has given a notice under subsection (3); and

                     (b)  is satisfied that an investigation relating to the matter, or proceedings for an offence relating to the matter, will no longer be jeopardised, or otherwise affected, by continuation of the Commissioner’s investigation;

the Commissioner of Police or the Director of Public Prosecutions, as the case requires, must give a written notice to that effect to the Commissioner.

             (7)  Upon receiving a notice under subsection (6), the Commissioner may continue the investigation discontinued under paragraph (2)(c) or subsection (5).

There are amendments and probably improvements to the Bill that has passed the House of Representatives. It will be interesting to see if the amendments proposed by the Centre Alliance and the Greens are accepted.  The amendments are:

1)     Schedule 1, item 1, page 4 (line 6), at the end of the definition of registration data , add “, and includes the person’s phone number”.

[registration data]

(2)     Schedule  1 , item  2 , page 11 (line 3) , before “ A person ”, insert “ (1) ”.

[decrypting data store]

(3)     Schedule  1 , item  2 , page 11 (after line 7) , at the end of section  94G , add:

             (2)  A person commits an offence if:

                     (a)  the person decrypts encrypted data; and

                     (b)  the data is COVID app data that is stored on the National COVIDSafe Data Store; and

                     (c)  the decrypting of the data is not for the purpose of, and only to the extent required for the purpose of, undertaking contact tracing.

Penalty:   Imprisonment for 5 years or 300 penalty unit s, or both.

[decrypting data store]

(4)     Schedule 1, item 2, page 11 (after line 13), after paragraph 94H(1)(b), insert:

                   (ba)  show whether or not the other person has COVIDSafe downloaded or in operation on a communication device; or

[additional COVIDsafe offence]

( 5 )     Schedule  1 , item  2 , page 15 (before line 14) , before subsection  94R ( 2 ), insert:

          (1A)  An act or practice in breach of a requirement of the Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements—Public Health Contact Information) Determination 2020 in relation to an individual, which occurs before the commencement of this Part, constitutes an act or practice involving an interference with the privacy of the individual for the purposes of section 13.

Note:          The act or practice may be the subject of a complaint under section 36.

[breach of biosecurity determination]

( 6 )     Schedule  1 , item  2 , page 15 (line 15) , after “ subsection (1) ”, insert “ or (1A) ”.

[breach of biosecurity determination]

(7)     Schedule 1, item 2, page 15 (line 18), at the end of subsection 94R(2), add “or the determination referred to in subsection (1A)”.

[breach of biosecurity determination]

  • By Senator McKim and Senator Rex Patrick are:

1)     Schedule 1, item 2, page 12 (after line 16), at the end of section 94H, add:

             (4)  A person commits an offence if the person engag es in conduct that is intended to coerce another person (including by physical intimidation or imposing a financial disadvantage) into doing any or all of the following:

                              (i)  downloading COVIDSafe to a communication device;

                             (ii)  having COVIDSafe in operation on a communication device;

                            (iii)  consenting to uploading COVID app data from a communication device to the National COVIDSafe Data Store.

Penalty:   Imprisonment for 5 years or 300 penalty unit s, or both.

[additional coercion offence]

(2)     Schedule 1, item 2, page 15 (after line 3), at the end of section 94P, add:

Commissioner to assess compliance with deletion obligations

             (4)  The Commissioner must:

                     (a)  conduct an assessment of the data store administrator’s compliance with the obligations in this section, to verify that all COVID app data from the National COVIDSafe Data Store has been deleted; and

                     (b)  as soon as practicable after completing the assessment, prepare and give to the Health Minister a writt en report of the assessment.

             (5)  The Health Minister must table a copy of the report in each House of Parliament within 15 sitting days after the Commissioner gives a copy of the report to the Minister.

             (6)  The data store administrator must provide the Commissioner with any assistance reasonably required to conduct the assessment. This section does not limit the Commissioner’s other powers under this Act.

[verifying deletion]

( 3 )     Schedule  1 , item  2 , page 20 (line 27) , omit “ subsection (2) ”, substitute “ subsections (2) and (4) ”.

[end of COVIDsafe data period]

( 4 )     Schedule  1 , item  2 , page 2 1 (after line 11) , at the end of section  94Y , add:

COVIDSafe data period ends if human biosecurity emergency ceases

             (4)  Despite subsections (1) and (2), if:

                     (a)  the Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) Declaration 2020 ceases to be in force on a day (the emergency declaration expiry day ); and

                     (b)  the Health Minister:

                              (i)  has not already determined a day under subsection (1); or

                             (ii)  has determined a day under subsection (1) that is later than the emergency declaration expiry day;

the Health Minister is taken to have determined the emergency declaration expiry day as the day under subsection (1).

Note:          The Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) Declaration 2020 is made under section 475 of the Biosecurity Act 2015. The period for which the declaration is in force can be extended under section 476 of that Act.

[end of COVIDsafe data period]

(5)     Schedule  1 , item  2 , page 21 (line 30) , omit “ 6 month period ”, substitute “ 3 month period ”.

[reporting period]

(6)     Schedule  1 , item  2 , page 21 (line 32) , omit “ 6 month period ”, substitute “ 3 month period ”.

[reporting period]

(7)     Schedule  1 , item  2 , page 22 (lines 2 to 3) , omit “ 6 month period ”, substitute “ 3 month period ”.

[reporting period]

(8)     Schedule  1 , item  2 , page 22 (lines 7 to 8) , omit “ 6 month period ”, substitute “ 3 month period ”.

[reporting period]

(9)     Schedule  1 , item  2 , page 22 (line 10) , omit “3 months ”, substitute “1 month ”.

[reporting period]

(10)   Schedule  1 , item  2 , page 22 (line 17) , omit “ 6 month period ”, substitute “ 3 month period ”.

[reporting period]

( 11 )   Schedule  1 , item  2 , page 22 (line 19) , omit “ 6 month period ”, substitute “ 3 month period ”.

[reporting period]

( 12 )   Schedule  1 , item  2 , page 22 (lines 27 to 28) , omit “ 6 month period ”, substitute “ 3 month period ”.

[reporting period]

( 13 )   Schedule  1 , item  2 , page 22 (line 30) , omit “3 months”, substitute “1 month ”.

[reporting period]

  • by Senator Rex Patrick are:

( 1 )     Schedule  1 , item  2 , page 11 (after line 1) , at the end of section  94F , add:

             (3)  A person commits an offence if:

                     (a)  the person copies data from the National COVIDSafe Data Store; and

                     (b)  the copied data is transferred to a database outside Australia or to another person who is outside Australia.

Penalty:   Imprisonment for 5 years or 300 penalty unit s, or both.

[additional data store offence]

( 2 )     Schedule  1 , item  2 , page 17 (line 24) , omit “ to cease if ”, substitute “ where ”.

[continued investigations]

( 3 )     Schedule  1 , item  2 , page 18 (line 6) , omit “ subsection (5) ”, substitute “ subsections (4) and (7) ”.

[continued investigations]

( 4 )     Schedule  1 , item  2 , page 18 (lines 10 to 32) , omit subsections  94U ( 3 ) to ( 5 ), substitute:

             (3)  If the Commissioner of Police or the Director of Public Prosecutions:

                     (a)  has been informed of the Commissioner’s opinion under paragraph (2)(a); and

                     (b)  is satisfied that an investigation relating to the matter, or proceedings for an offence relating to the matter, will be jeopardised, or otherwise affected, by continuation of the Commissioner’s investigation;

the Commissioner of Police or the Director of Public Prosecutions, as the case requires, must give a writt en notice to that effect to the Commissioner.

             (4)  If the Commissioner has not received a notice under subsection (3) within 14 days of informing the Commissioner of Police or the Director of Public Prosecutions of the Commissioner’s opinion under paragraph (2)(a), the Commissioner may continue the investigation discontinued under paragraph (2)(c).

             (5)  However, if the Commissioner receives a notice under subsection (3) after that 14 day period, the Commissioner must discontinue the investigation upon receiving the notice.

             (6)  If the Commissioner of Police or the Director of Public Prosecutions:

                     (a)  has given a notice under subsection (3); and

                     (b)  is satisfied that an investigation relating to the matter, or proceedings for an offence relating to the matter, will no longer be jeopardised, or otherwise affected, by continuation of the Commissioner’s investigation;

the Commissioner of Police or the Director of Public Prosecutions, as the case requires, must give a written notice to that effect to the Commissioner.

             (7)  Upon receiving a notice under subsection (6), the Commissioner may continue the investigation discontinued under paragraph (2)(c) or subsection (5).

[continued investigations]

The Attorney General’s Second Reading Speech provides:

The Privacy Amendment (Public Health Contact Information) Bill 2020 will ensure that there are strong ongoing privacy protections to support the download, use and eventual decommission of the Australian government’s COVIDSafe app.

At release, COVIDSafe was supported by interim privacy protections contained in the Minister for Health’s determination under the Biosecurity Act 2015. Building on this, the purpose of this bill is to enshrine the privacy protections in the determination into primary legislation by inserting a new part into the Privacy Act 1988, give the Australian Information Commissioner oversight of COVIDSafe app data and introduce additional provisions that clarify protections in the determination.

The bill guarantees that the Australian public can have confidence that their privacy will be protected if they download and use COVIDSafe. An increase in the uptake of COVIDSafe will help states and territories trace outbreaks and combat the spread of COVID-19.

Background

To understand the bill’s privacy protections, it is first crucial to understand how COVIDSafe operates and handles personal information. You will see that strong privacy protections have been built into the design of COVIDSafe as it requires users to provide the minimum amount of information required to contact trace which is encrypted until it is required by health officials.

COVIDSafe is a voluntary app developed by the Australian government that was launched on 26 April 2020. COVIDSafe can be installed on Android and iOS personal devices to collect information to assist state and territory health officials when they conduct contact tracing to combat the spread of COVID-19.

When a person downloads COVIDSafe, they are asked to register by entering a limited amount of personal information: a name or pseudonym, an age range, a mobile phone number and a postcode. Once verified by text message, this information is then uploaded in an encrypted form to the National COVIDSafe Data Store.

Once a user has registered, COVIDSafe works by using bluetooth signals to record encrypted data about close contacts with other users and stores this locally on their device. If this data is not uploaded to the National COVIDSafe Data Store, it is deleted on a rolling 21-day basis. Unlike manual contact tracing, COVIDSafe can record close contacts who are not known to the user—for example, people who sit near another user on the bus, at an event or in line at the supermarket. When a COVIDSafe user tests positive for COVID-19, they will be contacted by a health official in their state or territory as part of the usual contact tracing process. When making contact, the health official will then ask the person if they use COVIDSafe. If they do, the health official will send them a code by text message to enter in the app. If the code is entered, the user consents to uploading the encrypted data about their close contacts to the National COVIDSafe Data Store.

Once information about close contacts is uploaded, state and territory contact tracers can access this information to notify the positive user’s close contacts that they may have been exposed to the coronavirus. From this point, contact tracers will inform people at risk of COVID-19 that they have been exposed without identifying the infected app user. Contact tracers will step people at risk through what to do next, such as getting tested or self-isolating.

COVIDSafe, therefore, has the potential to significantly speed up existing manual contact-tracing processes, and in turn could accelerate the pace at which governments can ease restrictions while still keeping Australians safe.

Biosecurity declaration

The Australian public must have confidence that COVIDSafe protects their privacy for it to be used and highly effective in combating the spread of COVID-19. To this end, the Minister for Health, the Hon. Greg Hunt, made a determination under the Biosecurity Act on 25 April 2020—before the COVIDSafe launch. This determination provided strong interim privacy protections for data collected through COVIDSafe prior to the passage of this bill.

The determination contains provisions that:

ensure that data from COVIDSafe is only used to support state and territory health authorities’ contact-tracing efforts, and only to the extent required to do so,

require that users must consent before data from their device can be uploaded to the National COVIDSafe Data Store,

prevent data from COVIDSafe being retained outside of Australia, and protect against unauthorised disclosure outside of Australia,

require all COVIDSafe data held in the National COVIDSafe Data Store to be deleted at the end of the COVID-19 pandemic,

protect against decryption of COVIDSafe data stored on users’ devices, and

provide that no-one can be forced to download or use COVIDSafe or upload their data to the National COVIDSafe Data Store.

Finally, the determination created criminal offences for the breach of the above requirements, with a maximum penalty of five years imprisonment.

Enshrining the determination

The Australian government has now developed this bill to enshrine the COVIDSafe privacy protections in the determination in primary legislation.

The protections in the bill will apply to all COVIDSafe data from the point at which the bill commences, even if that data was created before the bill commenced. Until the bill is passed, the determination will continue to apply to the handling of COVIDSafe app data.

The bill will also override the effect of any previously enacted laws under section 94ZD. This means that the bill will apply in place of any other laws that may apply, including the determination, once it passes into law. At that point, those handling COVIDSafe app data will have a single legislative reference, being the Commonwealth Privacy Act.

Criminal offences under the bill

While I do not plan to address those areas of the bill which directly replicate the determination, I will note that key criminal offences from the determination continue to apply, and remain subject to the same penalties, being imprisonment for five years, a fine of 300 penalty units ($63,000), or both. These are, of course, the maximum penalties that could be applied and are reserved for the most serious types of offending. The offences to which they would relate include:

unauthorised collection, or use or disclosure of, COVIDSafe app data (section 94D),

uploading COVIDSafe app data to the National COVIDSafe Data Store without the consent of the individual to whom the data relates (section 94E),

storing the National COVIDSafe Data Store outside Australia (section 94F),

disclosing COVIDSafe app data outside Australia (except in the case of a disclosure by a state or territory health authority that is necessary for contact-tracing purposes, such as where a user who needs to be contacted is outside Australia) (section 94F),

uploading COVIDSafe app data from a mobile device to the National COVIDSafe Data Store without consent (while allowing for cases where a parent, guardian or carer uses COVIDSafe on an individual’s behalf) (section 94H),

decrypting COVIDSafe app data stored on a mobile device (section 94G), and

requiring a person to use the COVIDSafe app (section 94H).

Committing criminal offences will breach the Privacy Act

The bill ensures oversight of COVIDSafe app data by the Australian Information Commissioner. The offences under the bill will also be breaches of the Privacy Act in certain circumstances. Therefore, (under section 94R) if a person commits an offence under the bill and that person is either already required to comply with the Privacy Act or is a state or territory health authority handling COVIDSafe app data, then the person’s conduct will also breach the Privacy Act.

This gives individuals affected by the breach more options for enforcement because they will have the option to make a complaint to the commissioner in addition to being able to report the matter to law enforcement.

Broader application of the Privacy Act

The bill will go further than the determination by ensuring that COVIDSafe app data must also be treated as ‘personal information’ under the Privacy Act, by virtue of section 94Q. This automatically applies a range of existing Privacy Act protections to COVIDSafe app data, including privacy policy, notification, and security obligations. The commissioner will be able to undertake a formal assessment of whether an entity subject to the Privacy Act, or a state or territory health authority handling COVIDSafe app data, is complying with the requirements in this bill.

The commissioner will also have discretion to refer matters that may constitute a breach of a state or territory privacy law to the responsible state or territory privacy regulator.

There is also an additional requirement that the commissioner provide regular public reports on the performance and exercise of her new powers and functions under part VIIIA.

Application of Notifiable Data Breaches Scheme

The bill applies the existing Notifiable Data Breaches Scheme to COVIDSafe app data under section 94S. The bill requires the administrator of the National COVIDSafe Data Store, or a state or territory health authority handling COVIDSafe app data, to notify the commissioner of any data breach involving COVIDSafe app data. The commissioner will then have the power to require the breach to be notified to affected individuals.

The notification requirement would be automatic in the event of a data breach, which is much stronger than the protection in the Privacy Act’s existing data breach notification requirements.

Summary of further differences between the bill and determination

It should be noted that the bill also includes new clauses which:

provide limited exemptions to the offence of requiring someone to use COVIDSafe to preserve an individual’s ability to limit access to their private home,

ensure that no further data can be collected from former COVIDSafe users,

introduce and define the term ‘data store administrator’,

outline the process for all COVIDSafe data to be deleted at the end of the COVID-19 pandemic,

create reporting requirements, and

outline the process for repeal of the bill.

I will now outline why these changes have been made.

Requiring the use of COVIDSafe

The prohibition on requiring a person to use the COVIDSafe app has been clarified under section 94H. A person will not be liable for this offence if they require a person to use COVIDSafe before entering their private residence, reflecting the normal expectation that a person is generally free to deny another person access to their home for any reason. However, this exemption is limited and would not apply to other situations covered by the offence involving a commercial relationship, such as a landlord-tenant relationship, a share house relationship or an employment relationship.

Protections for former COVIDSafe users

Section 94N is a new provision that guarantees that COVIDSafe will not be used to collect any further data from people who have chosen to delete the app. Section 94N provides that, if a user re-registers for the app, data collection can resume. This protection provides further assurance that a user’s consent is central to COVIDSafe data collection.

Administration of the National COVIDSafe Data Store

With regard to administration of the National COVIDSafe Data Store, the bill designates the Australian Department of Health as the administrator of the National COVIDSafe Data Store and allows it to delegate some or all of these functions to certain Commonwealth government agencies under the proposed section 94Z. The Department of Health must make that delegation via a ‘notifiable instrument’, meaning the delegation will always be announced publicly. Importantly, an enforcement body or intelligence agency cannot be designated as the data store administrator.

Currently, the Digital Transformation Agency (DTA) is responsible for technical administration of COVIDSafe and the National COVIDSafe Data Store, in consultation with the Department of Health. When the bill comes into law, the Department of Health will formally delegate some of its administrator functions to the DTA to reflect this arrangement. If the Department of Health later delegates these functions to another agency, Health will need to publicly announce that fact via notifiable instrument.

Deleting the National COVIDSafe Data Store

Regarding deletion of the National COVIDSafe Data Store, the bill finally also includes a more specific process for deletion of the National COVIDSafe Data Store once the pandemic is over, compared to the determination. This includes a process for the minister to determine the end of the COVIDSafe data period under section 94Y and by outlining the actions that then need to be taken by section 94P.

Reporting requirements

Regarding reporting requirements, the bill includes a requirement that the Minister for Health report to the parliament as soon as practicable after each six-month period on the operation and effectiveness of the COVIDSafe app. This underscores the government’s commitment to transparency about the operation and effectiveness of COVIDSafe and the unprecedented privacy and security protections built around the app’s data handling.

Repeal of the b ill

Regarding repeal of the bill, schedule 2 of the bill will result in the legislation being automatically repealed 90 days after the Minister for Health issues a determination that COVIDSafe app is no longer required under section 94Y. The Acts Interpretation Act will apply to preserve the effect of the repealed law so that an investigation into a possible breach of a repealed law can continue or can be commenced after repeal.

Conclusion

By way of conclusion, this bill will guarantee that Australians’ privacy is protected when they choose to download and use COVIDSafe. By enshrining the biosecurity determination into primary legislation, and ensuring the Information Commissioner has the power to hear complaints about the mishandling of COVIDSafe app data under the Privacy Act, the public can be assured that the government is doing all we can to keep their data as secure as possible. With the passage of this bill, we sincerely hope that the Australian public will take note of the unprecedented strength of these privacy protections, choose to download the app and help their fellow Australians combat the spread of COVID-19. I commend the bill to the House.

Leave granted for second reading debate to continue immediately.

The Shadow Attorney General’s Second Reading speech provides:

Since the beginning of this public health crisis, Labor’s focus has been on saving lives and saving jobs. As the Leader of the Opposition has said on many occasions, Labor is looking for outcomes, not arguments. That is the spirit in which we have approached the Privacy Amendment (Public Health Contact Information) Bill 2020 and the government’s contact tracing app more generally.

My colleagues and I believe that a contact tracing app can be a valuable tool for protecting Australians from coronavirus. But, to be a valuable tool, the app has to work and Australians must have complete confidence that their privacy is protected and that the data collected by the app will never be used for any purpose other than contact tracing during the current health crisis. Without that confidence, millions of Australians will not download the app and its value as a public health tool will be severely compromised, even if it works effectively in a technical sense.

At the outset, the Prime Minister said that at least 40 per cent of the Australian population needed to download the app for it to be an effective tool—that means about 10 million Australians. The government is well short of that figure at the moment. I understand that about 5.5 million Australians have downloaded the COVIDSafe app so far, but my colleagues and I hope that this bill and Labor’s support for it will help to build the public confidence that is needed to persuade many millions more to download it.

One of the reasons why I support the passage of this bill is the very positive engagement that I have had with the Attorney-General over the last week. Following the release of the draft legislation, last Monday evening I approached the Attorney-General with a number of suggestions for improving the bill and boosting public confidence. To his credit, the Attorney-General considered, in good faith, all of the concerns I raised with him, and he has sought to address most of them in the version of the bill that is now before the House. Those amendments have improved the bill in a variety of ways. For example, there is now greater clarity about what data is protected by the strict privacy safeguards contained in the bill.

The bill now provides for greater oversight of the COVIDSafe app and the handling of COVIDSafe data by the Office of the Australian Information Commissioner. The bill now makes it clear that no intelligence agency or law enforcement agency can be given a role in administering the COVIDSafe data store. Where it is unlikely to prejudice a law enforcement investigation, the bill now allows the Office of the Australian Information Commissioner to continue an investigation even where the investigation overlaps with an investigation by law enforcement. And the bill now includes a number of public reporting requirements so that the Australian people can be kept informed about the operation and effectiveness of the app and the level of compliance with the privacy safeguards contained in the bill. This is now a stronger and better piece of legislation as a result of constructive engagement between Labor and the government. For that, I would like to give particular credit and extend my thanks to the Attorney-General and his office.

I understand that a number of my colleagues will speak about some of the suggestions from Labor that were not adopted by the government. While each of those concerns is important, they must be kept in perspective, particularly when it comes to the issue of privacy. To be clear: this bill will introduce the strongest privacy safeguards that have ever been put in place by any Australian parliament. That is despite the fact that the COVIDSafe app is voluntary and the data that it collects is, compared to other personal information that’s routinely collected by governments and corporations, relatively innocuous. This bill takes privacy seriously.

I would also like to assure Australians that this is not a case of set and forget. Labor will keep an eye on how the measures in the bill are being implemented to ensure that they are effective and working as intended. I expect the Attorney-General will be doing the same. Necessarily, this bill had to be drafted quickly and it has not gone through the usual parliamentary committee processes of review. As such, it has not received the same degree of scrutiny that a bill would typically be subject to. For that reason, I welcome last Friday’s announcement by the Senate Select Committee on COVID-19 that it intends to oversee the COVIDSafe app and this legislation by reviewing the rollout of the appropriate—

Zdnet has reported on the passage to date in COVIDSafe legislation enters Parliament with a few added privacy safeguards

 

 

Leave a Reply





Verified by MonsterInsights