The COVIDSafe Bill – good progress, but there's more to do

By Gavin Smith, Phil O'Sullivan
COVID-19 Cybersecurity & Privacy Data Technology Telecommunications

In brief 12 min read

The COVIDSafe app has been marketed as offering privacy 'protected by law'. On Sunday, the Federal Government released an exposure draft of legislation designed to put those protections in place, and to dispel lingering doubts about the app.

The Privacy Amendment (Public Health Contact Information) Bill 2020 (Bill) will supersede the Health Minister's determination under the Biosecurity Act 2015 (Cth) (Determination), which we discussed in our article COVIDSafe – what we now know. The Bill amends the Privacy Act 1988 (Cth), introducing a new Part VIIIA (Public Health Contact Information), which will be repealed at the end of the COVID-19 pandemic.

The Bill offers a robust level of privacy protection for COVID app data (importantly, including where handled by different State and Territory health authorities), and establishes a strict enforcement and oversight regime. On privacy protections, we think the Bill does a good job.

Some issues, however, remain to be resolved in this exposure draft, including a small number of important matters that we identified in our review of the Determination.  In particular, uncertainty remains about the following: 

  • whether data that is derived from COVID app data will be subject to the protections in the Bill – the current drafting suggests it is not;
  • whether WiFi-only (SIM-less) devices are captured in the definition mobile telecommunications device and, therefore, whether data collected from those devices will be subject to the protections in the Bill – again, the current drafting suggests that it will not be;
  • the scope of use of de-identified COVID app data, and protections against re-identification risk; and
  • precisely how the protections offered by the Bill will interact with the operation of the US CLOUD Act. 

We consider all of these to be eminently resolvable, but they must be dealt with clearly and decisively if the Government is to present the best possible case to convince the Australian public to download and use the COVIDSafe app.

Key takeaways

  • The definition of COVID app data is similar to that used in the Determination. The definition (and therefore the key restrictions under the Bill) does not capture information obtained by State and Territory health authorities through other sources when undertaking contact tracing.
  • However, the definition of COVID app data:
    • expressly excludes de-identified information; and
    • does not clearly include or cover information that may be derived by Federal, or State or Territory agencies from the information collected through COVIDSafe and which was never stored on a mobile telecommunications device. In our view, this remains a gap, and the definition should be clarified. 
  • The Bill expressly provides that State and Territory health authorities will be subject to the Privacy Act (including its enforcement provisions) as organisations to the extent they deal with, or their activities relate to, COVID app data. This deals with a substantial previous area of concern.
  • The Bill provides some further detail about what will constitute the 'end of the COVID-19 pandemic', which will occur when the Health Minister is satisfied that use of COVIDSafe is no longer required to prevent or control, or is no longer likely to be effective in preventing or controlling, the entry, emergence, establishment or spread of COVID into Australia or any part of Australia. This remains a subjective test and subject to the Health Minister's discretion.
  • As was the case in the Determination, the Bill leaves it open for the parameters about what constitutes close contact (for the purposes of contact tracing) to be changed over time, rather than 'locking in' the meaning of 'in contact' to the current parameters of individuals being 1.5 metres apart for more than 15 minutes. We suspect this is deliberate, in order to offer some flexibility for public health authorities to react if current levels of control of the pandemic are not maintained, and it is necessary (for public health purposes) to set new parameters in terms of what constitutes close contact. We expect there will be Parliamentary scrutiny on this point.
  • The Bill, in line with the Determination, makes it clear employers (and other persons) cannot require their employees to download or use the COVIDSafe app, including by making it unlawful to take adverse action against an employee on these grounds. While the Bill has altered the prohibition on refusal of entry to premises, so that it only applies to premises open to the public or which the individual has a right to enter – employers and others should be aware of the prohibitions on requiring use of the COVIDSafe app and will need to exercise caution when requesting information about an individual's use of the COVIDSafe app.
  • The Bill retains the offences in respect of COVID app data set out in the Determination, subject to minor changes. Each such offence will be subject to a maximum penalty of five years imprisonment and $315,000 for corporations, and will be able to be enforced by the Australian Information Commissioner (Commissioner).

What data is covered?

As with the Determination, the prohibited activities set out in the Bill relate to COVID app data. COVID app data is defined as data relating to a person that has been:

  • collected or generated through the operation of COVIDSafe;
  • stored on a mobile telecommunication device.

The definition expressly excludes de-identified information and information obtained by State and Territory health authorities through sources other than the National COVIDSafe Data Store (Data Store) in the course of performing contact tracing.

The exclusion for information separately obtained by State and Territory health authorities has been included on the grounds that COVIDSafe is an extension, and not a replacement of, normal manual contact tracing processes undertaken independently by respective health authorities. This may be viewed in some quarters as a missed opportunity to create an overarching regime governing all contact tracing data.  As it stands, contact tracing data collected through manual measures will be subject to a far less coherent and consistent regime. However, this legislation is designed only to support and provide protection for the COVIDSafe app – it was not intended to address broader contact tracing activity.   

As the protections provided by the Bill relate to data that is stored, or has been stored, on a mobile telecommunication device, it will also be critical to ensure that this definition captures all devices on which individuals are able to download and use COVIDSafe. The definition is linked to devices which use or are capable of using a public mobile telecommunications service, as that term is defined in the Telecommunications Act 1997 (Cth). At present, this appears not to capture data gathered from WiFi-only (SIM-less) devices like WiFi-only iPads or iPods. Although a mobile phone number is required as part of the registration process for COVIDSafe, there are currently no limitations on individuals downloading COVIDSafe to WiFi-only devices and using another mobile phone number for registration (eg individuals who do not have a smartphone or wish to download COVIDSafe to multiple devices they may carry with them). Clarification of the definition of mobile telecommunications device to include wifi-only devices will easily remedy this potential unintended gap.

Further, the exclusion of de-identified information and a failure to expressly address the treatment of data derived from COVID app data, without ever having been stored on a mobile telecommunications device, introduces a potential gap in the protections offered by the Bill.

The Bill actually narrows the reference from the Determination in relation to the production of statistical information that is de-identified. Under the Bill, the data store administrator may use COVID app data for the purpose of and only to the extent required to produce de-identified statistical information about the total number of registrations through COVIDSafe. This suggests that only one specific, and quite narrow, use case for de-identified data is permitted under the Bill. However, the Bill includes other, more general, references to de-identified data (which raise the possibility that the Government may be contemplating more uses of de-identified data than producing stats about registrations through COVIDSafe).  

This should also be clarified so there is a transparent understanding of how the data might be used in de-identified form. If, for example, broader references have been included because the Government intends to rely on an ability to use COVID app data, by de-identifying it, for the purpose of analysing contact patterns and the spread of the virus, this should be transparently disclosed so that the scope of any proposed de-identification, and the purposes for which such de-identified information may then be used can be understood and be subject to Parliamentary scrutiny.

This is only one part of the equation. As a practical matter, it will also be necessary to appropriately mitigate the risks of any re-identification of data. The bill does not currently deal with this.  We recommend that the Government should separately commit to an independent assurance review of the de-identification process and a regular assessment of any re-identification risk.

How are State and Territory health authorities caught?

Under the Bill, COVID app data may only be collected, used or disclosed by persons employed or in the service of State and Territory health authorities, where such handling is for the purpose of, and to the extent required for the purpose of, undertaking contact tracing.

The Bill provides that:

  • COVID app data is personal information for the purposes of the Privacy Act; and
  • State and Territory health authorities are organisations (ie. companies) for the purposes of the Privacy Act, to the extent that they deal with or their activities relate to COVID app data.

This ensures that the handling of COVID app data will be subject to the Privacy Act, as well as the specific protections in the Bill, so that (to the extent not inconsistent with the Bill) the Australian Privacy Principles, the notifiable data breach scheme and other enforcement provisions apply. This introduces clear and consistent baseline privacy protections for all Australians, a substantial improvement on the position set out in the Determination.

What will constitute the end of the COVID-19 pandemic?

The Bill provides more detail on how the COVIDSafe regime will be dismantled.

In particular, the Health Minister is required to determine the 'end of the COVIDSafe data period', being the day by which they are satisfied that use of COVIDSafe:

  • is no longer required to prevent or control; or
  • is no longer likely to be effective in preventing or controlling,

the entry, emergence, establishment or spread of COVID into Australia or any part of Australia. The Health Minister may only make this determination after they have consulted or considered recommendations from the Chief Medical Officer or the Australian Health Protection Principal Committee. 

While this is ultimately a matter within the discretion of the Health Minister, an additional check and balance has also been included to permit the Federal Chief Medical Officer or the Australian Health Protection Principal Committee to recommend to the Health Minister that the Health Minister make an end of period determination.     

From the date that is determined to be the end of the COVIDSafe data period:

  • the data store administrator must:
    • not collect any COVID app data or make COVIDSafe available to be downloaded; and
    • as soon as reasonably practicable, delete all COVID app data from the Data Store, and take all reasonable steps to inform all current users that:
      • all COVID app data has been deleted from the Data Store;
      • COVID app data can no longer be collected; and
      • the COVIDSafe app should be deleted; and
  • after a period of 90 days, the entirety of Part VIIIA will be repealed.

As we note above, these deletion steps will not cover any information that was originally COVIDSafe app data but which has been de-identified. 

Individual control over deletion

The Bill clarifies that – prior to the end of the COVID-19 pandemic – where a user requests that their registration data be deleted from the Data Store, the administrator must:

  • take all reasonable steps (but shall not be strictly required) to delete that registration data from the Data Store as soon as practicable; and
  • if not practicable to delete the registration data immediately, not use or disclose that data for any purpose (other than confirming the correct data is being deleted).

As with the other provisions of the Bill, this obligation to delete registration data expressly does not extend to de-identified data. It also does not extend to data uploaded by another person's mobile device or data about the requesting user's interactions with other mobile devices.

Noticeably, the prohibition under the Determination on causing COVID app data to be retained on a mobile device for more than 21 days has been replaced with an obligation on the data store administrator to take all reasonable steps to ensure that such data is not retained for longer than 21 days or, if that is not possible, the shortest practicable period. It is not clear why this obligation has been altered, though it might be the result of limitations in the current version of COVIDSafe and/or the Data Store's inability to comply.

Interaction with other legislation

Following concerns raised about the interaction between the governing legislation for COVIDSafe and other Australian and international legislation, the Bill seeks to ensure the protections and prohibitions on the use and disclosure of COVID app data are not undermined by existing Australian laws.

The Bill provides that the new Part VIIIA of the Privacy Act will override any other Australian law that would have the effect of permitting or requiring conduct that is prohibited by that Part. The only exception to this is legislation that is subsequently introduced which expressly permits or requires the conduct despite the provisions. This exception is included so as not to create an impermissible fetter on the right of future parliaments to make new laws.

However, as drafted, the provisions of the Bill would override the proposed Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (IPO Bill). This would mean the COVID app data would not be able to be disclosed as part of an international production order issued under a relevant international agreement captured by the IPO Bill.

There is still some uncertainty as to the treatment of COVID app data by other international legislation. In particular, the operation of the US CLOUD (Clarifying Lawful Overseas Use of Data) Act (CLOUD ACT) continues to be a contentious point.

As noted in our 'COVIDSafe what we now know' Insight, the CLOUD Act applies to Amazon Web Services (AWS) as a US incorporated corporate group, and allows the US Government to compel information from US-based cloud and technology companies under warrant where such data is within the company's 'possession, custody or control'. A company can refuse to provide data where doing so would violate the law of a 'qualifying foreign government'.

Australia is not currently a qualifying foreign government and will not become one until Australia and the US execute a bilateral agreement. The IPO Bill noted above is a precursor and enabler to this. This means that data held by AWS could, at least theoretically, be at risk of access by the US Government until these arrangements are finalised. While we consider that to be highly unlikely, we do expect further discussion and Parliamentary scrutiny on this topic.