Privacy Amendment (Public Health Contact Information) Act 2020: Privacy protections for data collected through the Commonwealth COVIDSafe app | Practical Law

This update considers the Privacy Amendment (Public Health Contact Information) Act 2020 and its impacts on the collection, use and disclosure of data collected through the Commonwealth's COVIDSafe app.

by Practical Law Commercial
Published on 22 May 2020
Australia, Federal

Privacy Amendment (Public Health Contact Information) Act 2020

On 15 May 2020, the Privacy Amendment (Public Health Contact Information) Act 2020 (Act) was assented to in response to the 2019 novel coronavirus disease (COVID-19) pandemic. The Act enshrines in primary legislation the provisions initially introduced in the Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements—Public Health Contact Information) Determination 2020 (Determination) relating to the collection, use and disclosure of data collected by the Commonwealth's COVIDSafe app (COVID app data).
The COVIDSafe app operates to assist in preventing the emergence and outbreak of COVID-19 in Australia by collecting personal information about users who come into contact with each other, to help facilitate contact tracing. The Act amends the Privacy Act 1988 (Cth) (Privacy Act) to strengthen privacy protections for users of the COVIDSafe app and COVID app data, and to ultimately encourage public acceptance and uptake of the COVIDSafe app. Following royal assent, the Act replaces the Determination.
References to sections in this update are to sections of the Privacy Act.

Strict limitations regarding the collection, use, disclosure and dealing of personal information

Under the Act, COVID app data will be taken to be personal information within the meaning of the Privacy Act (section 94Q). Paragraph 12 of the Explanatory Memorandum for the Act states that the collection of this data will be limited to the minimum amount reasonable and necessary in order to facilitate effective contact tracing. Additionally, COVID app data must be retained for no more than 21 days or otherwise the shortest practicable period for achieving the specific purpose of contact tracing (section 94K).
Once collected, only authorised health officials will be permitted to access the data (section 94D), and only after a user has given their informed consent for their encrypted data to be uploaded to the Commonwealth's national COVIDSafe database (section 94E and section 94F). Deletion of COVID app data is also a requirement in circumstances where a COVIDSafe user has specifically requested it or if it was received in error (section 94L(1) and section 94M).
The Act seeks to further address privacy concerns by providing that participation in the COVIDSafe app must be strictly voluntary (section 94H). The Act also introduces several serious offences relating to COVID app data and imposes significant civil and criminal penalties for misuse. These offences relate to:
  • Non-permitted collection, use or disclosure of COVID app data.
  • Uploading COVID app data without consent.
  • Retaining or disclosing uploaded data outside Australia.
  • Decrypting encrypted COVID app data.

Enforcement and reporting requirements

Enforcement of the legislation will be independently overseen by the Office of the Australian Information Commissioner (OAIC).
Under the legislation, data breach notification requirements are imposed on certain parties including the data store administrator and State or Territory health authorities (section 94S). The Commissioner's role in dealing with eligible data breaches is further enhanced by provisions in the Act which will allow the Commissioner to make assessments and conduct investigations, and to refer matters to, and share information or documents with, State or Territory privacy authorities (sections 94T, 94U, 94V and 94W).
Additionally, once COVID app data is collected, it remains the property of the Commonwealth, and the Commissioner is granted broad discretion to grant exemptions from the notification requirement on public interest grounds, or with regard to any other matters the Commissioner may consider relevant (section 94ZC and section 94S(5)).
Other regular reporting obligations under the legislation include the requirement for the:
  • Health Minister to report on the operation and effectiveness of the COVIDSafe app (section 94ZA).
  • Commissioner to report on the OAIC's performance of functions and exercise of powers under the Act (section 94ZB).
These reporting requirements are designed to ensure transparency and to build public confidence in the strong privacy protections that will apply under the Act.
For information on privacy law in Australia generally, see Practice note: overview, Australian data protection and privacy laws.
For information on privacy in the context of COVID-19, see Toolkit, Practical Law Australia's guide to COVID-19 resources: Privacy.
For a general guide to Practical Law Australia's resources that assist practitioners to understand and advise Australian businesses in relation to issues arising from COVID-19, see Toolkit, Practical Law Australia's guide to COVID-19 resources.