18 November 2020

The handling of personal information by COVIDSafe is being audited by the national privacy regulator for compliance with strict protections put in place by the Australian Government, with the first report due by the end of the year.

COVIDSafe is the app that has been made available by the Australian Government to help facilitate contact tracing.

The report will contain findings and recommendations from the first in a series of five assessments by the Office of the Australian Information Commissioner (OAIC).

Australian Information Commissioner and Privacy Commissioner Angelene Falk said the assessments are examining compliance and risk throughout the ‘information lifecycle’ of COVID app data.

"The privacy protections within the system were enshrined in law to give Australians confidence that their personal information will be safeguarded when they download and use the app," Commissioner Falk said.

"The changes to the Privacy Act 1988 also provided additional oversight powers for my office, including over state and territory health authorities accessing COVID app data.

"Our assessment program is examining the handling of personal information as it travels through the COVIDSafe app system, from notification, collection and storage, to access and deletion, including when the National COVIDSafe Data Store is deleted at the end of the pandemic."

On 16 May the Australian Government amended the Privacy Act to insert a new Part VIIIA to protect COVID app data and provide the OAIC with an oversight and assurance role.

The COVIDSafe provisions prohibit certain conduct in relation to the app, limit the purpose for which data may be collected, used or disclosed, require data to be stored in and not disclosed outside Australia, and set penalties for breaches of the law.

The provisions also extend existing regulatory powers to allow the OAIC to conduct an assessment of whether the acts or practices of an entity (including a state or territory authority) comply with the Australian Privacy Principles or Part VIIIA, and to require an entity or authority to give information or produce documents.

The COVIDSafe Assessment Program is examining:

  1. access controls applied to the National COVIDSafe Data Store by the Data Store Administrator
  2. access controls applied to the use of COVID app data by state or territory health authorities
  3. functionality of the COVIDSafe app against specified privacy protections set out under the COVIDSafe privacy policy and collection notices, and against the requirements of Part VIIIA
  4. compliance of the Data Store Administrator with data handling and deletion requirements under Part VIIIA, and
  5. compliance of the Data Store Administrator with the deletion and notification requirements in Part VIIIA which relate to the end of the pandemic.

Reports will be published on the OAIC’s website following the completion of each COVIDSafe assessment. The Australian Information Commissioner will also report every six months on the performance of her powers under or in relation to Part VIIIA of the Privacy Act.