The COVIDSafe app and my privacy rights
The information on this page describes how the Privacy Act 1988 (Privacy Act) applies to the Australian Government’s COVIDSafe app.
What is the COVIDSafe app?
The COVIDSafe app is part of the Australian Government’s response to the COVID-19 pandemic and assists with contacting people who may have been exposed to the virus. Please visit the Department of Health website for more information about the app.
Can someone make me use the COVIDSafe app?
No. The app is voluntary. Whether or not you choose to download and use the app is entirely your choice. You cannot be required to download or use the app. If the app has been installed on a device you use at your workplace, your employer should delete the app upon your request.
It is an offence under the Privacy Act for any individual, organisation or government agency to require you to download or use the app. However, this does not apply to private citizens in their personal lives. For example, it is not an offence if a relative or friend asks you to download the app before visiting their home. It also does not apply to any other contact tracing apps or QR codes. For example, if a business is required under a public health order to collect your personal information for contact tracing purposes, and they ask you to provide your details through a State or Territory government app or QR code, or through another app or QR code, this is not an offence as they are not requiring you to use the COVIDSafe app.
What if someone tells me that I am required to download the app?
You cannot be required to download or use the COVIDSafe app to take part in an activity or provide or receive a good or service. This means that:
- a business cannot charge you more for a product or service just because you are not using the app
- a school cannot require students to use the app to attend on-site lessons
- a restaurant cannot refuse you service just because you don’t have the app
- a landlord cannot require a tenant to download the app
- an airline cannot refuse to let you fly just because you don’t have the app
- your employer cannot dismiss you, alter your position to your detriment, stop you entering your workplace, or pay you less just because you don’t have the app (even if you are using a work-issued phone)
- your sporting club cannot stop you from playing just because you don’t have the app.
If you have been told that you need to download or use the COVIDSafe app, you can lodge a complaint with us.
If I get the COVIDSafe app, what information will be collected about me?
If you download and register to use the COVIDSafe app, you will be asked to supply some registration information.
You will need to provide your:
- name (or a pseudonym)
- mobile phone number
- age range
This information will ensure your state or territory health authority has your details if you have been in contact with someone with the virus, and that people who are vulnerable are contacted first. Contact tracers will determine your risk category according to your age and proximity to a known cluster.
The National COVIDSafe Data Store, which is administered by the Digital Transformation Agency, will send your phone a new user ID every two hours. The user ID will be automatically encrypted and stored in the app on your phone. The user ID will also be stored in the National COVIDSafe Data Store.
The app will use Bluetooth signals every minute to detect and record details of phones nearby which are also using the COVIDSafe app. This process is called a ‘digital handshake’. The app does not use GPS or any other location-tracking system and does not record your (or anybody else’s) location.
The app will collect the following information about all digital handshakes it has made with other phones:
- make and model of the phone
- date and time of contact
- Bluetooth signal strength
- the phone’s encrypted user ID.
The app stores this data on your phone for 21 days, then automatically deletes it. However, if you test positive to COVID-19 and agree to upload the data on your phone to the National Data Store, this data will remain in the Data Store to assist contact tracers until it is no longer required by the contact tracers, and will be deleted once the Health Minister determines that the COVIDSafe app is no longer needed.
The app will not collect the name, phone number, age or postcode of other people, or any location information.
While you have the app on your phone, your digital handshake information will be sent to the phone of other COVIDSafe users, if you are close enough. If you delete the app, it will stop exchanging digital handshakes with other COVIDSafe users and delete any digital handshakes collected by the phone and not uploaded to the Data Store.
How will the COVIDSafe app protect people?
The COVIDSafe app is a tool to help speed up the process of tracing and contacting people who have potentially been exposed to the virus.
Contact tracing will occur whether or not you have the app. However, the app can make this process easier and more reliable because it does not rely on your memory of who you have been in contact with and will collect contacts from people you may not know.
The app will not protect you from catching the virus and it will not alert you in real time if you come close to someone who has the virus. You must practise appropriate physical distancing and good hygiene, whether or not you have the COVIDSafe app.
How does the Privacy Act protect the information collected through the COVIDSafe app?
The Privacy Act was amended on 14 May 2020 to protect data in the COVIDSafe app and the National COVIDSafe Data Store. The Privacy Act:
- prohibits anyone being required to download or use the app
- strictly limits the purposes for which data from the app can be collected, used or disclosed
- requires data to be deleted when it is no longer needed.
Information that has been collected or generated through the COVIDSafe app can only be collected, used or disclosed by:
- state or territory health officials who are contact tracing individuals possibly exposed to COVID-19
- the administrators of the COVIDSafe app and the National COVIDSafe Data Store, to enable the app, the Data Store and contact tracing to work properly and to ensure the integrity of the app and Data Store
- the Office of the Australian Information Commissioner and police enforcing these privacy protections.
Information that has been collected or generated through the COVIDSafe app cannot be accessed by police, or used in court proceedings, except where the suspected crime is a breach of Part VIIIA of the Privacy Act.
The National COVIDSafe Data Store is held in Australia, and it is an offence for the data to be retained or sent overseas.
What happens if my information is sent to a state or territory health department?
Information about you that is sent from the National COVIDSafe Data Store to a state or territory health department is still protected by the Privacy Act.
Information that a state or territory health department collects about you by any other method is not subject to the Privacy Act. For example, if someone you work with is diagnosed with COVID-19, they may tell a state or territory contact tracing team about any colleagues they have been in close contact with. This would happen whether or not you have the app.
Any information that has not come from the National COVIDSafe Data Store must be handled in line with the privacy law that applies in that state or territory. For example, if a contact tracing team calls you to ask for more information, the information you provide directly to them will be covered by the privacy law that usually applies to that state or territory health department.
When will my data be deleted?
The data held in your app about your close contacts (its record of ‘digital handshakes’) is automatically deleted once it is more than 21 days old.
You can delete the app from your phone at any time. This will delete all digital handshakes from your phone and will stop your phone creating any new digital handshakes.
You can also request the deletion of your registration data (your name, mobile phone number, age range and postcode) and your record of close contacts from the National COVIDSafe Data Store, using this online form.
You cannot ask for your ‘digital handshake’ data, which may be held in the National COVIDSafe Data Store as a result of other users uploading their close contacts, to be deleted. However, if your registration information is deleted, any digital handshakes uploaded to the National COVIDSafe Data Store by others with whom you have come into close contact can no longer be linked back to you.
Once the Health Minister has determined that the COVIDSafe app is no longer needed to prevent or control the spread of the virus, all data in the National COVIDSafe Data Store will be deleted as soon as is reasonably practicable, and users will be informed.
Who is enforcing the privacy protections for the COVIDSafe app?
The OAIC has an independent oversight function under the Privacy Act, and is actively monitoring and regulating compliance with the Privacy Act, which governs the COVIDSafe app.
We have powers to:
- conduct audits
- investigate complaints
- order compensation to be paid to individuals who suffer from an interference with their privacy
- seek civil penalties against individuals and organisations which breach the law
- refer matters to the police if we think a crime has been committed
- refer matters to state and territory privacy regulators if appropriate.
How can I make a privacy complaint?
If you believe that any individual or organisation has breached the new COVIDSafe app law, you can:
- make a complaint to the OAIC and/or
- make a complaint to the Australian Federal Police.
For more information about how to make a complaint to the OAIC, see Privacy complaints.