Guidance for state and territory health authorities regarding COVIDSafe and COVID app data

A legal framework of privacy protections has been established under Part VIIIA of the Privacy Act 1988 (Privacy Act) to protect COVID app data. Amongst other things, these legislative provisions:

  • prohibit certain conduct;
  • outline the limited purposes for which COVID app data may be collected, used or disclosed;
  • require COVID app data to be stored in, and not disclosed outside of, Australia; and
  • set penalties for breaches of this law.

The object of Part VIIIA is to assist in preventing and controlling the entry, emergence, establishment or spread of COVID-19, by providing stronger privacy protections for COVID app data and COVIDSafe users in order to:

  • encourage public acceptance and uptake of the COVIDSafe app, and
  • enable faster and more efficient contact tracing.

The Bilateral Agreements between the federal Department of Health and state and territory health authorities set out additional obligations on collection, use and disclosure of COVID app data. These Agreements detail the ways in which COVID app data must be handled in accordance with the obligations under the Privacy Act.

This includes the requirement for state and territory health authorities, unless otherwise required by law, to delete COVID app data once it is no longer required for contact tracing purposes.

State and territory health authorities have a crucial role to play in achieving these objectives, and this guidance has been developed to assist health authorities in complying with Part VIIIA whilst achieving important public health outcomes.

Application of the Privacy Act to state and territory health authorities

Section 94ZC of the Privacy Act provides that COVID app data is and remains the property of the Commonwealth, even after it has been disclosed to or used by a state or territory health authority. Subsection 94X(1) extends coverage of the Privacy Act (including the Australian Privacy Principles (APPs), with the exception of APP 9) to state and territory health authorities, to the extent that the authority deals with, or the activities of the authority relate to, COVID app data.

This means that where a state or territory health authority collects, uses or discloses COVID app data, the APPs apply, as well as the provisions of Part VIIIA. The Office of the Australian Information Commissioner’s (OAIC) regulatory oversight extends to the handling of COVID app data by state and territory health authorities. It is therefore important that state and territory health authorities understand the obligations and privacy protections that apply to COVID app data.

What is COVID app data?

COVID app data is data relating to any individual which is collected or generated through the operation of the COVIDSafe app and is either registration data, or is (or has been) stored on a communication device such as a mobile phone.

It is ‘personal information’ for the purposes of the Privacy Act.

This includes:

  • the data uploaded by the individual at the time they downloaded the app and registered to use it (‘registration data’), and
  • data that is or has been stored on an individual’s communication device about each contact made with another communication device using the app (‘digital handshake’ data).

Data that is accessed by state and territory health authorities through the National COVIDSafe Data Store is COVID app data. COVID app data must only be collected, used or disclosed for contact tracing purposes, and only to the extent required to undertake that contact tracing.

Data that is directly downloaded or extracted from the National COVIDSafe Data Store to a state or territory health authority’s local system retains its identity as COVID app data, and the Privacy Act will apply to the handling of that data.

However, information collected by a state or territory health authority from a source other than directly from the National COVIDSafe Data Store will not be ‘COVID app data’. For example, if a health authority verifies a person’s contact details over the phone, and these are the same contact details that person used when registering for COVIDSafe, any new record of this information will not be COVID app data.

To facilitate their compliance with the Privacy Act, health authorities should ensure they have clear processes to determine whether/when COVID app data has been directly downloaded or extracted from the National COVIDSafe Data Store to their local system and whether/when the state or territory health authority deals with COVID app data.

Operation of other laws to COVID app data

Section 94ZD has the effect that Part VIIIA overrides any other inconsistent Australian law.

This means that no other Australian laws can override the provisions of Part VIIIA in relation to COVID app data, unless those laws commenced after Part VIIIA and expressly permit the conduct, despite Part VIIIA.

Requiring the use of COVIDSafe

The COVIDSafe app is voluntary. While use of the app may be encouraged, the Privacy Act provides that no individual, organisation or government agency can require any individual to download or use the app or upload their data to the National COVIDSafe Data Store. Criminal penalties apply for breach of these provisions.

Uploading data from the app

If an individual is diagnosed with COVID-19, a state or territory health official will ask the individual if they have been using the COVIDSafe app and if they agree to upload data about their close contacts. Consent must be obtained from that individual to upload the data from the app to the National COVIDSafe Data Store.

It is an offence for any individual, organisation or government agency to require an individual to upload their data, or cause the data to be uploaded, from the app to the National COVIDSafe Data Store, without obtaining consent from that individual. In order to obtain valid consent:

  • the individual must be adequately informed of the implications of providing or withholding consent
  • the individual must give consent voluntarily
  • the consent must be current and specific
  • the individual must have the capacity to understand and communicate their consent.

Only the individual whose name and communication device number was provided at the time of initial registration for the app can consent to upload the data. If the individual is unable to give consent, due to being a child for example, consent to upload the data must be obtained from a parent, guardian or carer acting on that individual’s behalf.

Disclosure outside Australia

COVID app data must be stored on a database located in Australia. This applies to the storage of COVID app data in the National COVIDSafe Data Store and COVID app data that has been downloaded into a state or territory health authority data repository.

It is an offence to disclose COVID app data that has been uploaded to the National COVIDSafe Data Store to another individual outside Australia unless:

  • the disclosure is by a person employed or in the service of a state or territory health authority, and
  • the disclosure is for the purpose of, and only to the extent required for the purpose of, conducting contact tracing.

Collecting, using or disclosing COVID app data

COVID app data may only be collected, used or disclosed:

  • by a person employed or in the service of a state or territory health authority for the purpose of conducting contact tracing:
    • only to the extent required to undertake that contact tracing
  • by the National COVIDSafe Data Store administrator (or their contracted service provider):
    • to enable contact tracing by persons employed or in the service of a state or territory health authority
    • to ensure the proper functioning, integrity and security of the app or the National COVIDSafe Data Store
    • to delete registration data on request from (or on behalf of) an individual who is the subject of the registration data, and
    • to produce de-identified statistical information about the number of registrations for the app
  • by the OAIC:
    • to assess and investigate compliance with the Privacy Act in relation to the handling of COVID app data
    • to review compliance with the notifiable data breach scheme in relation to handling of COVID app data
    • to refer matters to state or territory privacy regulators as appropriate, and
    • to refer suspected breaches of the Privacy Act in relation to handling of COVID app data to the police or director of public prosecutions as appropriate.
  • by the police or director of public prosecutions:
    • to investigate and prosecute alleged breaches of the Privacy Act in relation to handling of COVID app data.

What is contact tracing?

Contact tracing is defined in subsection 94D(6) of the Privacy Act as the process of identifying persons who have been in contact with a person who has tested positive for the coronavirus known as COVID-19. This process includes:

  • notifying a person that the person has been in contact with a person who has tested positive for the coronavirus known as COVID‑19, and
  • notifying a person who is a parent, guardian or carer of another person that the other person has been in contact with a person who has tested positive for the coronavirus known as COVID‑19, and
  • providing information and advice to a person who:
    • has tested positive for the coronavirus known as COVID‑19, or
    • is a parent, guardian or carer of another person who has tested positive for the coronavirus known as COVID‑19, or
    • has been in contact with a person who has tested positive for the coronavirus known as COVID‑19, or
    • is a parent, guardian or carer of another person who has been in contact with a person who has tested positive for the coronavirus known as COVID‑19.

The definition of ‘contact tracing’ incorporates parents, guardians and carers to recognise that there are people with particular needs, including persons with disability, the elderly, and children, where it may be appropriate for the contact tracer to talk to a person responsible for that person.

Obligations to protect and manage COVID app data appropriately

With the exception of APP 9, the APPs apply to state and territory health authorities in relation to their handling of COVID app data.

This includes APP 11.1, which requires organisations handling COVID app data to take reasonable steps to protect the data from misuse, interference, loss, unauthorised access, unauthorised modification and unauthorised disclosure.

Reasonable steps should include, where relevant, taking steps and implementing strategies in relation to the following:

  • privacy governance, culture and training
  • internal practices, procedures and systems
  • ICT security
  • access security
  • third party providers (including cloud computing)
  • data breaches
  • physical security
  • destruction and de-identification of data, and
  • data standards

As part of taking reasonable steps to protect COVID app data, state and territory health authorities should consider how they will protect personal information at all stages of the information lifecycle. This should be considered before a state or territory health authority collects COVID app data as well as when the information is collected and held, and when it is destroyed or de‑identified when no longer needed.

The OAIC has published APP Guidelines, including Chapter 11: APP 11 – Security of Personal Information.

APP 1 requires state and territory health authorities to:

  • implement practices, procedures and systems to ensure their compliance with all relevant privacy rules, and
  • have a clearly expressed and up-to-date privacy policy which explains how they manage COVID app data.

State and territory health authorities should put in place additional controls and procedures to ensure that only approved employees or personnel may access data in the National COVIDSafe Data Store for the purpose of contact tracing.

Deletion of data received in error

A person, including anyone employed by or in the service of a state or territory health authority, who receives COVID app data in error must, as soon as practicable, delete the data, and notify the data store administrator that the person received the data.

Data breaches

The notifiable data breach scheme in Part IIIC of the Privacy Act applies to certain conduct by the National COVIDSafe Data Store administrator, and state and territory health authorities.

A breach of any of the COVID app-related provisions in Part VIIIA of the Privacy Act by the National COVIDSafe Data Store administrator or by a state or territory health authority will be considered an ‘eligible data breach’. All individuals to whom the data relates are considered to be ‘at risk’ from the data breach and both the OAIC and affected individuals must be notified as soon as practicable about the data breach, unless the OAIC grants an exemption to the requirement to notify individuals. This is a lower threshold than for eligible data breaches under the notifiable data breach scheme in Part IIIC of the Privacy Act, which only become notifiable if the data breach is ‘likely to result in serious harm’ to any of the individuals to whom the information relates.

A failure to notify either the OAIC or the affected individuals of the data breach as required is an ‘interference with privacy’, which triggers the OAIC’s regulatory powers.

State and territory health authorities must therefore have clear procedures and plans in place to manage any data breaches in relation to COVID app data. The OAIC has published information about data breaches under the notifiable data breach scheme in Part IIIC of the Privacy Act, including the Data Breach Preparation and Response Guide and How to report a data breach, noting that different reporting thresholds apply under Part VIIIA of the Privacy Act.

Interference with privacy: OAIC powers

Section 94T of the Privacy Act allows the OAIC to conduct assessments of whether the acts or practices of an entity or a state or territory authority (including health authorities) comply with the privacy obligations in Part VIIIA.

A breach of any of the new COVIDSafe app-related provisions of the Privacy Act, or the APPs, is considered an ‘interference with privacy’, which triggers the OAIC’s investigative and regulatory powers under the Privacy Act, in relation to regulated entities.

The OAIC has powers to:

  • conduct assessments
  • investigate complaints
  • commence investigations on its ‘own motion’
  • refer matters to state or territory privacy regulators
  • make a declaration that compensation be paid to individuals who suffer from an interference with their privacy
  • seek civil penalties for serious or repeated interferences with privacy, and
  • refer matters to the police if the OAIC thinks a crime has been committed.

The OAIC also has an obligation to report publicly every six months on the performance of the Information Commissioner’s functions and exercise of the Information Commissioner’s powers under the new COVIDSafe app-related provisions of the Privacy Act.

The Commonwealth Health Minister has an obligation to report every six months on the operation and effectiveness of COVIDSafe and the National COVIDSafe Data Store.

For more information

For more information contact the OAIC:
