Privacy obligations regarding COVIDSafe and COVID app data
A legal framework of privacy protections has been established under Part VIIIA of the Privacy Act 1988 (Privacy Act) to protect COVID app data. Amongst other things, these legislative provisions:
- prohibit certain conduct;
- outline the limited purposes for which COVID app data may be collected, used or disclosed;
- require COVID app data to be stored in, and not disclosed outside of, Australia; and
- set penalties for breaches of this law.
The Office of the Australian Information Commissioner (OAIC) has regulatory oversight of these new privacy protections. This extends to state and territory health authorities’ handling of COVID app data and their activities that relate to COVID app data.
What is COVID app data?
COVID app data is data relating to any individual which is collected or generated through the operation of the COVIDSafe app and is (or has been) stored on a communication device such as a mobile phone.
- the data provided by the individual at the time they downloaded the app and registered to use it (‘registration data’), and
- data stored on an individual’s communication device — and uploaded to the National COVIDSafe data store — about each contact made with another communication device using the app (‘digital handshake’ data).
De-identified information that is derived from COVID app data by the administrator of the National COVIDSafe Data Store, for the purpose of producing de-identified statistical information about the total number of registrations of the app, is not considered to be ‘COVID app data’ for the purposes of the Privacy Act.
The legal status of COVID app data
COVID app data is ‘personal information’ for the purposes of the Privacy Act.
When COVID app data is downloaded from the National COVIDSafe Data Store by a state or territory health authority, it retains its status as COVID app data under the Privacy Act. State and territory health authorities must therefore comply with the Privacy Act when handling COVID app data.
However, information collected by a state or territory health authority from a source other than directly from the National COVIDSafe Data Store will not be ‘COVID app data’. For example, when a diagnosed individual provides to a contact tracing team the names and mobile phone numbers of other individuals with whom they have recently come into contact, this will not be considered ‘COVID app data’, even if some or all of the same information is also held in the National COVIDSafe Data Store.
Requiring the use of COVIDSafe
The COVIDSafe app is voluntary. While use of the app may be encouraged, the Privacy Act provides that no individual, organisation or government agency can require any individual to download or use the app. Criminal penalties apply for breach of these provisions.
It is unlawful for any person to require an individual to:
- download the COVIDSafe app
- have the app in operation on their communication device, or
- upload data from the app to the National COVIDSafe Data Store.
An individual, organisation (including a small business operator) or agency which treats its staff, suppliers or customers differently, or which charges a different price for a service, depending on whether or not an individual has or is using the COVIDSafe app, might be considered to be unlawfully ‘requiring’ an individual to use the app. However, this does not apply to private citizens in their personal lives. For example, it is not an offence if a relative or friend asks you to download the app before visiting their home.
Uploading data from the app
If an individual is diagnosed with COVID-19, a state or territory health official will ask the individual if they have been using the COVIDSafe app and if they agree to upload data about their close contacts. Consent must be obtained from that individual to upload the data from the app to the National COVIDSafe Data Store.
Only the individual whose name and communication device number was provided at the time of initial registration for the app can consent to upload the data. If the individual is unable to give consent, due to being a child for example, consent to upload the data must be obtained from a parent, guardian or carer acting on that individual’s behalf.
It is an offence for any individual, organisation or government agency to require an individual to upload their data, or cause for the data to be uploaded, from the app to the National COVIDSafe Data Store, without obtaining consent from that individual.
Disclosure outside Australia
COVID app data in the National Data Store must be stored on a database in Australia.
It is an offence to disclose COVID app data that has been uploaded to the national COVIDSafe data store to another individual outside Australia unless:
- the disclosure is by a person employed or in the service of a state or territory health authority, and
- the disclosure is for the purpose of, and only to the extent required for the purpose of, conducting contact tracing.
Collecting, using or disclosing COVID app data
COVID app data may only be collected, used or disclosed:
- by a person employed or in the service of a state or territory health authority to conduct contact tracing:
- only to the extent required to undertake that contact tracing
- by the National COVIDSafe Data Store administrator (or their contracted service provider):
- to enable contact tracing by a person employed or in the service of a state or territory health authority
- to ensure the proper functioning, integrity and security of the app or the National COVIDSafe Data Store
- to delete registration data on request from (or on behalf of) an individual who is the subject of the registration data, and
- to produce de-identified statistical information about the number of registrations for the app
- by the OAIC:
- to assess and investigate compliance with the Privacy Act in relation to the handling of COVID app data
- to review compliance with the notifiable data breach scheme in relation to handling of COVID app data
- to refer matters to state or territory privacy regulators as appropriate, and
- to refer suspected breaches of the Privacy Act in relation to handling of COVID app data to the police or director of public prosecutions as appropriate.
- by the police or director of public prosecutions:
- to investigate and prosecute alleged breaches of the Privacy Act in relation to handling of COVID app data.
Obligations to protect and manage data appropriately
All parties handling COVID app data must also comply with the Australian Privacy Principles (APPs). With the exception of APP 9, the APPs will also apply to state and territory health authorities in relation to their handling of COVID app data.
This includes APP 11, which requires organisations handling COVID app data to take reasonable steps to protect the data from misuse, interference, loss, unauthorised access, unauthorised modification and unauthorised disclosure.
APP 1 also requires each organisation handling COVID app data, including state and territory health authorities, to:
- manage the data in an open and transparent way
- implement practices, procedures and systems to ensure its compliance with all relevant privacy rules, and
If COVID app data is incidentally collected as part of a wider, lawful collection of information (for example, during a criminal investigation), the data must be deleted as soon as practicable and must not otherwise be accessed, used or disclosed to anyone. The data also cannot be used as evidence in any proceedings.
Deletion of registration data on request
The National COVIDSafe Data Store administrator must, upon the request of the individual, their parent, guardian or carer, delete that individual’s registration data from the National COVIDSafe Data Store.
The information must be deleted as soon as is practicable and if it cannot be deleted immediately, it must not be used or disclosed for any purpose.
This requirement does not apply to digital handshake data, held in the National COVIDSafe Data Store, comprising of Bluetooth connections between the communication device of the individual who is seeking deletion (or on whose behalf the deletion is sought) and other communication devices, or to de-identified data.
At the end of the pandemic
The Health Minister must determine a date by which the Health Minister is satisfied that use of the COVIDSafe app is no longer required, or is no longer likely to be effective, in preventing or controlling the spread of COVID-19 in Australia.
Immediately after midnight on that declared date, the National COVIDSafe Data Store administrator must:
- prevent any new downloads of the COVIDSafe app by individuals
- stop any new uploads of data from the COVIDSafe app into the National COVIDSafe Data Store.
As soon as reasonably practicable after the declared date, the National COVIDSafe Data Store administrator must delete all COVID app data from the National COVIDSafe Data Store.
The National COVIDSafe Data Store administrator must also notify the Health Minister and the OAIC that all COVID app data has been deleted from the National COVIDSafe Data Store.
The National COVIDSafe Data Store administrator must also take all reasonable steps to notify all users of the COVIDSafe app (who have not already deleted the app) that their data has been deleted and they should now delete the app from their communication devices. The National COVIDSafe Data Store administrator must also take all reasonable steps to inform users that COVID app data can no longer be collected.
The notifiable data breach scheme has been extended to include certain conduct by the National COVIDSafe Data Store administrator, and state and territory health authorities.
A breach of any of the new COVID app-related provisions of the Privacy Act by the National COVIDSafe Data Store administrator, or by a state or territory health authority, will be considered an ‘eligible data breach’. All individuals to whom the data relates are considered to be ‘at risk’ from the data breach and both the OAIC and affected individuals must be notified as soon as practicable about the data breach, unless the OAIC grants an exemption to the requirement to notify individuals. This is a lower threshold than for eligible data breaches under the notifiable data breach scheme in Part IIIC of the Privacy Act, which only become notifiable if the data breach is ‘likely to result in serious harm’ to any of the individuals to whom the information relates.
A failure to notify the data breach as required is an ‘interference with privacy’, which triggers the OAIC’s powers.
Interference with privacy: OAIC powers
A breach of any of the new COVID app-related provisions of the Privacy Act, or the APPs, is considered an ‘interference with privacy’, which triggers the OAIC’s investigative and regulatory powers under the Privacy Act, in relation to regulated entities.
The OAIC has powers to:
- conduct assessments
- investigate complaints
- commence investigations on its ‘own motion’
- refer matters to state or territory privacy regulators
- make a declaration that compensation be paid to individuals who suffer from an interference with their privacy
- seek civil penalties for serious and repeated interferences with privacy, and
- refer matters to the police if the OAIC thinks a crime has been committed.
The OAIC also has an obligation to report publicly every six months on the performance of the Privacy Commissioner’s functions and exercise of the Privacy Commissioner’s powers under the new COVID app-related provisions of the Privacy Act.
The Health Minister has an obligation to report every six months on the operation and effectiveness of COVIDSafe and the National COVIDSafe Data Store.
For more information
For more information contact the OAIC:
- Enquiries Line 1300 363 992
- Online enquiries form