30 November 2022
This report outlines the findings in the Office of the Australian Information Commissioner’s (OAIC) privacy assessment of the state and territory health authority (STHA) access controls applied to the National COVIDSafe Data Store (NCDS). This assessment is also known as ‘COVIDSafe Assessment 2’. We conducted fieldwork for this assessment from September to December 2020.
This report summarises our oversight role of the COVIDSafe system and its participants, in particular our active engagement with STHAs regarding their access to COVID app data. The report also highlights the safeguards in place to protect COVID app data held by the states and territories.
We independently assessed whether, at the time of this assessment, STHAs were handling personal information in the COVIDSafe system in accordance with the provisions in Part VIIIA of the Privacy Act 1988 (Cth) that relate to STHAs. This assessment is the first time the OAIC has assessed whether state and territory government entities were handling personal information in accordance with Commonwealth laws.
The Privacy Act defines STHA as the state or territory authority responsible for administering health services in a state or territory. For this privacy assessment, we considered the following entities to be a STHA:
- ACT Health Directorate (ACT Health)
- New South Wales Ministry of Health (NSW Health)
- Northern Territory Health (NT Health)
- Queensland Department of Health (QLD Health)
- South Australia Department for Health and Wellbeing (SA Health)
- Tasmania Department of Health (TAS Health)
- Department of Health and Human Services Victoria (DHHS)
- Western Australia Department of Health (WA Health).
The purpose of this assessment was to determine whether:
- STHA were taking reasonable steps, in accordance with the requirements of Australian Privacy Principle (APP) 11.1, to protect the personal information accessed via, or collected from, the NCDS from misuse, interference and loss, as well as unauthorised access, modification or disclosure
- the acts or practices of STHA that related to handling COVID app data complied with the provisions in Part VIIIA of the Privacy Act that are relevant to the NCDS and STHAs, including s 94D and s 94F.
We found that, at the time of fieldwork:
- three STHAs collected COVID app data and stored it in either paper or electronic copies
- one STHA planned to collect COVID app data (but ultimately did not collect any)
- the remaining STHAs did not plan to collect COVID app data (and ultimately did not collect any).
We found that the STHA were generally taking reasonable steps to secure the personal information of registered users of the COVIDSafe app, in accordance with the requirements of APP 11.1.
We also found that STHA were complying with the data handling provisions under Part VIIIA of the Privacy Act that are relevant to the NCDS and STHA. We came to this conclusion based on:
- the bilateral agreements made between the Commonwealth Department of Health and each STHA, which set out responsibilities for ensuring the privacy and security of COVID app data
- the governance arrangements implemented by the STHAs and the Commonwealth Department of Health and Aged Care
- the processes and procedures STHAs implemented to collect, use and disclose COVID app data
- the storage, where applicable, of COVID app data.
We found a total of 20 medium privacy risks and 23 low privacy risks associated with STHA handling of COVID app data. More medium privacy risks were identified for the 3 STHA that collected COVID app data than for the 5 STHA that did not. Ten medium privacy risks related to STHA handling of COVID app data; the remaining risks related to possible future scenarios.
The following privacy risks were identified in relation to 2 or more STHA:
- collecting COVID app data into a record, if not handled securely and if retained longer than required
- documentation of processes and procedures around the planned or actual collection, use, storage and disclosure of COVID app data
- a lack of Privacy Impact Assessments (PIA) having been undertaken or, where undertaken, recommendations not being actioned
- the need for an appropriate disposal authority with respect to COVID app data under the state and territory legislation applicable to the STHA
- data breach response plans were not fully aligned with the Notifiable Data Breaches (NDB) scheme.
For each medium privacy risk we made a recommendation about how to address it and for each low privacy risk we made a suggestion.
The STHA agreed to implement 17 of the 20 recommendations and 13 of the suggestions of this assessment. Six suggestions were noted by STHA. There were 3 recommendations and 4 suggestions that were not agreed by STHA. These mainly related to STHA that had made decisions not to access COVID app data and these STHA considered that the recommendations and suggestions were not required.
Section 94W of Part VIIIA of the Privacy Act provided the OAIC with additional powers to share information acquired in the course of performing functions or duties under Part VIIIA with state or territory privacy authorities for the purpose of those authorities exercising their powers. We did not use this power in relation to this privacy assessment as we did not find any privacy risks which, in our view, would be more appropriately dealt with by a state or territory privacy authority.
At the time of publishing this report, the OAIC considers no further action is required. The COVIDSafe data period has ended, the data is not available for STHAs to collect, and the STHA that had collected the data have confirmed they have deleted the data.
Part VIIIA of the Privacy Act granted the Australian Information Commissioner (AIC) a range of additional proactive and reactive regulatory powers which support the AIC’s legislative responsibilities for the privacy oversight of the COVIDSafe System.
We conducted this assessment under s 33C(1)(a) of the Privacy Act, which allows the OAIC to assess whether an entity maintains and handles the personal information it holds in accordance with the APPs. We also conducted this assessment under s 94T(1) of the Privacy Act, which extends s 33C to allow the OAIC to assess whether the acts or practices of an entity, or a ‘State or Territory authority’ (which includes STHA), in relation to COVID app data comply with Part VIIIA of that Act.
We have conducted 5 privacy assessments (the COVIDSafe Assessment Program) under s 33C and s 94T of the Privacy Act in relation to the COVIDSafe System. Each COVIDSafe Assessment examines different components of the COVIDSafe System, with the COVIDSafe Assessment Program designed to collectively follow the ‘information lifecycle’ of personal information collected by the Australian Government’s COVIDSafe app.
The COVIDSafe Assessment Program consists of:
- Assessment 1 – Access controls applied to the Data Store by the Data Store Administrator (DSA)
- Assessment 2 – Access controls applied to the use of COVID app data by STHA
- Assessment 4 – Compliance of the DSA with data handling, retention and deletion requirements under Part VIIIA
- Assessment 5 – Compliance of the DSA with the deletion and notification requirements in Part VIIIA which relate to the end of the COVIDSafe data period.
The COVIDSafe System refers to the system comprising the COVIDSafe app, the NCDS, the Health Official Portal and the technological, administrative and legal measures which ensure the effective operation of the system and its compliance with applicable legislation.
The COVIDSafe System has been described in detail in COVIDSafe Assessment 1: National COVIDSafe Data Store Access Controls.
The Minister for Health and Aged Care, the Hon Mark Butler MP, determined that on 16 August 2022 the use of COVIDSafe was no longer required to prevent or control the entry, emergence, establishment or spread of COVID‑19 into Australia or any part of Australia.
After this determination, the OAIC conducted Assessment 5 which examined the compliance of the Commonwealth Department of Health and Aged Care, as Data Store Administrator, with the COVID app data deletion and notification requirements in the Privacy Act. We found it complied with its obligations.
Part VIIIA of the Privacy Act was repealed on 14 November 2022.
 STHA refers to either singular State or Territory Health Authority or plural State and Territory Health Authorities, depending on context.
 As of 1 February 2021, the Department of Health and Human Services was separated into two new departments: the Department of Health (DH) and the Department of Families, Fairness and Housing (DFFH).