Publication date: 30 November 2022

Part 1: Executive summary

1.1 This report outlines the findings of the Office of the Australian Information Commissioner’s (OAIC) privacy assessment of the handling of COVID app data after the end of the COVIDSafe data period.[1]

1.2 The purpose of this assessment was to assess whether the Department of Health and Aged Care (Health) as the Data Store Administrator (DSA) met the following obligations under section 94P[2] of the Privacy Act 1988 (Cth):

  • after the end of the day determined under s 94Y(1) of the Privacy Act, the DSA must not collect any COVID app data or make the COVIDSafe application available to be downloaded, in accordance with s 94P(1)
  • as soon as reasonably practicable after the end of the day determined under s 94Y(1), the DSA must delete all COVID app data from the National COVIDSafe Data Store (NCDS), in accordance with s 94P(2)
  • as soon as reasonably practicable after the deletion, the DSA must:
    • inform the Health Minister and the Commissioner that all COVID app data has been deleted from the NCDS, and
    • take all reasonable steps to inform all COVIDSafe users (other than former COVIDSafe users) in relation to communication devices that:
      • all COVID app data has been deleted from the NCDS, and
      • COVID app data can no longer be collected, and
      • they should delete COVIDSafe from their communication devices
      in accordance with s 94P(3).

1.3 The assessment found that Health has complied with the requirements of ss 94P(1) and (2), and has partially complied with s 94P(3).

1.4 The OAIC has made 2 suggestions to address identified privacy risks. The suggestions and Health’s responses are outlined in Parts 3 and 4 of this report.

Part 2: Introduction

Background

2.1 The COVIDSafe System, COVIDSafe legislative framework and the role of the OAIC have been described in detail in previous COVIDSafe assessments.[3] Further information on the COVIDSafe legislative framework and role of the OAIC can be found in Appendices B and C.

2.2 The NCDS is a cloud-based storage solution for information collected or generated using the COVIDSafe app. As of 5 October 2021, the NCDS is maintained by Health, as the DSA, and is hosted by Amazon Web Services (AWS).

2.3 COVID app data is data relating to any individual which is collected or generated through the operation of the COVIDSafe app and is either registration data,[4] or is (or has been) stored on a communication device such as a mobile phone.

End of the COVIDSafe data period

2.4 The obligations under s 94P of the Privacy Act commence after the end of the day determined by the Health Minister under s 94Y(1).

2.5 The Privacy (Public Health Contact Information) (End of the COVIDSafe data period) Determination 2022 was made on July 31 2022[5] by the Minister for Health and Aged Care and came into effect on 16 August 2022. This is referred to as the end of the COVIDSafe data period.

Part 3: Findings

3.1 This assessment has found that the DSA complied with most aspects of s 94P of the Privacy Act.

3.2 Our findings for each requirement of s 94P of the Privacy Act are outlined below, followed by suggestions to address identified privacy risks.

Paragraph 94P(1)(a) – Ceasing collection of COVID app data

3.3 Paragraph 94P(1)(a) requires that the DSA must not collect any COVID app data or make the COVIDSafe app available to be downloaded after the end of the day determined under s 94Y(1).

3.4 The OAIC is satisfied that Health has complied with its obligations under s 94P(1). This is based on the following findings:

  • Health provided evidence demonstrating that the last registration occurred on the final day of the COVIDSafe data period (16 August 2022).[6]
  • The connection between an individual’s communication device and the NCDS was also switched off at this point, which prevents new registrations being loaded into the NCDS.[7] The Health Official Portal (HOP) was decommissioned at this stage, which had the effect of not allowing COVID app data to be uploaded to the NCDS.[8]

3.5 The technological process that Health used to meet its obligations under s 94P(1) included releasing a new version of the COVIDSafe app that effectively removed functionality from the app.[9] The OAIC notes that if a COVIDSafe user had not updated the app, it would still appear to be active to that user when it is not.

3.6 While users of the version of the COVIDSafe app that has not been updated may perceive the app to be active, it is apparent that data relating to periods after the COVIDSafe data period is no longer being uploaded into the NCDS. This is because the connection between the COVIDSafe user and the NCDS has been switched off and the HOP has been decommissioned which prevents access to the NCDS.

Paragraph 94P(1)(b) – Not making COVIDSafe available for download

3.7 Paragraph 94P(1)(b) of the Privacy Act creates an obligation for the DSA to no longer make the COVIDSafe app available for download after the end of the day determined under s 94Y(1).

3.8 The assessment found that Health is compliant with its obligations under s 94P(1)(b) as Health provided evidence that the app was no longer available for download on the Apple App Store and the Google Play Store from 16 August 2022.

3.9 While the listing of the app has been removed, it appears that former COVIDSafe users[10] may be able to redownload the app even though it is no longer made available on either the Apple App Store or the Google Play Store. However, when the app was decommissioned, Health released an updated version of the app (which Health identified as the ‘dead’ version of the app) advising users that the COVIDSafe app was no longer being used to assist health officials with contact tracing and instructing users to uninstall the app. A COVIDSafe user who redownloads the app would download the dead version of the app.

3.10 The assessment also identified that the COVIDSafe app may still be downloaded on Android devices via ‘sideloading’ which occurs when users are able to download the app via third-parties. During fieldwork Health informed the OAIC that sideloading should not be possible as Health had not authorised Google to permit third-party stores to download the app. Additionally, Health advised the OAIC that they have consulted with their internal Information Technology Security Advisor who advised that because the back end of the COVIDSafe app has been decommissioned and that it can no longer collect data, they consider that the risk of malicious activity is low.

3.11 As Health have not authorised any third party stores to permit sideloading, the OAIC is satisfied that Health is no longer making the COVIDSafe app available for download in accordance with s 94P(1)(b). The OAIC is also satisfied that the privacy risk is low as the HOP has been decommissioned and the NCDS is not capable of collecting COVID app data through these apps, should they exist. However, the OAIC suggests that Health continue to engage with Google to ensure the COVIDSafe app is not subject to sideloading.

Key finding

The Data Store Administrator ceased collecting COVID app data and did not make the COVIDSafe app available to download as of 16 August 2022.

Suggestion 1

The OAIC suggests that the Data Store Administrator should continue to engage with Google regarding ‘sideloading’ of the COVIDSafe app to prevent the COVIDSafe app from being available via these means.

Subsection 94P(2) – Deleting COVID app data from the NCDS

3.12 Subsection 94P(2) requires that as soon as reasonably practicable after the end of the day determined under s 94Y(1), the DSA must delete all COVID app data from the NCDS.

3.13 The assessment found that Health has deleted all COVID app data from the NCDS. This is because:

  • Health provided evidence that the NCDS and all back-up stores were deleted on 30 September 2022.
  • COVID app data that was deleted included registration data,[11] diagnostic information, encrypted ID and digital handshakes.[12]
  • Information on the NCDS that was not deleted consisted of aggregated data sets derived from the NCDS for reporting or statistical purposes, such as case data statistics. As this information is not COVID app data, it must be retained in accordance with the Archives Act 1983 (Cth).[13]

3.14 Deletion occurred 45 days after the date determined to be the end of the COVIDSafe period.

3.15 Subsection 94P(2) requires deletion to occur ‘as soon as practicable’. The meaning of this timeframe was considered in the context of the deletion requirement under s 94D(3) of Part VIIIA of the Privacy Act in the explanatory memorandum for Privacy Amendment (Public Health Contact Information) Bill 2020 (Cth) (the Bill). The explanatory memorandum stated that this timeframe provides an appropriate degree of flexibility in cases where there may be compelling reasons not to delete the COVID app data immediately, while still reflecting the expectation that the COVID app data will be deleted in a timely fashion.[14] The OAIC considers these comments to also be relevant when interpreting this requirement under s 94P(2).

3.16 The assessment found that Health has complied with its obligations by deleting the data within the timeframe specified in s 94P(2). This is because:

  • while the determination to end the COVIDSafe data period was at the discretion of the Health Minister, Health advised the OAIC during fieldwork that they had taken proactive steps in advance of this determination to plan for the deletion of COVID app data and decommissioning of the COVIDSafe app.
  • the NCDS contained both COVID app data and non-COVID app data. Health advised the OAIC that as part of the decommissioning process, they engaged with both the internal legal and records management teams to ensure that they met their obligations under s 94P of the Privacy Act and the requirements of the Archives Act. Health sought legal advice regarding the concurrent obligations under the Privacy Act to delete all COVID app data and the prohibitions in the Archives Act against deleting Commonwealth records unless required by law. As described above, this process ensured that data that was considered COVID app data was identified and subsequently deleted, and data that was not considered COVID app data was retained and will be archived in accordance with the Archives Act.
  • the COVIDSafe program was a major government project involving multiple layers of governance. In this context, it was appropriate to take a careful approach to the deletion of COVID app data.

3.17 For the above reasons, the assessment found that Health complied with its obligations under s 94P(2).

Key finding

All COVID app data was deleted from the National COVIDSafe Data Store as soon as reasonably practicable.

Subsection 94P(3) – Notification requirements

3.18 Subsection 94P(3) requires that, as soon as reasonably practicable after the deletion, the DSA must:

  • inform the Health Minister and the Commissioner that all COVID app data has been deleted from the NCDS
  • take all reasonable steps to inform all COVIDSafe users (other than former COVIDSafe users) in relation to communication devices that all COVID app data has been deleted from the NCDS, COVID app data can no longer be collected and that they should delete COVIDSafe from their communication devices.

Informing the Health Minister and Commissioner

3.19 This assessment found that Health has met its obligations under s 94P(3)(a) of the Privacy Act on the basis that:

  • Health informed the Health Minister of the deletion of COVID app data from the NCDS via letter on 18 October 2022 (19 days after deletion)
  • Health informed the Commissioner of the deletion of COVID app data from the NCDS via letter on 12 October 2022 (13 days after deletion).

3.20 Health advised the OAIC that processes to comply with these obligations commenced directly after deletion of COVID app data, and that the periods taken to notify the Health Minister and Commissioner respectively were due to internal clearance timeframes when preparing these communications.

3.21 The OAIC considers that these timeframes are compliant with the requirements under s 94P(3)(a) and are as soon as reasonably practicable after the deletion.

Informing COVIDSafe users

3.22 Paragraph 94P(3)(b) requires Health to take all reasonable steps to inform all COVIDSafe users of the matters referred to in paragraph 3.18 above.

3.23 The explanatory memorandum to the Bill states that this obligation is intended to permit the notification requirement to be met through a broad range of communication activities, such as public announcements and related communications activities.[15]

3.24 During fieldwork, Health advised the OAIC that they prepared a detailed communication plan to inform users that the COVIDSafe app was being decommissioned. Prior to and after the deletion of data from the NCDS, Health made a number of notifications to users concerning the deletion of COVID app data and encouraging users to delete the app using a range of communication channels:

  • Prior to deletion, these included announcements from the Minister, media articles and an update to the app to include an in-app notice that it is no longer used by the Commonwealth to support contact tracing efforts. There have also been push notifications to approximately 3.3 million COVIDSafe users and a limited number of SMS text messages (approximately 80,0000) sent to COVIDSafe app users. SMS text messages were sent to COVIDSafe app users identified to have older legacy versions of COVIDSafe that were unable to receive in-app push notifications.
  • Following the deletion, the Health and COVIDSafe websites were updated to advise the public of the deletion of the data. Health stated that as COVID app data was required to send SMS text messages or in-app push notifications, it was unable to communicate directly to COVIDSafe users after deletion of all COVID data from the NCDS.

3.25 These communications also occurred at a time of very low activity in the COVIDSafe System. For example, from 16 November 2021 to 15 May 2022, there were no uploads by COVIDSafe users who tested positive to COVID-19.[16]

3.26 In this context, given the various communication channels used by Health and noting the inability to directly communicate with COVIDSafe users after deletion of COVID app data had occurred, the OAIC is satisfied that Health has taken all reasonable steps to communicate with COVIDSafe users.

3.27 However, s 94P(3)(b) requires 3 specific matters to be communicated to COVIDSafe users:

  • all COVID app data has been deleted from the NCDS, and
  • COVID app data can no longer be collected, and
  • they should delete COVIDSafe from their communication devices.

3.28 The assessment found that Health appropriately informed COVIDSafe users that all COVID app data has been deleted and users should delete the app.

3.29 With the exception of messaging in the ‘dead app’, however, Health’s communications did not address the requirement at s 94P(3)(b)(ii) that users should be advised that COVID app data can no longer be collected.

3.30 Accordingly, the assessment found that Health has partially complied with the requirements of s 94P(3).

3.31 We consider that this raises a low privacy risk given our findings above that COVID app data is no longer in fact being collected in the NCDS. The OAIC suggests that Health address this risk by updating its website communications to address this matter.

Key finding

The Data Store Administrator informed the Commissioner and the Minister that all COVID app data has been deleted as soon as reasonably practicable. The Data Store Administrator took all reasonable steps to advise COVIDSafe users that all COVID app data has been deleted from the National COVIDSafe Data Store and they should delete COVIDSafe from their communication devices. The Data Store Administrator did not take all reasonable steps to advise COVIDSafe users that data can no longer be collected.

Suggestion 2

The OAIC suggests that the Data Store Administrator, as soon as reasonably practicable, take all reasonable steps to notify COVIDSafe users in accordance with subpara 94P(3)(b)(ii). This could include updating website communications informing users of the relevant matters under para 94P(3)(b).

Part 4: Suggestions and responses

Suggestion 1

OAIC suggestion

4.1 The OAIC suggests that the Data Store Administrator should continue to engage with Google regarding ‘sideloading’ of the COVIDSafe app to prevent the COVIDSafe app from being available via these means.

Stakeholder response to the Suggestion

4.2 The Department agrees with this suggestion.

The Department engaged with Google and was advised sideloading bypasses the Google platform and they cannot eliminate the issue nor prevent the App from being available via means outside of the Google Play Store. The Department has carried out all possible other risk mitigation activities on this issue including releasing a non-functional version of the App which has no ability to collect COVIDSafe data. The Department will continue to monitor developments by Google on the issue of sideloading.

Suggestion 2

OAIC suggestion

4.3 The OAIC suggests that the Data Store Administrator, as soon as reasonably practicable, take all reasonable steps to notify COVIDSafe users in accordance with subpara 94P(3)(b)(ii). This could include updating website communications informing users of the relevant matters under para 94P(3)(b).

Stakeholder response to the Suggestion

4.4 The Department agrees with this suggestion.

Users were informed that COVID app data was no longer collected via the COVIDSafe app. Information was provided throughout the deletion and decommission process to users via COVIDSafe web pages on COVIDSafe.gov.au and Health.gov.au, noting the COVIDSafe app was no longer being used and the Data Store Administrator must not allow any further information to be uploaded to the National COVIDSafe Data Store. There was an inferred assumption that, in no longer providing health officials with data for contact tracing, the data needed for this function was also not being collected.

The Department has made updates to website communication to specifically state COVID app data is/can be no longer collected.

Part 5: Description of assessment

Objective and scope of assessment

COVIDSafe Risks[17]

This assessment provides assurance that the Department of Health and Aged Care (Health) is effectively managing the following risk:

Any retention of personal information collected through the COVIDSafe app after the end of the COVID-19 pandemic in contravention of section 94P of the Privacy Act.

5.1 The objective of this assessment is to determine whether Health as the DSA has actioned its obligations to comply with the cessation of collection, deletion and notification requirements of section 94P of the Privacy Act. The scope is limited to the requirements in s 94P.

Timing, location and assessment techniques

5.2 The OAIC conducted both a risk-based and a compliance-based assessment under Part VIIIA of the Privacy Act.

5.3 Assessment 5 involved the following activities:

  • review of relevant policies, procedures, design and technical documentation provided by Health
  • fieldwork, which included interviewing key members of staff within Health during October 2022.

5.4 Where the OAIC identified privacy risks and considered those risks to be low risks, the OAIC made suggestions about how to address those risks. For more information about OAIC privacy risk ratings, refer to Appendix D of this report or the OAIC’s ‘Risk based assessments – privacy risk guidance’. Chapter 7 of the OAIC’s Guide to privacy regulatory action provides further detail on this approach.

5.5 The OAIC engaged PricewaterhouseCoopers (PwC) to assist with undertaking the COVIDSafe Assessment Program to provide independent assurance to Australian citizens that data in the COVIDSafe app is meeting legislative requirements. The OAIC considered PwC observations in preparing this report.

Appendix A: Section 94P of the Privacy Act

94P Obligations after the end of the COVIDSafe data period

  1. After the end of the day determined under subsection 94Y(1), the data store administrator must not:
    1. collect any COVID app data; or
    2. make COVIDSafe available to be downloaded.
  2. As soon as reasonably practicable after the end of the day determined under subsection 94Y(1), the data store administrator must delete all COVID app data from the National COVIDSafe Data Store.
  3. As soon as reasonably practicable after the deletion, the data store administrator must:
    1. inform the Health Minister and the Commissioner that all COVID app data has been deleted from the National COVIDSafe Data Store; and
    2. take all reasonable steps to inform all COVIDSafe users (other than former COVIDSafe users) in relation to communication devices that:
      1. all COVID app data has been deleted from the National COVIDSafe Data Store; and
      2. COVID app data can no longer be collected; and
      3. they should delete COVIDSafe from their communication devices.

Appendix B: COVIDSafe legislative framework

1.1 The personal information collected by the COVIDSafe app through the COVIDSafe System is protected by the following:

  • The Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements—Public Health Contact Information) Determination 2020 (Cth) (the Biosecurity Determination)
  • The Privacy Act, which includes:
    • The APPs
    • Part VIIIA – Public health contact information.

The Biosecurity Determination

1.2 The Biosecurity Determination was issued by the Minister for Health on 25 April 2020 under the Biosecurity Act 2015 (Cth) and was repealed on 16 May 2020 following commencement of the Privacy Amendment (Public Health Contact Information) Act 2020 (Cth) (Privacy Amendment Act).

1.3 The Biosecurity Determination included requirements for the collection, use and disclosure of COVID app data and was regulated by the Australian Federal Police, not the OAIC.

Privacy Act – the Australian Privacy Principles

1.4 The Privacy Act promotes and protects the privacy of individuals and regulates how APP entities, which includes Australian Government agencies and organisations, handle personal information.

1.5 The APPs at Schedule 1 of the Privacy Act are the cornerstone of the privacy protection framework in the Act. The 13 APPs govern standards, rights and obligations around:

  • the collection, use and disclosure of personal information
  • an organisation or agency’s privacy governance and accountability
  • the integrity and correction of personal information
  • the rights of individuals to access their personal information.

1.6 The APPs apply to any ‘personal information’ collected by Australian Government agencies in relation to the COVIDSafe System.

Privacy Amendment (Public Health Contact Information) Act 2020 (Privacy Amendment Act) and Part VIIIA of the Privacy Act

1.7 The Australian Government passed the Privacy Amendment Act on 14 May 2020 which amended the Privacy Act by inserting Part VIIIA – Public health contact information into the Privacy Act. Part VIIIA commenced on 16 May 2020.

1.8 Part VIIIA of the Privacy Act provides strong privacy protections for personal information collected through the COVIDSafe app. The Australian Information Commissioner (AIC) has an independent oversight function in relation to COVIDSafe under the Privacy Act and is actively monitoring and regulating compliance.

1.9 Specific privacy protections under Part VIIIA include:

  • section 94K: COVID app data not to be retained
  • section 94L: Deletion of registration data on request
  • section 94F: Effect of deletion of COVIDSafe from a communication device.

1.10 The provisions dealing with privacy protection are supported by procedural amendments which relate to or assist with oversight of the COVIDSafe System by the OAIC, including:

  • section 94T: expands the assessment power in s 33C to include assessments of whether the acts or practices of an entity or a STHA in relation to COVIDSafe data comply with Part VIIIA of the Privacy Act
  • section 94Y: provides the Minister for Health with the power to determine, by notifiable instrument, the end of the COVIDSafe data period
  • section 94ZB: requires the AIC to report on the performance of their functions and powers relating to Part VIIIA of the Privacy Act every six months
  • section 94ZC: provides that COVIDSafe data remains the property of the Commonwealth even after disclosure to and use by STHA.

Appendix C: Role of the OAIC

1.1 The new Part VIIIA of the Privacy Act has granted the AIC a range of additional proactive and reactive regulatory powers which support the AIC’s legislated responsibilities in relation to the privacy oversight of the COVIDSafe System.

1.2 The OAIC is undertaking five privacy assessments (the COVIDSafe Assessment Program) under ss 33C and 94T of the Privacy Act to proactively execute its oversight function in relation to the COVIDSafe System.

1.3 The five COVIDSafe privacy assessments (COVIDSafe Assessment Program) are:

  • Assessment 1 – Access controls applied to the Data Store by the DSA
  • Assessment 2 – Access controls applied to the use of COVID app data by State or Territory Health Authorities
  • Assessment 3 – Functionality of the COVIDSafe app against specified privacy protections set out under the COVIDSafe privacy policy and collection notices, and against the requirements of Part VIIIA
  • Assessment 4 – Compliance of the DSA with data handling, retention and deletion requirements under Part VIIIA
  • Assessment 5 – Compliance of the DSA with the deletion and notification requirements in Part VIIIA which relate to the end of the pandemic.

1.4 Each COVIDSafe Assessment targets different components of the COVIDSafe System, with the COVIDSafe Assessment Program designed to collectively follow the ‘information lifecycle’ of personal information collected by the Australian Government’s COVIDSafe app.

1.5 In undertaking the COVIDSafe Assessment Program, the OAIC seeks to provide independent assurance to Australians that personal information in the COVIDSafe app is being handled in accordance with Part VIIIA and the APPs.

1.6 The OAIC engaged PwC under s 24 of the Australian Information Commissioner Act 2010 (Cth) to assist the OAIC with the COVIDSafe Assessment Program. PwC worked jointly with OAIC staff to assist the AIC to conduct elements of the fieldwork for this assessment and provide independent assurance that access to COVID app data is meeting legislative requirements.

Appendix D: Privacy risk guidance

Privacy risk rating | Entity action required | Likely outcome if risk is not addressed

High risk

Entity must, as a high priority, take steps to address mandatory requirements of Privacy and related legislation

Immediate management attention is required

This is an internal control or risk management issue that if not mitigated is likely to lead to the following effects

  • Likely breach of relevant legislative obligations (for example, APP, TFN, Credit, privacy safeguard, Part VIIIA) or not likely to meet significant requirements of a specific obligation (for example, an enforceable undertaking)
  • Likely adverse or negative impact upon the handling of individuals’ personal information
  • Likely violation of entity policies or procedures
  • Likely reputational damage to the entity, such as negative publicity in national or international media
  • Likely adverse regulatory impact, such as Commissioner Initiated Investigation (CII), enforceable undertakings, material fines
  • Likely ministerial involvement or censure (for agencies)

Medium risk

Entity should, as a medium priority, take steps to address Office expectations around requirements of Privacy and related legislation

Timely management attention is expected

This is an internal control or risk management issue that may lead to the following effects

  • Possible breach of relevant legislative obligations (for example, APP, TFN, Credit privacy safeguard, Part VIIIA) or meets some (but not all) requirements of a specific obligation
  • Possible adverse or negative impact upon the handling of individuals’ personal information
  • Possible violation of entity policies or procedures
  • Possible reputational damage to the entity, such as negative publicity in local or regional media
  • Possible adverse regulatory impacts, such as Commissioner Initiated Investigation (CII), public sanctions (CII report) or follow up assessment activities
  • Possible ministerial involvement or censure (for agencies)

Low risk

Entity could, as a lower priority than for high and medium risks, take steps to better address compliance with requirements of Privacy and related legislation

Management attention is suggested

This is an internal control or risk management issue, the solution to which may lead to improvement in the quality and/or efficiency of the entity or process being assessed

  • Risks are limited, and may be within acceptable entity risk tolerance levels
  • Unlikely to breach relevant legislative obligations (for example, APP, TFN, Credit privacy safeguard, Part VIIIA)
  • Minimum compliance obligations are being met

Footnotes

[1] This assessment was conducted under para 33C(1)(a) of the Privacy Act 1988 (Cth), which allows the OAIC to assess whether an entity maintains and handles the personal information it holds in accordance with the Australian Privacy Principles (APPs).

This assessment was also conducted under s 94T(1) of the Privacy Act which extends s 33C to allow the OAIC to assess whether the acts or practices of an entity or a State or Territory authority in relation to COVID app data comply with Part VIIIA of that Act.

[2] See appendix 1 – Section 94P of the Privacy Act

[3] See COVIDSafe Assessment 1: National COVIDSafe Data Store Access Controls, COVIDSafe Assessment 3: COVIDSafe Application Functionality, Privacy Policy and Collection Notices and COVIDSafe Assessment 4: Retention, Destruction and Deletion of COVID App Data

[4] ‘Registration Data’ (a user’s registration information, including name (or pseudonym), age range, postcode and phone number) entered by COVIDSafe users is encrypted and stored in the NCDS. Digital handshakes may be uploaded to the NCDS, following a COVIDSafe user testing positive for COVID-19 and consenting to upload the data to the NCDS.

[5] The Privacy (Public Health Contact Information) (End of the COVIDSafe data period) Determination 2022.

[6] The registration process for a user to register to use COVIDSafe is set out in paras 2.9-2.16 of COVIDSafe Assessment 3: COVIDSafe application functionality, privacy policy and collection notices.

[7] Communication device is defined at s 6 of the Privacy Act as an item of customer equipment (within the meaning of the Telecommunications Act 1997).

[8] The process for accessing COVIDSafe data via the HOP is set out in paras 2.5 and 2.6 of COVIDSafe Assessment 3: COVIDSafe application functionality, privacy policy and collection notices

[9] The functionality of the COVIDSafe app is described at paras 2.3-2.6 of COVIDSafe Assessment 1: National COVIDSafe Data Store Access Controls

[10] Former COVIDSafe user is defined at s 94N(2) of the Privacy Act:

  • (2) A person is a former COVIDSafe user, in relation to a communication device, at a particular time if:
    • (a) COVIDSafe has been deleted from the device in relation to which the person was the COVIDSafe user; and
    • (b) after COVIDSafe was last deleted from that device—COVIDSafe has not been downloaded to that device.

[11] Under s 6 of the Privacy Act, Registration data, of a person, means the information about the person that was uploaded from a communication device when the person was registered through COVIDSafe

[12] The information exchanged in a ‘digital handshake’ is set out at paras 2.17 and 2.18 of COVIDSafe Assessment 3: COVIDSafe application functionality, privacy policy and collection notices.

[13] A definition of COVID app data is contained at s 94D(5) of the Privacy Act. Relevantly, para 94D(5)(d) states that COVID app data does not include:

  • (d) de‑identified statistical information about the total number of registrations through COVIDSafe that is produced by:
    • (i) an officer or employee of the data store administrator; or
    • (ii) a contracted service provider for a government contract with the data store administrator.

[14] Explanatory Memorandum, Privacy Amendment (Public Health Contact Information) Bill 2020 (Cth), [48].

This was also considered in relation to s 94L of the Privacy Act at paras 3.32-3.45 of COVIDSafe Assessment 4: retention, destruction and deletion of COVID app data where it was stated that the ‘as soon as practicable’ timeframe allows for an appropriate degree of flexibility, but does reflect an obligation to delete Registration Data as soon as reasonably possible and without undue delay.

[15] Explanatory Memorandum, Privacy Amendment (Public Health Contact Information) Bill 2020 (Cth), [121]

[16] Third report on the operation and effectiveness of COVIDSafe and the National COVIDSafe data Store (health.gov.au)

[17] COVIDSafe app risks as noted in the Department of Health and Aged Care COVIDSafe app Privacy Impact Assessment published 24 April 2020.