COVIDSafe Report May–November 2021

Report under Part VIIIA of the Privacy Act 1988

15 December 2021

About this report

The Australian Government launched the voluntary COVIDSafe app (COVIDSafe) on 27 April 2020.

On 16 May 2020, the Office of the Australian Information Commissioner (OAIC) was granted additional functions and powers in relation to COVIDSafe under Part VIIIA of the Privacy Act 1988.

The object of Part VIIIA is to assist in preventing and controlling the entry, emergence, establishment or spread of COVID‑19 into or within Australia by providing stronger privacy protections for COVID app data and COVIDSafe users in order to:

  1. encourage public acceptance and uptake of COVIDSafe, and
  2. enable faster and more effective contact tracing.

Part VIIIA expands the Commissioner’s regulatory oversight role to apply to state and territory health authorities, to the extent that they deal with COVID app data.

It enhances the Commissioner’s role in dealing with eligible data breaches and conducting assessments and investigations in relation to COVIDSafe and COVID app data. It enables the Commissioner to refer matters to, and share information or documents with, state or territory privacy authorities. It also applies the Privacy Act’s rules and privacy protections and Commonwealth oversight to state and territory health authorities in relation to COVID app data.

In accordance with section 94ZB of the Privacy Act, this report sets out the performance of the Commissioner’s functions and the exercise of the Commissioner’s powers under or in relation to Part VIIIA.

This report covers the period 16 May to 15 November 2021.

Executive summary

The Commissioner has an independent oversight function for the COVIDSafe system under the Privacy Act and is actively monitoring and regulating compliance. The Commissioner has powers to:

covid exec summary

During the reporting period 16 May to 15 November 2021, the OAIC received 15 enquiries about the COVIDSafe system.

We progressed the COVIDSafe Assessment Program, finalising 2 assessments.

The OAIC also developed new guidance about COVID-19 check-in apps that included information about COVIDSafe, and promoted our existing guidance about the COVIDSafe system.

The Commissioner was not required to exercise her powers in relation to complaints, investigations, Commissioner-initiated investigations, information sharing and data breaches.

Commissioner’s powers

The OAIC’s first COVIDSafe report detailed the Commissioner’s powers in relation to the COVIDSafe system.

During the reporting period of 16 May to 15 November 2021, the following matters were recorded in relation to Part VIIIA:

Table 1 — Number of matters related to the COVIDSafe system

Regulatory function

Number

Enquiries received

15

Complaints received

0

Investigations

0

Commissioner-initiated investigations

0

Information sharing

0

Assessments finalised

2

Assessments underway

2

Data breach notifications received

0

COVIDSafe guidance and advice

During the reporting period, the OAIC published new guidance – the COVID-19 check-in apps privacy FAQs – to address the differences between privacy protections for the COVIDSafe system and various check-in apps.

We continued to promote our existing COVIDSafe guidance to increase awareness and understanding of the system’s privacy protections and entities’ obligations under the Privacy Act.

Enquiries

The OAIC received 15 enquiries about the COVIDSafe system during the reporting period, including 13 from individuals, one from a private organisation and one from a government agency.

We provided general information in response to 9 enquiries and provided assistance on how to make a complaint in response to 6 enquiries.

Figure 1 – Enquiries about the COVIDSafe system received by month – May–November 2021

covid exec summary

Figure 1 long text description

Types of enquiries

General enquiries or concerns about COVIDSafe

We received 8 enquiries raising general issues or concerns about the COVIDSafe system, including:

  • an enquiry seeking clarification about the difference between how COVIDSafe and state and territory government check-in apps are regulated
  • an enquiry about our COVIDSafe privacy assessments.
Request to download or use COVIDSafe

We received 7 enquiries about a request to download or use COVIDSafe, including:

  • an enquiry about whether the COVIDSafe app is voluntary
  • an enquiry from an individual asking if their employer could require employees to download COVIDSafe.

Figure 2 – Types of enquiries about the COVIDSafe system received May–November 2021

covid exec summary

Figure 2 long text description

Assessments

We detailed our COVIDSafe Assessment Program in the first COVIDSafe report. During the period covered by this report, the OAIC:

Summary of COVIDSafe assessments 1 and 3

Assessment 1

Assessment 1 examined the access controls applied to the National COVIDSafe Data Store by the Data Store Administrator. The final report for assessment 1 was published on 25 June 2021.

The assessment found the Commonwealth Department of Health (Health) and the Digital Transformation Agency (DTA) are taking reasonable steps, in accordance with Australian Privacy Principle (APP) 11, to secure personal information held in the Data Store. The assessment also found Health and the DTA are complying with the data handling provisions under Part VIIIA of the Privacy Act that relate to the Data Store.

The assessment identified 4 medium and 2 low privacy risks associated with COVIDSafe, the Data Store and the Health Official Portal relating to:

  • documentation of key governance systems and practices
  • documentation and delivery of training in relation to the handling of COVID app data
  • access security, in particular, documentation relating to logical access controls applied to the Data Store.

The OAIC made 4 recommendations and 2 suggestions to address these privacy risks, which Health and the DTA accepted in full.

Assessment 3

Assessment 3 focused on the functionality of COVIDSafe against specified privacy protections set out under the COVIDSafe privacy policy and collection notices, and against the requirements of Part VIIIA. The final report for assessment 3 was published on 25 October 2021.

The assessment found the Australian Government, represented by Health and the DTA:

  • has a clearly expressed and up-to-date privacy policy for COVIDSafe that meets the requirements of APP 1
  • is taking reasonable steps to inform COVIDSafe users of the collection of COVID app data at the time of collection via a collection notice that complies with the requirements of APP 5.

The OAIC made 2 recommendations to address medium privacy risks relating to the need for an appropriate collection notice available at or before the collection of personal information from individuals making requests to have their registration information deleted from the Data Store. The OAIC also made 6 suggestions to address low privacy risks relating to the COVIDSafe privacy policy and collection notice and compliance with APPs 1 and 5.

At the time of consultation for the assessment report, the responsibility for the administration of COVIDSafe and the Data Store was being transitioned from the DTA to Health. Consequently, Health responded on behalf of both agencies, accepting all recommendations and suggestions in full.

Inspector-General of Intelligence and Security COVIDSafe report

The Inspector-General of Intelligence and Security assists ministers in overseeing and reviewing the legality and propriety of the activities of 6 of Australia’s intelligence and security agencies, including their compliance with Part VIIIA of the Privacy Act. These agencies are:

  • Australian Security Intelligence Organisation
  • Australian Secret Intelligence Service
  • Australian Signals Directorate
  • Australian Geospatial-Intelligence Organisation
  • Defence Intelligence Organisation
  • Office of National Intelligence.

The Inspector-General has reviewed the agencies’ compliance with Part VIIIA between 16 May and 15 November 2021 and provided an unclassified report for the Commissioner to consider in preparing this report.

The report notes:

  • There is no evidence that any agency has deliberately targeted or decrypted, accessed or used any COVID app data.
  • Incidental collection in the course of the lawful collection of other data has occurred (and is permitted by the Privacy Act). IGIS found the agencies have appropriate policies and procedures in place regarding any incidental collection of COVID app data and are adhering to them. Agencies are taking reasonable steps to quarantine and delete such data as soon as practicable after becoming aware it has been collected.
  • IGIS has not received any complaints or public interest disclosures about COVID app data.

The IGIS report is provided as Attachment A to this report and is also published on the IGIS website.

Glossary

Term

Definition

Australian Privacy Principles (APPs)

The APPs are the cornerstone of the privacy protection framework in the Privacy Act 1988. They apply to any organisation or agency the Privacy Act covers.

There are 13 APPs and they govern standards, rights and obligations around:

  • the collection, use and disclosure of personal information
  • an organisation or agency’s governance and accountability
  • integrity and correction of personal information
  • the rights of individuals to access their personal information.

Contact tracing

Section 94D(6): The process of identifying persons who have been in contact with a person who has tested positive for the coronavirus known as COVID‑19, and includes:

(a)      notifying a person that the person has been in contact with a person who has tested positive for the coronavirus known as COVID‑19; and

(b)     notifying a person who is a parent, guardian or carer of another person that the other person has been in contact with a person who has tested positive for the coronavirus known as COVID‑19; and

(c)      providing information and advice to a person who:

(i)        has tested positive for the coronavirus known as COVID‑19; or

(ii)      is a parent, guardian or carer of another person who has tested positive for the coronavirus known as COVID‑19; or

(iii)   has been in contact with a person who has tested positive for the coronavirus known as COVID‑19; or

(iv)   is a parent, guardian or carer of another person who has been in contact with a person who has tested positive for the coronavirus known as COVID‑19.

COVID app data

Section 94D(5): Data relating to a person that:

(b)     has been collected or generated (including before the commencement of this Part) through the operation of COVIDSafe; and

(c)      either:

(i)        is registration data; or

(ii)      is stored, or has been stored (including before the commencement of this Part), on a communication device.

However, it does not include:

(d)     information obtained, from a source other than directly from the National COVIDSafe Data Store, in the course of undertaking contact tracing by a person employed by, or in the service of, a State or Territory health authority; or

(e)      de‑identified statistical information about the total number of registrations through COVIDSafe that is produced by:

(i)        an officer or employee of the data store administrator; or

(ii)      a contracted service provider for a government contract with the data store administrator.

COVIDSafe app (COVIDSafe)

Section 6(1): An app that is made available or has been made available (including before the commencement of this Part), by or on behalf of the Commonwealth, for the purpose of facilitating contact tracing.

National COVIDSafe Data Store (Data Store)

Section 6(1): The database administered by or on behalf of the Commonwealth for the purpose of contact tracing.

National COVIDSafe Data Store Administrator (Data Store Administrator)

From 16 May 2020 to 26 September 2021, the Digital Transformation Agency (DTA) was the sole Data Store Administrator. Between 27 September and 4 October 2021, this function transitioned to the Department of Health (Health). From 5 October 2021, Health is the sole Data Store Administrator and the DTA no longer has access to COVID app data and information collected through COVIDSafe.

Long text descriptions

Figure 1 – Enquiries about the COVIDSafe system received by month – May–November 2021

Figure 1 is a column chart showing the number of enquiries received by month in May to November 2021.

Month

Enquiries received

May

3

June

5

July

4

August

0

September

1

October

2

November

0

Back to Figure 1

Figure 2 – Types of enquiries about the COVIDSafe system received May–November 2021

Figure 2 is a doughnut chart showing the types of enquiries about COVIDSafe received in May to November 2021.


Type of enquiry

Enquiries received

Request to download or use COVIDSafe

47% (7)

General enquiry or concern about COVIDSafe

53% (8)

Back to Figure 2