Privacy update on the COVIDSafe app

19 August 2022

The Minister for Health and Aged Care (the Minister) has determined that the COVIDSafe app is no longer required to prevent or control the entry, emergence, establishment or spread of COVID-19 in Australia.

The determination commenced on 16 August.

The purpose of a determination

A legal framework of privacy protections was established in 2020 under Part VIIIA of the Privacy Act 1988 (the Privacy Act) to protect COVID app data.

This includes a requirement for a determination to be made once the Minister is satisfied that the COVIDSafe app is no longer required or likely to be effective in preventing or controlling the spread of COVID-19 in Australia.

The Minister received a recommendation from the Commonwealth Chief Medical Officer, supporting the decision to end the COVID app data period, as required by the Privacy Act.

What happens now that a determination has been made

The National COVIDSafe Data Store administrator (the Department of Health and Aged Care):

  • must not collect any COVID app data, and
  • must not make the COVIDSafe app available to be downloaded.

As soon as reasonably practicable after the commencement of the determination, all COVID app data must be deleted from the National COVIDSafe Data Store (NCDS).

The Department of Health and Aged Care is currently in the process of ensuring that all COVID app data collected from users is deleted from the NCDS and no COVID app data will be retained.

The Department of Health and Aged Care will advise COVIDSafe app users that COVID app data can no longer be collected through the app, and that users should uninstall the app from their devices.

Once all COVID app data has been deleted from the NCDS, COVIDSafe app users will be informed that this has occurred through updates to the Department of Health and Aged Care’s COVIDSafe website.

What does this mean for COVIDSafe app users?

Individuals who have downloaded the COVIDSafe app and who registered as a user do not need to take any steps to ensure their COVID app data is deleted from the NCDS.

The Department of Health and Aged Care will ensure that any data that was collected from users of the COVIDSafe app will be permanently deleted.

However, during decommissioning, COVIDSafe app users may receive push notifications and SMS texts informing them that the COVIDSafe app is no longer in use and encouraging them to uninstall the app from their devices. Uninstalling the COVIDSafe app will ensure that COVID app data is deleted from an individual’s personal device.

Individuals are encouraged to follow advice from the Department of Health and Aged Care in relation to uninstalling the app from their device.

Importantly, this process relates specifically to the COVIDSafe app and does not impact on other, ongoing public health measures in relation to COVID-19 – for example, other contact tracing processes or requirements to provide personal information to support the ongoing public health response.

Privacy oversight

The Office of the Australian Information Commissioner (OAIC) has an independent oversight function of the COVIDSafe app under the Privacy Act and is actively monitoring and regulating compliance with important privacy protections.

The OAIC is empowered to conduct assessments to ensure that the privacy protections in Part VIIIA of the Privacy Act are being complied with.

The OAIC will undertake an assessment to provide assurance that the COVIDSafe app information management requirements have been met following the Minister’s determination.