30 November 2022

The Office of the Australian Information Commissioner (OAIC) has published its final six‑monthly COVIDSafe privacy report and completed its COVIDSafe assessment program, which examined compliance and risk throughout the ‘information lifecycle’ of COVID app data.

The regular reports showed the OAIC did not receive any complaints or data breach notifications with regard to the COVIDSafe system.

The Minister for Health and Aged Care determined on 16 August 2022 that COVIDSafe was no longer required to prevent or control the entry, emergence, establishment or spread of COVID-19 in Australia.

Australian Information Commissioner and Privacy Commissioner Angelene Falk said the strict privacy protections enshrined in law in May 2020 to protect COVID app data had worked effectively.

“As we said at the outset, legislation provides the strongest form of protection to codify privacy safeguards and give Australians confidence in the protection of their personal information within the COVIDSafe system,” she said.

The OAIC’s last two assessments covered:

  • the access controls applied to COVID app data by state and territory health authorities
  • the compliance of the Department of Health and Aged Care as the National COVIDSafe Data Store Administrator with the deletion and notification requirements for the end of the COVIDSafe data period under section 94P of the Privacy Act 1988.

The assessment found the Department of Health and Aged Care had deleted all COVID app data from the National COVIDSafe Data Store in accordance with legislative requirements.

Note to editors

  • On 16 May 2020, the OAIC was granted additional functions and powers in relation to COVIDSafe under Part VIIIA of the Privacy Act.
  • Part VIIIA expanded the Commissioner’s regulatory oversight role to apply to state and territory health authorities, to the extent that they dealt with COVID app data. It enhanced the Commissioner’s role in dealing with eligible data breaches and conducting assessments and investigations in relation to COVIDSafe and COVID app data. It enabled the Commissioner to refer matters to, and share information or documents with, state or territory privacy authorities. It also applied the Privacy Act’s rules and privacy protections and Commonwealth oversight to state and territory health authorities in relation to COVID app data.
  • Section 94ZB of the Privacy Act required the OAIC to report every six months on the performance of the Commissioner’s functions and the exercise of her powers under or in relation to Part VIIIA.