As the COVID-19 pandemic has evolved, the Australian Federal Government has been quick to respond with measures to keep the public informed and to reduce the spread, first with an app designed to keep people up to date with official information on COVID-19 and now with the release of its contact tracing app, CovidSafe (app). However, the introduction of the app has raised some concerns: on one hand, the app has been praised as a timely response to track and monitor the spread of COVID-19; on the other, it has been challenged as an app with the potential to erode the data privacy of Australians.
What does the CovidSafe app do?
CovidSafe uses location data to identify people who have been in contact with a mobile phone owner who has tested positive for COVID-19.
CovidSafe works by using ‘contact tracing’ through recognising other devices with the app installed and Bluetooth enabled. When another user is recognised, the app notes the date, time, distance and duration of the contact and the other user’s reference code. Location data is used to facilitate this but it is not collected at this time.
What does CovidSafe collect?
When CovidSafe is downloaded, the following information must be input:
- name (which does not need to be your real name);
- mobile number;
- age range; and
While the collection of this information is considered necessary for effective contact tracing, the app has been met with resistance and opposition from members of the public over the lack of transparency and certainty as to the use of their data. Now more than ever, people want to know how their data will be used, who will access it and to whom it will be disclosed.
The power to collect personal information
Under Australian Privacy Principle (APP) 3, a government agency may only collect personal information that is reasonably necessary for, or directly related to, one or more of its functions or activities. However, as coronavirus has been declared a state of emergency by the Federal Government, the ‘emergency provisions’ of the Biosecurity Act 2015 (Cth) (Biosecurity Act) and Part VIA of the Privacy Act 1988 (Cth) come into play. While a Determination by the Minister for Health under the Biosecurity Act makes specific rules in relation to CovidSafe, the Privacy Act continues to apply except to the extent that it is inconsistent with the Determination.
The Biosecurity Act Determination
Under the Biosecurity Act, the Minister for Health was able to exercise the power to make the Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency requirements – Public Health Contact Information) Determination 2020 (Determination), which effectively enables the rollout of CovidSafe.
The Determination creates a suite of rules in relation to the app, including that the collection and disclosure of data from the app may only occur for the purpose of contact tracing. The Determination also states that the app may only store data from other devices for a period of 21 days, whilst all other data will be retained in the National CovidSafe Data Store until the pandemic is over. To reinforce these rules and protections, the Government has released the Privacy Amendment (Public Health Contact Information) Bill 2020, which will enshrine these protections in primary legislation and amend the Privacy Act.
The Privacy Act
Section 80P of the Privacy Act relates to the handling of personal information in emergencies and disasters, and states that when an emergency declaration has been made, an entity may:
“collect, use or disclose personal information relating to an individual if:
(a) the entity reasonably believes that the individual may be involved in the emergency or disaster; and
(b) the collection, use or disclosure is for a permitted purpose in relation to the emergency or disaster…”
What constitutes a permitted purpose is broad in scope and includes a purpose that directly relates to the Commonwealth’s response to an emergency. As guidance, section 80H of the Privacy Act gives a cross section of examples of what could be considered a permitted purpose, which includes but is not limited to:
- “assisting individuals involved in the emergency or disaster to obtain services such as repatriation services, medical or other treatment, health services and financial or other humanitarian assistance;”
- “assisting with law enforcement in relation to the emergency or disaster”; and/or
- “coordination or management of the emergency or disaster”
Given that the definition of permitted purpose is broad in scope, the collection of data through the app as outlined in the Determination would be considered a permitted purpose under section 80P. The imminent amendments to the Privacy Act designed to build upon the Determination will set out in clear terms how the app is to be used and for what purposes.
What limits are there on the information collected through the app?
To limit the overall reach of the emergency provisions of the Privacy Act, it is an offence to disclose information received under Part VIA in a way not permitted by other provisions in the Privacy Act (s 80Q).
One important APP under the Privacy Act in the context of CovidSafe is APP 11, which states that an APP entity must destroy or de-identify personal information when it is no longer required for the purpose for which it was collected. However, the waters around whether data must be destroyed or de-identified become murky if the personal information in question is contained in a Commonwealth Record (as defined in the Archives Act 1983 (Cth) (Archives Act)). When it comes to Commonwealth Records, agencies are not required to destroy or de-identify the personal information, even if the personal information collected is no longer required for any purpose for which it may be used or disclosed under the APPs. Instead, agencies are required to comply with the provisions of the Archives Act in relation to Commonwealth Records.
To combat the concerns around the information from the app forming part of a Commonwealth Record, section 7(5) of the Determination imposes an obligation on the Federal Government to delete its records of the CovidSafe app and the data from the app which have been uploaded once the pandemic has concluded. Importantly, this requirement will override any other requirement that the data be archived.
Looking to the GDPR
The outbreak of COVID-19 and the concerns surrounding CovidSafe have emphasised the importance of data privacy in Australia. Calls are emerging for Australia to revamp its privacy framework to reflect a higher standard of privacy protection, such as that under the European Union’s General Data Protection Regulation (GDPR).
One integral component of the GDPR is the ‘right to be forgotten’, otherwise known as the right of erasure, which gives EU citizens the power to demand that data held about them is deleted (Art 17). If Australia adopts a similar regime, this means that individuals may potentially request deletion of all the data collected from the app about them at any time, instead of having the data retained by the Government until the end of the pandemic.
While the right to be forgotten will likely offer individuals an increased sense of comfort and control over their data, it’s important to note that the right to be forgotten in the GDPR does not come without its limits. For example, it is limited when it conflicts with the right of freedom of expression and information or if the data subject to an erasure request is:
- necessary to comply with legal obligations or defend legal claims;
- required for scientific or historical research purposes or statistical purposes; or
- required for archiving purposes in the public interest.
Whether or not Australia moves to a more comprehensive privacy framework similar to the GDPR in the long term, it is critical that any short-term measures to respond to COVID-19 which involve the collection and handling of personal information are designed and implemented with appropriate privacy safeguards.
The collection of data through CovidSafe has raised significant concerns in the community that this sort of technology may enable the Government to monitor the movements of Australians without limits. As we work towards flattening the curve, privacy must be considered holistically and weighed against the importance of public health. This means that CovidSafe and any other tools and measures introduced by the Government to address the current public health crisis need to be carefully considered. Data privacy under these measures must be treated as a key component in the larger ecosystem of rights and obligations. Treatment of personal data in other jurisdictions, such as the EU, will offer helpful guidance on appropriate standards of privacy protection.