Wednesday, 13 May 2020
Page: 2195


Senator RUSTON (South Australia - Minister for Families and Social Services and Manager of Government Business in the Senate) (09:32): I move:

That this bill be now read a second time.

I seek leave to have the second reading speech incorporated in Hansard.

Leave granted.

The speech read as follows—

The Privacy Amendment (Public Health Contact Information) Bill 2020 will ensure that there are strong ongoing privacy protections to support the download, use and eventual decommissioning of the Australian Government's COVIDSafe app.

At release, COVIDSafe was supported by interim privacy protections contained in the Minister for Health's Determination under the Biosecurity Act 2015. Building on this, the purpose of this Bill is to:

1. Enshrine the privacy protections in the Determination into primary legislation by inserting a new Part into the Privacy Act 1988

2. Give the Australian Information Commissioner oversight of COVIDSafe app data, and

3. Introduce additional provisions that clarify protections in the Determination.

The Bill guarantees that the Australian public can have confidence that their privacy will be protected if they download and use COVIDSafe. An increase in the uptake of COVIDSafe will help States and Territories to trace outbreaks and combat the spread of COVID-19.

Background

To understand the Bill's privacy protections, it is first crucial to understand how COVIDSafe operates and handles personal information. You will also see that strong privacy protections have been built into the design of COVIDSafe, as it requires users to provide the minimal amount of information required for contact tracing, which is encrypted until it is required by Health officials.

COVIDSafe is a voluntary app developed by the Australian Government that was launched on 26 April 2020. COVIDSafe can be installed on Android and iOS personal devices to collect information to assist State and Territory health officials when they conduct contact tracing to combat the spread of COVID-19.

When a person downloads COVIDSafe, they are asked to register by entering a limited amount of personal information: a name or pseudonym, an age range, a mobile phone number and a postcode. Once verified by text message, this information is then uploaded in an encrypted form to the National COVIDSafe Data Store.

Once a user has registered, COVIDSafe works by using Bluetooth signals to record encrypted data about close contacts with other users and stores this locally on their device. If this data is not uploaded to the National COVIDSafe Data Store, it is deleted on a rolling 21-day basis. Unlike manual contact tracing, COVIDSafe can record close contacts who are not known to the user - for example, people who sit near a user on the bus, at an event, or in line at the supermarket. When a COVIDSafe user tests positive for COVID-19, they will be contacted by a health official in their state or territory as part of the usual contact tracing process. When making contact, the health official will ask the person if they use COVIDSafe. If they do, the health official will send them a code by text message to enter in the app. If the code is entered, the user consents to uploading the encrypted data about their close contacts to the National COVIDSafe Data Store.

Once information about close contacts is uploaded, state and territory contact tracers can access this information to notify the positive user's close contacts that they may have been exposed to the coronavirus. From this point, contact tracers will inform people at risk of COVID-19 that they have been exposed, without identifying the infected app user. Contact tracers will step people at risk through what to do next, such as getting tested or self-isolating.

COVIDSafe has the potential to significantly speed up existing manual contact tracing processes, and in turn could accelerate the pace at which governments can ease restrictions while still keeping Australians safe.

Biosecurity declaration

The Australian public must have confidence that COVIDSafe protects their privacy for it to be used and highly effective in combating the spread of COVID-19. To this end, the Minister for Health, the Hon Greg Hunt MP, made a determination under the Biosecurity Act on 25 April 2020—before COVIDSafe's launch. This Determination provided strong interim privacy protections for data collected through COVIDSafe, prior to the passage of this Bill.

The Determination contains provisions that:

ensure that data from COVIDSafe is only used to support State and Territory health authorities' contact tracing efforts, and only to the extent required to do so

require that users must consent before data from their device can be uploaded to the National COVIDSafe Data Store

prevent data from COVIDSafe being retained outside of Australia, and protect against unauthorised disclosure outside of Australia

require all COVIDSafe data held in the National COVIDSafe Data Store to be deleted at the end of the COVID-19 pandemic

protect against decryption of COVIDSafe data stored on users' devices, and

provide that no one can be forced to download or use COVIDSafe or upload their data to the National COVIDSafe Data Store.

Finally, the Determination created criminal offences for the breach of the above requirements, with a maximum penalty of five years' imprisonment.

Enshrining the Determination

The Australian Government has now developed this Bill to enshrine the COVIDSafe privacy protections in the Determination in primary legislation.

The protections in the Bill will apply to all COVIDSafe data from the point at which the Bill commences, even if that data was created before the Bill commenced. Until the Bill is passed, the Determination will continue to apply to the handling of COVIDSafe app data.

The Bill will also override the effect of any previously-enacted laws under section 94ZD. This means that the Bill will apply in place of any other laws that may apply, including the Determination, once it passes into law. At that point, those handling the COVIDSafe app data will have a single legislative reference - the Commonwealth Privacy Act.

Criminal offences under the Bill

While I do not plan to address those areas of the Bill which directly replicate the Determination, I note that key criminal offences from the Determination continue to apply, and remain subject to the same penalties. These penalties are imprisonment for five years, a fine of 300 penalty units ($63,000), or both. The offences include:

Unauthorised collection, or use or disclosure of, COVIDSafe app data (section 94D)

Uploading COVIDSafe app data to the National COVIDSafe Data Store without the consent of the individual to whom that data relates (section 94E)

Storing the National COVIDSafe Data Store outside Australia (section 94F)

Disclosing COVIDSafe app data outside Australia (except in the case of a disclosure by a State or Territory health authority that is necessary for contact tracing purposes, such as where a user who needs to be contacted is outside Australia) (section 94F)

Uploading COVIDSafe app data from a mobile device to the National COVIDSafe Data Store without consent (while allowing for cases where a parent, guardian or carer uses COVIDSafe on an individual's behalf) (section 94H)

Decrypting COVIDSafe app data stored on a mobile device, (section 94G) and

Requiring a person to use the COVIDSafe app (section 94H).

Committing criminal offences will breach the Privacy Act

The Bill ensures oversight of COVIDSafe app data by the Australian Information Commissioner (the Commissioner). The offences under the Bill will also be breaches of the Privacy Act in certain circumstances. Therefore, (under section 94R) if a person commits an offence under the Bill and that person is either:

already required to comply with the Privacy Act, or

is a State or Territory health authority handling COVIDSafe app data

then the person's conduct will also breach the Privacy Act.

This gives individuals affected by the breach more options for enforcement because they will have the option to make a complaint to the Commissioner in addition to being able to report the matter to law enforcement.

Broader application of the Privacy Act

The Bill will go further than the Determination by ensuring that COVIDSafe app data must also be treated as 'personal information' under the Privacy Act (section 94Q). This automatically applies a range of existing Privacy Act protections to COVIDSafe app data, including privacy policy, notification, and security obligations. The Commissioner will be able to undertake a formal assessment of whether an entity subject to the Privacy Act, or a State or Territory health authority handling COVIDSafe app data, is complying with the requirements in the Bill.

The Commissioner will also have discretion to refer matters that may constitute a breach of a State or Territory privacy law to the responsible State or Territory privacy regulator.

There is an additional requirement that the Commissioner provide regular public reports on the performance and exercise of her new powers and functions under Part VIIIA.

Application of Notifiable Data Breaches scheme

The Bill applies the existing Notifiable Data Breaches Scheme to COVIDSafe app data under section 94S. The Bill requires the administrator of the National COVIDSafe data store, or a State or Territory health authority handling COVIDSafe app data to notify the Commissioner of any data breach involving COVIDSafe app data. The Commissioner will then have the power to require that breach to be notified to affected individuals.

The notification requirement would be automatic in the event of a data breach (much stronger than the Privacy Act's existing data breach notification requirements).

Summary of further differences between the Bill and Determination

The Bill also includes new clauses which:

provide limited exemptions to the offence of requiring someone to use COVIDSafe to preserve an individual's ability to limit access to their private home

ensure that no further data can be collected from former COVIDSafe users

introduce and define the term 'Data Store Administrator'

outline the process for all COVIDSafe data to be deleted at the end of the COVID-19 pandemic,

create reporting requirements, and

outline the process for repeal of the Bill.

I will now outline why these changes have been made.

Requiring the use of COVIDSafe

The prohibition on requiring a person to use the COVIDSafe app has been clarified under section 94H. A person will not be liable for this offence if they require a person to use COVIDSafe before entering their private residence, reflecting the normal expectation that a person is generally free to deny another person access to their home for any reason. However, this exemption is limited—it would not apply to other situations covered by the offence involving a commercial relationship, such as a landlord/tenant relationship, a share house relationship or an employment relationship.

Protections for former COVIDSafe users

Section 94N is a new provision that guarantees that COVIDSafe will not be used to collect any further data from people who have chosen to delete the app. Section 94N provides that if a user re-registers for the app, data collection can resume. This protection provides further assurance that a user's consent is central to COVIDSafe data collection.

Administration of the National COVIDSafe Data Store

The Bill designates the Australian Department of Health as the administrator of the National COVIDSafe Data Store, and allows it to delegate some or all of these functions to certain Commonwealth Government agencies under the proposed section 94Z. The Department of Health must make that delegation via a 'notifiable instrument', meaning the delegation will always be announced publicly. Importantly, an enforcement body or intelligence agency cannot be designated as the Data Store administrator.

Currently, the Digital Transformation Agency (DTA) is responsible for technical administration of COVIDSafe and the National COVIDSafe Data Store, in consultation with the Department of Health. When the Bill comes into law, the Department of Health would formally delegate some of its administrator functions to the DTA to reflect this arrangement. If the Department of Health later delegates these functions to another agency, Health will need to publicly announce that fact via notifiable instrument.

Deleting the National COVIDSafe Data Store

Finally, the Bill also includes a more specific process for deletion of the National COVIDSafe Data Store once the pandemic is over, compared to the Determination. This includes a process for the Minister for Health to determine the end of the COVIDSafe Data Period under section 94Y and by outlining the actions that then need to be taken by section 94P.

Reporting requirements

The Bill includes a requirement that the Minister for Health report to the Parliament as soon as practicable after each 6 month period on the operation and effectiveness of the COVIDSafe app. This underscores the Government's commitment to transparency about the operation and effectiveness of COVIDSafe and the unprecedented privacy and security protections built around the app's data handling.

Repeal of the Bill

Schedule 2 of the Bill will result in the legislation being automatically repealed 90 days after the Minister for Health issues a determination that the COVIDSafe app is no longer required under section 94Y. The Acts Interpretation Act 1901 will apply to preserve the effect of the repealed law so that an investigation into a possible breach of a repealed law can continue or can be commenced after repeal.

Conclusion

This Bill will guarantee that Australians' privacy is protected when they choose to download and use COVIDSafe. By enshrining the Biosecurity Determination into primary legislation, and ensuring the Information Commissioner has the power to hear complaints about the mishandling of COVIDSafe app data under the Privacy Act, the public can be assured that the Government is doing all it can to keep their data as secure as possible. With the passage of this Bill, we sincerely hope that the Australian public will take note of the unprecedented strength of these privacy protections, choose to download the app, and help their fellow Australians combat the spread of COVID-19.