Explanatory Memorandum
(Circulated by authority of the Attorney-General, the Honourable Christian Porter MP)

GENERAL OUTLINE
1. This Bill elevates the provisions of the Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements-Public Health Contact Information) Determination 2020 (the Determination) into primary legislation and introduces additional measures to strengthen privacy protections. The purpose of the Bill is to assist in preventing and controlling the entry, emergence, establishment or spread of the coronavirus known as COVID-19 into Australia or any part of Australia, by amending the Privacy Act 1988 (Privacy Act) to provide stronger privacy protections for users of the Commonwealth's COVIDSafe app and data collected through the app (COVID app data) than the protections that would otherwise apply under Australian law.
2. As with the Determination, the Bill imposes strict requirements on the collection, use and disclosure of COVID app data. The Bill ensures data collected by COVIDSafe will only be used to facilitate contact tracing activities by State and Territory health officials or those in the service of State and Territory health authorities, and for the proper functioning, integrity and security of COVIDSafe and the National COVIDSafe Data Store.
3. Misuse of COVID app data will constitute a criminal offence. If the responsible person is subject to the Privacy Act because of the Bill or under the ordinary operation of the Privacy Act, individuals will also be able to make a complaint to the Information Commissioner under the Privacy Act. COVID app data will remain continually protected through encryption and the Bill makes it an offence to decrypt COVID app data stored on a communication device.
4. The Bill allows the reporting of de-identified statistics about the total number of registrations through COVIDSafe. This has been included to allow for evaluation and to ensure an appropriate degree of transparency and accountability about the collection, use and disclosure of COVID app data, without infringing on the privacy of the individual. De-identified data is information that is no longer about an identifiable individual or an individual who is reasonably identifiable.
5. The Bill is consistent with the approach that the use of the COVIDSafe app is strictly voluntary and that a COVIDSafe user's informed consent is required to allow the app to collect data about the user and upload that data to the National COVIDSafe Data Store. The Bill specifically prohibits imposing a requirement on a person to download the COVIDSafe app, have the app in operation, or give consent for encrypted contact information to be uploaded to the National COVIDSafe Data Store at the point of a positive COVID-19 diagnosis.
6. The Bill requires the Commonwealth to store COVID app data uploaded through the COVIDSafe app in the Commonwealth's National COVIDSafe Data Store, for the principal purpose of facilitating COVID-19 contact tracing activities by State and Territory health authorities. The Bill provides that the data held in the National COVIDSafe Data Store must be retained in Australia, and COVID app data that is or has been stored in the National COVIDSafe Data Store must not be disclosed to a person outside of Australia (except for the purposes of contact tracing by a State or Territory Government health official).
7. The Bill also provides a mechanism for COVIDSafe app users (and former users) to request the deletion of registration data uploaded from the user's device. When the data store administrator receives such a request, they must take all reasonable steps to delete the data. The Bill also includes a requirement to delete COVID app data received in error and imposes an obligation to delete COVID app data from the National COVIDSafe Data Store at the end of the COVIDSafe data period (which will be determined by the Health Minister, with consideration of any advice from the Commonwealth Chief Medical Officer or the Australian Health Protection Principal Committee).
8. The Bill provides that any COVID app data relating to an individual is taken to be 'personal information' under the Privacy Act, and enables the Office of the Australian Information Commissioner (OAIC) to investigate complaints about breaches of the legislation and undertake assessments of compliance with privacy obligations under the legislation. Importantly, these powers allow the OAIC to investigate and assess State and Territory health authorities in relation to their handling of COVID app data.
9. Under the Bill, the OAIC has the ability to require State and Territory authorities' cooperation with assessments and investigations and the power to refer matters as appropriate to the Commissioner of Police or the Director of Public Prosecutions to investigate criminal offences. The OAIC also has the power to refer matters to, and share information with State and Territory privacy regulators as appropriate. The scope of the OAIC's powers in relation to State and Territory authorities is strictly limited to COVID app data.
10. The Bill also extends the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act to breaches involving COVID app data, including breaches of COVID app data held by the administrator of the National COVIDSafe Data Store and State and Territory health authorities. The data store administrator and State and Territory health authorities will be required to notify the Commissioner of any breach of a requirement contained in the Bill. The Commissioner can then respond to that notification by requiring the entity to prepare a statement about the breach in consultation with the Commissioner, and take reasonable steps to provide that statement to individuals to whom the COVID app data relates.
11. The Commissioner will have a discretion to grant an exemption, or a time-limited exemption, from the notification requirement on public interest grounds, and with regard to advice from a law enforcement body or the Australian Signals Directorate and any other matters the Commissioner considers relevant. This matches the Commissioner's pre-existing discretion under the Privacy Act, and is intended to ensure that data breach notification is not required in cases where it may interfere with a police investigation into an offence committed under one of the provisions of the Bill.
12. The Bill's requirements operate in place of any inconsistent requirements that would otherwise apply under Australian law. This includes any more stringent requirements about retaining Commonwealth records under the Archives Act 1983 or less stringent requirements about handling personal information under the Privacy Act. However, the remainder of the Privacy Act, to the extent it is not inconsistent with the Bill, continues to apply to COVID app data that is personal information about an individual.
FINANCIAL IMPACT
13. This Bill has no significant impact on Commonwealth expenditure or revenue.