Explanatory Memorandum
(Circulated by authority of the Attorney-General, the Honourable Christian Porter MP)Statement of Compatibility with Human Rights
Prepared in accordance with Part 3 of the Human Rights (Parliamentary Scrutiny) Act 2011
Privacy Amendment (Public Health Contact Information) Bill 2020
1. This Bill is compatible with the human rights and freedoms recognised or declared in the international instruments listed in section 3 of the Human Rights (Parliamentary Scrutiny) Act 2011.
Overview of the Bill
2. The Bill introduces strong privacy protections that apply to data collected through the COVIDSafe app to facilitate COVID-19 contact tracing efforts by State and Territory health authorities. These protections will be subject to criminal offences and oversight by the Australian Information Commissioner under the Privacy Act 1988 (Privacy Act), including the ability for individuals to make complaints to the Commissioner. The protections ensure that individuals must not be required to download, use or upload data through COVIDSafe by any person, and that informed consent is required before the Commonwealth collects data relating to a person through the COVIDSafe app. The protections also limit the ability to disclose COVID app data that is or has been stored in the Commonwealth's National COVIDSafe Data Store outside of Australia. The Commonwealth will also be required to delete the National COVIDSafe Data Store when COVIDSafe is no longer required or is no longer likely to be effective as part of Australia's response to COVID-19 (which must be determined based on expert medical advice).
Human rights implications
Right to health
3. Article 12 of the International Covenant on Economic, Social and Cultural Rights (ICESCR) promotes the right of all individuals to enjoy the highest attainable standards of physical and mental health. This includes the application of measures for the prevention, treatment and control of epidemic, endemic, occupational and other diseases (Article 12(2)).
4. The United Nations Committee on Economic, Social and Cultural Rights (UNCESCR) states in General Comment No 14 (2000) that health is a 'fundamental human right indispensable for the exercise of other human rights', and that the right to health is not to be understood as the right to be healthy, but rather entails a right to 'a system of health protection which provides equality of opportunity for people to enjoy the highest attainable level of health'.
5. The UNCECSR also states in General Comment No 14 that the 'highest attainable standard of health' takes into account the country's available resources, and that this right may be understood as a right of access to a variety of public health and health care facilities, goods, services, programs, and conditions necessary for the realisation of the highest attainable standard of health.
6. The purpose of COVIDSafe is to assist relevant State and Territory health authorities with contact tracing. Contact tracing is critical to containing the spread of COVID-19 by identifying individuals who may have been exposed to the virus, assisting them to take appropriate steps to avoid further transmission and providing advice about medical services available to them. Understanding the nature and extent of community transmission of COVID-19 is fundamental to the public health response to the pandemic.
7. The Bill promotes the right to health by assisting health authorities:
- a.
- facilitate efficient and accurate contact tracing via COVIDSafe to control the spread of COVID-19 in Australia and render appropriate health services as necessary
- b.
- provide access to critical health information about COVID-19 to individuals and families, and
- c.
- provide access to health services for groups that are more severely impacted by COVID-19, including older people, people with disability, Indigenous people and pregnant women.
Right to protection against arbitrary or unlawful interference with privacy
8. The protection against arbitrary or unlawful interference with privacy is contained in Article 17 of the International Covenant on Civil and Political Rights (ICCPR). Article 17 provides that no one shall be subjected to arbitrary or unlawful interference with his or her privacy, family, home or correspondence, nor to unlawful attacks on his or her honour or reputation, and that everyone has the right to the protection of the law against such interference or attacks.
9. Although the United Nations Human Rights Committee has not defined 'privacy', it should be understood to comprise freedom from unwarranted and unreasonable intrusions into activities that society recognises as falling within the sphere of individual autonomy.
10. The right to privacy under Article 17 can be permissibly limited in order to achieve a legitimate objective and where the limitations are lawful and not arbitrary. The term 'unlawful' in Article 17 of the ICCPR means that no interference can take place except as authorised under domestic law. Additionally, the term 'arbitrary' in Article 17(1) of the ICCPR means that any interference with privacy must be in accordance with the provisions, aims and objectives of the ICCPR and should be reasonable in the particular circumstances. The Committee has interpreted 'reasonableness' to mean that any limitation must be proportionate and necessary in the circumstances.
11. The measures in the Bill will promote the right to privacy by establishing a temporary standalone framework for the collection, use, disclosure and dealing of personal information, which introduces stronger provisions where appropriate than existing protections for this information handling under the Privacy Act. In this way, the Bill promotes the right to privacy by creating a stronger information privacy framework for COVID app data than would otherwise exist under prevailing law. The penalties introduced under this temporary standalone framework - including criminal penalties of up to five years imprisonment or 300 penalty units, or both - are considered to be reasonable, necessary and proportionate in light of the Bill's objective to provide genuine privacy safeguards that build confidence in the COVIDSafe app. This in turn is intended to bolster the uptake and effectiveness of COVIDSafe as a new tool to help Australia respond to the serious health risks posed by COVID-19, until the point where COVIDSafe is no longer required or would no longer be effective.
12. To the extent that measures in the Bill that authorise the collection, use, disclosure or dealing of personal information may interfere with the right to privacy, they are lawful and non-arbitrary. The Bill aims to achieve the legitimate objective of combatting the community spread of COVID-19. COVIDSafe achieves this by collecting personal information about users who come into contact with each other, but limiting this collection to the minimum amount of information reasonable and necessary in order to facilitate effective contact tracing. COVIDSafe does not collect geolocation data. Should a user be diagnosed with COVID-19, State or Territory health authorities will use the information collected by COVIDSafe to contact other users whom the diagnosed person came into a contact with and inform them of the necessary next steps to contain the spread of the virus.
13. The Bill contains multiple protections to ensure that personal information is being collected in an appropriate and non-invasive manner in order to achieve the legitimate aims and objectives of contact tracing. Further, if a person is diagnosed with COVID-19 they will still have a choice as to whether to upload close contact data. The consent-based model ensures that this collection of personal information is reasonable, necessary and proportionate to achieving the legitimate aim of combatting COVID-19 through contact tracing.
14. The measures in this Bill reduce privacy risks, and safeguard the individual's right to privacy through the further measures described below.
Choice whether to install the app
15. COVIDSafe is completely voluntary to download and use. The Bill ensures that individuals are given a free and informed choice regarding whether to download and use COVIDSafe by creating safeguards to protect individuals from disadvantage or other adverse consequences should an individual decide not to download or use COVIDSafe.
16. For example, an employer cannot make downloading or using COVIDSafe a condition of employment. A retailer cannot refuse a person entry to their premises, refuse to provide goods or services or insist on providing goods or services on different monetary terms, on the ground that a person has not installed or is not using COVIDSafe. At the same time, the Bill includes appropriate safeguards to ensure persons at private properties or residences remain able to control who enters that premises on any basis (excluding landlord/tenant or similar relationships, or employment/commercial relationships).
17. Requiring a person to download, use, or consent to upload COVID app data is an offence under this Bill and carries a maximum penalty of five years imprisonment or 300 penalty units, or both. This measure provides strong incentives against imposing requirements relating to the download and use of COVIDSafe.
Stringent limitations on the collection, use, disclosure and dealing of personal information
18. The Bill limits when personal information is shared to ensure that an individual's personal information is only accessed when it is critical to do so to protect the health and wellbeing of the community and those with whom the individual has come into close contact. This will be achieved through providing that the personal information collected may only be used for particular specified purposes by relevant bodies, with broad prohibitions on the use of that information for other purposes. These protections will apply to information collected through the COVIDSafe app at any time, including before commencement of the Bill.
19. When personal information is uploaded to the National COVIDSafe Data Store following a positive COVID-19 diagnosis, only State and Territory health authorities may access relevant data for the purpose of contact tracing. Officials, employees or contractors of the data store administrator may also access data but only for the purpose of enabling contact tracing by a State or Territory health authority, ensuring the proper functioning of the Data Store and ensuring that the Data Store is accurate and secure from unauthorised access. Access for law enforcement purposes or by the Information Commissioner will only be permitted to the extent necessary to enforce the privacy protections contained in the Bill.
20. State and Territory health authorities will put in place additional controls and procedures to ensure that only approved employees or personnel may access data in the National COVIDSafe Data Store for the purpose of contact tracing. Similarly, the data store administrator will put in place additional controls and procedures to ensure that only approved officials, employees or contractors may access data in the National COVIDSafe Data Store for the purposes permitted in the Bill.
21. The Bill also makes it unlawful for a person to decrypt COVID app data that is stored on a communication device. Breach of this provision is subject to a maximum penalty of five years imprisonment or 300 penalty units, or both. This measure provides strong incentives against attempting to decrypt COVID app data, protecting the integrity and security of users' personal information.
22. By strictly limiting the collection, use, disclosure and dealing of an individual's personal information, the Bill promotes the right to privacy.
Reporting requirements
23. The Bill also includes regular reporting obligations for the Health Minister to report on the operation and effectiveness of the COVIDSafe app and the National COVIDSafe Data Store, and for the Information Commissioner to report on the Commissioner's performance of functions and exercise of powers under the Bill. This is designed to ensure an appropriate degree of transparency and to build public confidence in the strong privacy protections that will apply under the Bill.
Conclusion
24. The Privacy Amendment (Public Health Contact Information) Bill 2020 is compatible with human rights because it promotes the rights to health and privacy, and to the extent that it may limit those rights, those limitations are reasonable, necessary and proportionate.
Copyright notice
© Australian Taxation Office for the Commonwealth of Australia
You are free to copy, adapt, modify, transmit and distribute material on this website as you wish (but not in any way that suggests the ATO or the Commonwealth endorses you or any of your services or products).