Second Reading Speech
Mr PORTER (Pearce - Attorney-General, Minister for Industrial Relations and Leader of the House) I move:
That this bill be now read a second time.
The Privacy Amendment (Public Health Contact Information) Bill 2020 will ensure that there are strong ongoing privacy protections to support the download, use and eventual decommission of the Australian government's COVIDSafe app.
At release, COVIDSafe was supported by interim privacy protections contained in the Minister for Health's determination under the Biosecurity Act 2015. Building on this, the purpose of this bill is to enshrine the privacy protections in the determination into primary legislation by inserting a new part into the Privacy Act 1988, give the Australian Information Commissioner oversight of COVIDSafe app data and introduce additional provisions that clarify protections in the determination.
The bill guarantees that the Australian public can have confidence that their privacy will be protected if they download and use COVIDSafe. An increase in the uptake of COVIDSafe will help states and territories trace outbreaks and combat the spread of COVID-19.
Background
To understand the bill's privacy protections, it is first crucial to understand how COVIDSafe operates and handles personal information. You will see that strong privacy protections have been built into the design of COVIDSafe as it requires users to provide the minimum amount of information required to contact trace which is encrypted until it is required by health officials.
COVIDSafe is a voluntary app developed by the Australian government that was launched on 26 April 2020. COVIDSafe can be installed on Android and iOS personal devices to collect information to assist state and territory health officials when they conduct contact tracing to combat the spread of COVID-19.
When a person downloads COVIDSafe, they are asked to register by entering a limited amount of personal information: a name or pseudonym, an age range, a mobile phone number and a postcode. Once verified by text message, this information is then uploaded in an encrypted form to the National COVIDSafe Data Store.
Once a user has registered, COVIDSafe works by using Bluetooth signals to record encrypted data about close contacts with other users and stores this locally on their device. If this data is not uploaded to the National COVIDSafe Data Store, it is deleted on a rolling 21-day basis. Unlike manual contact tracing, COVIDSafe can record close contacts who are not known to the user - for example, people who sit near another user on the bus, at an event or in line at the supermarket. When a COVIDSafe user tests positive for COVID-19, they will be contacted by a health official in their state or territory as part of the usual contact tracing process. When making contact, the health official will then ask the person if they use COVIDSafe. If they do, the health official will send them a code by text message to enter in the app. If the code is entered, the user consents to uploading the encrypted data about their close contacts to the National COVIDSafe Data Store.
Once information about close contacts is uploaded, state and territory contact tracers can access this information to notify the positive user's close contacts that they may have been exposed to the coronavirus. From this point, contact tracers will inform people at risk of COVID-19 that they have been exposed without identifying the infected app user. Contact tracers will step people at risk through what to do next, such as getting tested or self-isolating.
COVIDSafe, therefore, has the potential to significantly speed up existing manual contact-tracing processes, and in turn could accelerate the pace at which governments can ease restrictions while still keeping Australians safe.
Biosecurity declaration
The Australian public must have confidence that COVIDSafe protects their privacy for it to be used and highly effective in combating the spread of COVID-19. To this end, the Minister for Health, the Hon. Greg Hunt, made a determination under the Biosecurity Act on 25 April 2020 - before the COVIDSafe launch. This determination provided strong interim privacy protections for data collected through COVIDSafe prior to the passage of this bill.
The determination contains provisions that:
- ensure that data from COVIDSafe is only used to support state and territory health authorities' contact-tracing efforts, and only to the extent required to do so,
- require that users must consent before data from their device can be uploaded to the National COVIDSafe Data Store,
- prevent data from COVIDSafe being retained outside of Australia, and protect against unauthorised disclosure outside of Australia,
- require all COVIDSafe data held in the National COVIDSafe Data Store to be deleted at the end of the COVID-19 pandemic,
- protect against decryption of COVIDSafe data stored on users' devices, and
- provide that no-one can be forced to download or use COVIDSafe or upload their data to the National COVIDSafe Data Store.
Finally, the determination created criminal offences for the breach of the above requirements, with a maximum penalty of five years imprisonment.
Enshrining the determination
The Australian government has now developed this bill to enshrine the COVIDSafe privacy protections in the determination in primary legislation.
The protections in the bill will apply to all COVIDSafe data from the point at which the bill commences, even if that data was created before the bill commenced. Until the bill is passed, the determination will continue to apply to the handling of COVIDSafe app data.
The bill will also override the effect of any previously enacted laws under section 94ZD. This means that the bill will apply in place of any other laws that may apply, including the determination, once it passes into law. At that point, those handling COVIDSafe app data will have a single legislative reference, being the Commonwealth Privacy Act.
Criminal offences under the bill
While I do not plan to address those areas of the bill which directly replicate the determination, I will note that key criminal offences from the determination continue to apply, and remain subject to the same penalties, being imprisonment for five years, a fine of 300 penalty units ($63,000), or both. These are, of course, the maximum penalties that could be applied and are reserved for the most serious types of offending. The offences to which they would relate include:
- unauthorised collection, or use or disclosure of, COVIDSafe app data (section 94D),
- uploading COVIDSafe app data to the National COVIDSafe Data Store without the consent of the individual to whom the data relates (section 94E),
- storing the National COVIDSafe Data Store outside Australia (section 94F),
- disclosing COVIDSafe app data outside Australia (except in the case of a disclosure by a state or territory health authority that is necessary for contact-tracing purposes, such as where a user who needs to be contacted is outside Australia) (section 94F),
- uploading COVIDSafe app data from a mobile device to the National COVIDSafe Data Store without consent (while allowing for cases where a parent, guardian or carer uses COVIDSafe on an individual's behalf) (section 94H),
- decrypting COVIDSafe app data stored on a mobile device (section 94G), and
- requiring a person to use the COVIDSafe app (section 94H).
Committing criminal offences will breach the Privacy Act
The bill ensures oversight of COVIDSafe app data by the Australian Information Commissioner. The offences under the bill will also be breaches of the Privacy Act in certain circumstances. Therefore, (under section 94R) if a person commits an offence under the bill and that person is either already required to comply with the Privacy Act or is a state or territory health authority handling COVIDSafe app data, then the person's conduct will also breach the Privacy Act.
This gives individuals affected by the breach more options for enforcement because they will have the option to make a complaint to the commissioner in addition to being able to report the matter to law enforcement.
Broader application of the Privacy Act
The bill will go further than the determination by ensuring that COVIDSafe app data must also be treated as 'personal information' under the Privacy Act, by virtue of section 94Q. This automatically applies a range of existing Privacy Act protections to COVIDSafe app data, including privacy policy, notification, and security obligations. The commissioner will be able to undertake a formal assessment of whether an entity subject to the Privacy Act, or a state or territory health authority handling COVIDSafe app data, is complying with the requirements in this bill.
The commissioner will also have discretion to refer matters that may constitute a breach of a state or territory privacy law to the responsible state or territory privacy regulator.
There is also an additional requirement that the commissioner provide regular public reports on the performance and exercise of her new powers and functions under part VIIIA.
Application of Notifiable Data Breaches Scheme
The bill applies the existing Notifiable Data Breaches Scheme to COVIDSafe app data under section 94S. The bill requires the administrator of the National COVIDSafe Data Store, or a state or territory health authority handling COVIDSafe app data, to notify the commissioner of any data breach involving COVIDSafe app data. The commissioner will then have the power to require the breach to be notified to affected individuals.
The notification requirement would be automatic in the event of a data breach, which is much stronger than the protection in the Privacy Act's existing data breach notification requirements.
Summary of further differences between the bill and determination
It should be noted that the bill also includes new clauses which:
- provide limited exemptions to the offence of requiring someone to use COVIDSafe to preserve an individual's ability to limit access to their private home,
- ensure that no further data can be collected from former COVIDSafe users,
- introduce and define the term 'data store administrator',
- outline the process for all COVIDSafe data to be deleted at the end of the COVID-19 pandemic,
- create reporting requirements, and
- outline the process for repeal of the bill.
I will now outline why these changes have been made.
Requiring the use of COVIDSafe
The prohibition on requiring a person to use the COVIDSafe app has been clarified under section 94H. A person will not be liable for this offence if they require a person to use COVIDSafe before entering their private residence, reflecting the normal expectation that a person is generally free to deny another person access to their home for any reason. However, this exemption is limited and would not apply to other situations covered by the offence involving a commercial relationship, such as a landlord-tenant relationship, a share house relationship or an employment relationship.
Protections for former COVIDSafe users
Section 94N is a new provision that guarantees that COVIDSafe will not be used to collect any further data from people who have chosen to delete the app. Section 94N provides that, if a user re-registers for the app, data collection can resume. This protection provides further assurance that a user's consent is central to COVIDSafe data collection.
Administration of the National COVIDSafe Data Store
With regard to administration of the National COVIDSafe Data Store, the bill designates the Australian Department of Health as the administrator of the National COVIDSafe Data Store and allows it to delegate some or all of these functions to certain Commonwealth government agencies under the proposed section 94Z. The Department of Health must make that delegation via a 'notifiable instrument', meaning the delegation will always be announced publicly. Importantly, an enforcement body or intelligence agency cannot be designated as the data store administrator.
Currently, the Digital Transformation Agency (DTA) is responsible for technical administration of COVIDSafe and the National COVIDSafe Data Store, in consultation with the Department of Health. When the bill comes into law, the Department of Health will formally delegate some of its administrator functions to the DTA to reflect this arrangement. If the Department of Health later delegates these functions to another agency, Health will need to publicly announce that fact via notifiable instrument.
Deleting the National COVIDSafe Data Store
Regarding deletion of the National COVIDSafe Data Store, the bill finally also includes a more specific process for deletion of the National COVIDSafe Data Store once the pandemic is over, compared to the determination. This includes a process for the minister to determine the end of the COVIDSafe data period under section 94Y and by outlining the actions that then need to be taken by section 94P.
Reporting requirements
Regarding reporting requirements, the bill includes a requirement that the Minister for Health report to the parliament as soon as practicable after each six-month period on the operation and effectiveness of the COVIDSafe app. This underscores the government's commitment to transparency about the operation and effectiveness of COVIDSafe and the unprecedented privacy and security protections built around the app's data handling.
Repeal of the bill
Regarding repeal of the bill, schedule 2 of the bill will result in the legislation being automatically repealed 90 days after the Minister for Health issues a determination that COVIDSafe app is no longer required under section 94Y. The Acts Interpretation Act will apply to preserve the effect of the repealed law so that an investigation into a possible breach of a repealed law can continue or can be commenced after repeal.
Conclusion
By way of conclusion, this bill will guarantee that Australians' privacy is protected when they choose to download and use COVIDSafe. By enshrining the biosecurity determination into primary legislation, and ensuring the Information Commissioner has the power to hear complaints about the mishandling of COVIDSafe app data under the Privacy Act, the public can be assured that the government is doing all we can to keep their data as secure as possible. With the passage of this bill, we sincerely hope that the Australian public will take note of the unprecedented strength of these privacy protections, choose to download the app and help their fellow Australians combat the spread of COVID-19. I commend the bill to the House.
Leave granted for second reading debate to continue immediately.