Home | Databases | WorldLII | Search | Feedback Australian Senate Standing Committee for the Scrutiny of Bills - Scrutiny Digests

Privacy Amendment (Public Health Contact Information) Bill 2020 [2020] AUSStaCSBSD 110 (17 June 2020)

Privacy Amendment (Public Health Contact Information) Bill 2020

Significant penalties ^[11]

1.26 Item 2 of Schedule 1 to the bill seeks to insert new Part VIIIA into the Privacy Act 1988 (Privacy Act). Division 2 of Part VIIIA (proposed sections 94D to 94H) establishes a series of offences relating to the COVIDSafe app and COVID app data. In this regard, Division 2 provides that the following forms of conduct would be punishable by 5 years' imprisonment, 300 penalty units ($63 000), or both:

• collecting, using or disclosing COVID app data, where the collection, use or disclosure is not permitted;^[12]

• uploading COVID app data, or causing COVID app data to be uploaded, to the National COVIDSafe Data Store, without the consent of the COVIDSafe user or their parent, guardian or carer;^[13]

• retaining COVID app data that has been uploaded to the National COVIDSafe Data Store on a database outside Australia;^[14]

• disclosing COVID app data that has been uploaded to the National COVIDSafe Data Store to a person outside Australia;^[15]

• decrypting COVID app data that is stored on a communications device;^[16]

• requiring a person to download or use the COVIDSafe app, or requiring a person to consent to uploading COVID app data from a communications device to the National COVIDSafe Data Store;^[17]

• taking specified forms action against a person, on the grounds that the person has not downloaded the COVIDSafe app, does not have the COVIDSafe app in operation, or has not consented to uploading COVID app data from a communications device to the National COVIDSafe Data Store.^[18]

1.27 In relation to the offence in proposed subsection 94D(1), the explanatory memorandum states that:

The maximum penalty for contravening subsection 94D(1) is five years imprisonment or 300 penalty units, or both. All penalties for offences under this Part are equal to the penalty for failing to comply with the Determination (made on 25 April 2020, and which would be repealed by item 1 of Schedule 2 as described later in this memorandum). Equivalent penalties represent the continued need for heightened protections for COVID app data.^[19]

1.28 The explanatory memorandum does not appear to contain an explanation as to the significance of the penalties in proposed sections 94E to 94H. However, the explanation provided in relation to subsection 94D(1) is relevant to those sections.

1.29 The committee acknowledges the importance of providing robust safeguards against the misuse of COVID app data and providing reassurance to the Australian community, and notes that other Commonwealth legislation imposes comparable penalties for offences relating to the use and disclosure of sensitive data.^[20] However, given the significance of the penalties that may be imposed under proposed sections 94D to 94H, the committee would expect a comprehensive justification for the penalty in each of those provisions to be included in the explanatory memorandum.

1.30 In addition, the relevant penalties should be justified by reference to similar offences under Commonwealth law. This not only promotes consistency, but guards against the risk that the liberty of a person is unduly limited through the application of disproportionate penalties. In this respect, the committee notes that the Guide to Framing Commonwealth Offences states that a penalty 'should be consistent with penalties for existing offences of a similar kind or...seriousness. This should include a consideration of...other comparable offences in Commonwealth legislation'.^[21]

1.31 As the explanatory memorandum does not appear to provide a sufficiently detailed justification as to why it is considered necessary and appropriate to impose significant penalties for the offences in proposed sections 94D to 94H, the committee requests the minister's detailed advice as to the justification for the significant penalties that may be imposed under those provisions, by reference to comparable Commonwealth offences and the requirements in the Guide to Framing Commonwealth Offences.

Reversal of evidential burden of proof^[22]

1.32 Proposed subsection 94D(1) provides that it is an offence for a person to collect, use or disclose COVID app data, where collection, use or disclosure is not permitted under section 94D. Proposed subsection 94D(3) creates an exemption (offence-specific defence) to this offence, which provides that the offence does not apply to the collection of COVID app data, if:

• the collection of the COVID app data occurs as part of, or is incidental to, the collection, at the same time, of data that is not COVID app data (non-COVID app data); and

• the collection of the non-COVID app data is permitted under Australian law; and

• the COVID app data is deleted as soon as practicable after the person becomes aware that it has been collected, and is not otherwise accessed, used or disclosed by the person after it is collected.

1.33 Subsection 13.3(3) of the Criminal Code Act 1995 provides that a defendant who wishes to rely on any exception, exemption, excuse, qualification or justification bears an evidential burden in relation to that matter.

1.34 At common law, it is ordinarily the duty of the prosecution to prove all elements of an offence. This is an important aspect of the right to be presumed innocent until proven guilty. Provisions that reverse the burden of proof and require a defendant to disprove, or raise evidence to disprove, one or more elements of an offence, interferes with this common law right.

1.35 In this instance, the defendant bears an evidential burden (requiring the defendant to raise evidence about the matter), rather than a legal burden (requiring the defendant to positively prove the matter). Nevertheless, the committee expects the reversal of the evidential burden of proof to be justified.

1.36 In relation to proposed subsection 94D(3), the explanatory memorandum states that:

This defence recognises that there may be circumstances where COVID app data is inadvertently collected as part of a wider collection of information. Inserting the positive obligations of data deletion and no further interactions with the data ensures that the defence is limited to only incidental data collection, and that in these circumstances, the collecting person can derive no benefit from that collection.^[23]

1.37 The committee notes that the Guide to Framing Commonwealth Offences provides that a matter should only be included in an offence-specific defence where:

• it is peculiarly within the knowledge of the defendant; and

• it would be significantly more difficult and costly for the prosecution to disprove than for the defendant to establish the matter.^[24]

1.38 In this instance, it appears that the majority of the matters set out in subsection 94D(3) would meet the criteria set out in the Guide. However, it is not clear that all the matters in that subsection would meet those criteria. For example, it appears that whether the collection of data is permitted under Australian law is a factual matter, rather than a matter that would be peculiarly within the defendant's knowledge.

1.39 The committee draws its scrutiny concerns in relation to proposed subsection 94D(3), which reverses the evidential burden of proof, to the attention of senators.

Privacy^[25]

1.40 The bill sets out a series of measures relating to the COVIDSafe app^[26] and to COVID app data. According to the explanatory memorandum, these measures provide stronger privacy protections for users of the app, and data collected through the app, than the protections that would otherwise apply under Australian law.^[27] The relevant measures include new, targeted offences,^[28] specific obligations relating to COVID app data and COVIDSafe,^[29] and provisions which specify how general privacy protections elsewhere in the Privacy Act apply to COVIDSafe and COVID app data.^[30]

1.41 In the view of the committee, these are important protections for individuals using the COVIDSafe app. However, the committee notes that certain terms in the bill—which are essential to the operation of the new measures—are broadly defined. From a scrutiny perspective, the committee is concerned that this may undermine the value of the measures as privacy safeguards.

Definition of 'COVID app data'

1.42 In particular, the committee is concerned that the scope of the information collected through the operation of the COVIDSafe app is unclear. In this regard, the bill defines 'COVID app data' as data relating to a person that:

• has been collected or generated (including before the commencement of Part VIIIA) through the operation of COVIDSafe; and

• is either registration data, or data that is, or has been, stored on a mobile communications device (including before Part VIIIA commenced).^[31]

1.43 However, the bill does not specify the type of data that is collected or generated through the operation of the COVIDSafe app, nor does it define 'registration data'. The explanatory memorandum states that COVID app data includes data calculated or otherwise derived from within the COVIDSafe app on a mobile communications device, and notes that the COVIDSafe app does not collect geolocation data.^[32] However, there is nothing to this effect on the face of the bill.

1.44 In addition, the committee notes that where a user of the COVIDSafe app tests positive for COVID-19, and uploads decrypted records of their contacts over the previous 21 days, these decrypted records do not clearly fall within the definition of 'COVID app data'. This is because the decrypted records are not collected or generated from the operation of the app or stored on the user's device. It is also not clear that data transformed or derived from COVID app data by state or territory health officials falls within the definition of 'COVID app data'.

1.45 As the scope of 'COVID app data' is unclear, it is not apparent how such data would be deidentified, and whether the de-identification process would sufficiently protect individuals' privacy. For example, it is unclear whether data which has been de-identified could be reverse engineered, such that it could be used to identity users of the COVIDSafe app.

Definition of 'contact tracing' and 'in contact'

1.46 The bill defines 'contact tracing' as the process of identifying persons who have been 'in contact' with a person who has tested positive for the coronavirus known as COVID-19.^[33] It also provides that a person has been 'in contact' with another person where the operation of COVIDSafe in relation to the person indicates that they may have been in the proximity of the other person.^[34] The explanatory memorandum states that a person will only be considered to be 'in contact' with another person where they are both COVIDSafe users with the COVIDSafe app operating, and the COVIDSafe app detects the presence of another person 'within detectable proximity'.^[35] However, it is unclear how close one telecommunications device with the COVIDSafe app must be to another before it is registered as being 'in contact'. Also unclear is the duration for which two communications devices with the COVIDSafe app must be in proximity to each other before one user's app registers the other as being 'in contact'.

1.47 The Privacy Impact Assessment indicates that where the COVIDSafe app detects another device with the app installed within its Bluetooth signal range, it will create a record ('digital handshake') of this contact every minute.^[36] The Privacy Impact Assessment also states that, where a user consents, all digital handshakes will be uploaded to the National COVIDSafe Data Store.^[37] This suggests that the scope of the data which may be collected and shared through the COVIDSafe app is broad, and may contradict the position that the app only collects data about other users who come within 1.5 metres, for at least 15 minutes.

Committee comment

1.48 These matters are significant for privacy purposes, because they provide an indication of the scope of the data that an individual may collect when they carry their mobile device, the scope data that may be shared, and the scope of the data that may be uploaded to the National COVIDSafe Data Store.

1.49 To clarify the nature and type of information that is collected under the bill, the committee requests the minister's detailed advice as to:

• the scope of the information that is collected or generated through the COVIDSafe app, including whether 'COVID app data' includes:

• decrypted records of a user's contacts over the previous 21 days, in circumstances where the user has tested positive for COVID-19; or

• data transformed or derived from COVID app data by state or territory health officials; and

• when the COVIDSafe app will make a record of a 'digital handshake' between users of the app, and upload that record to the National COVIDSafe Data Store, including:

• how close users must be to each other in order for the app to record a 'digital handshake'; and

• how long users must be in proximity to each other for the app to record a 'digital handshake'.

1.50 The committee also requests the minister's advice as to how COVID app data will be de-identified, and how the de-identification process will protect the privacy of individuals.

Privacy^[38]

1.51 As noted above, proposed subsection 94H(1) provides that it is an offence to require a person to download the COVIDSafe app to a communications device, to have the app in operation on a communications device, or to upload data to the National COVIDSafe Data Store. Proposed subsection 94H(2) provides that it is an offence for a person to take proscribed actions against a person, on the grounds that the person has not downloaded, or is not using, the COVIDSafe app, or has not consented to uploading data to the National COVIDSafe Data Store.^[39]

1.52 The explanatory memorandum states that:

The purposes of these offences taken together is to ensure that no person can require, coerce, or otherwise oblige (whether directly or indirectly) another person to install or have COVIDSafe operating on their communications device, or to upload...data from a communications device to the National COVIDSafe data store.^[40]

1.53 In addition, the statement of compatibly indicates that the offences in proposed section 94H are intended to safeguard individuals' privacy, by ensuring individuals are given a free and informed choice as to whether to download and use COVIDSafe. It also states that the offences provide strong incentives against requiring individuals to download and use the app.

1.54 The offences in proposed section 94H appear to provide strong deterrents against requiring individuals to download and use COVIDSafe, or to upload data to the National COVIDSafe data store. However, it is unclear whether these offences as currently drafted would capture attempts to incentivise individuals to undertake these activities. Additionally, it is unclear whether the offences as currently drafted would capture persons who indirectly incentivise the downloading of the app by placing additional requirements or conditions on individuals who have not downloaded it (for example, where a restaurant has a general requirement that patrons must provide their contact details, but this requirement is waived for those patrons who have downloaded the app). The explanatory memorandum is silent on these matters.

1.55 The committee is concerned that the failure to include the provision of financial incentives as conduct that is prohibited under proposed section 94H may undermine the value of that provision as a privacy safeguard.

1.56 The committee requests the minister's advice as to whether the offences in section 94H of the Act would apply to making discounts, payments and other incentives (including placing additional requirements or conditions on individuals who have not downloaded the app) contingent on a person downloading or using the COVIDSafe app, or uploading COVID app data to the National COVIDSafe Data Store.

No requirement to table or publish reports^[41]

1.57 Proposed section 94ZA requires the Health Minister to cause reports to be prepared on the operation and effectiveness of COVIDSafe and the National COVIDSafe Data Store during the six-month period starting on the commencement of Part VIIIA of the Act, and during each subsequent six-month period.

1.58 Proposed section 94ZB similarly requires the Information Commissioner to cause reports to be prepared on the performance of the Commissioner's function, and the exercise of the Commissioner's powers, during the six-month period starting on the commencement of Part VIIIA, and during each subsequent six-month period.

1.59 The explanatory memorandum indicates that the reports prepared under proposed sections 94ZA and 9ZB are intended to inform and reassure the public about the operation of Part VIIIA (that is, the Part relating to the COVIDSafe app and COVID app data). In this respect, it states that:

[Reports prepared under section 94ZB are] expected to provide another source of public information and assurance about the operation of Part VIIIA, in addition to any public statements the Commissioner may choose to make from time to time about the...performance of functions and exercise of powers.^[42]

1.60 However, the bill does not appear to require the report prepared by the Health Minister under section 94ZA to be published online, and does not appear to require the report prepared by the Commissioner to be tabled in Parliament.

1.61 Tabling documents in Parliament is important to parliamentary scrutiny, as it alerts parliamentarians to the existence of documents and provides opportunities for debate that are not available where documents are not made public or are only published online. Making documents related to the performance of Commonwealth entities and programs available online promotes transparency and accountability. Consequently, where a bill does not require the tabling or publication of documents associated with review processes, the committee would expect an appropriate justification to be included in the explanatory memorandum.

1.62 In this instance, the explanatory memorandum does not provide an explanation as to why reports prepared by the Health Minister are not required to be published online, or why reports prepared by the Commissioner are not required to be tabled in Parliament.

1.63 Noting that there may be impacts on parliamentary scrutiny where reports associated with the operation of regulatory schemes are not available to the Parliament or published online, the committee requests the minister's advice as to:

• why the bill does not require reports prepared by the Health Minister under proposed section 94ZA to be published online; and

• why the bill does not require reports prepared by the Information Commissioner under proposed section 94ZB to be tabled in Parliament.

[11] Schedule 1, item 2, proposed sections 94D, 94E, 94F, 94G and 94H. The committee draws senators’ attention to these provisions pursuant to Senate Standing Order 24(1)(a)(i).

[12] Proposed subsection 94D(1).

[13] Proposed section 94E.

[14] Proposed subsection 94F(1).

[15] Proposed subsection 94F(2). A person may disclose the COVID app data if they are employed by, or in the service of, a State or Territory health authority, and the disclosure is only for the purpose of undertaking contact tracing.

[16] Proposed section 94G.

[17] Proposed subsection 94H(1).

[18] Proposed subsection 94H(2). Relevant actions include: refusing to enter into or continue a contract or arrangement with the person; taking adverse action against the person (within the meaning of the Fair Work Act 2009); refusing to allow the person to enter certain premises; refusing to allow the person to participate in an activity; refusing to receive goods or services from a person, or insisting the person offer goods or services at a discount; and refusing to provide goods or services from the person, or insisting that the person pay a premium.

[19] Explanatory memorandum, p. 13.

[20] For example, subsection 59(3) of the My Health Records Act 2012 makes it an offence for a person to collect, use or disclose information contained in a healthcare recipient's My Health Record, where the person is unauthorised to do so.

[21] Attorney-General's Department, Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers, September 2011, p. 39.

[22] Schedule 1, item 2, subsection 94D(3). The committee draws senators’ attention to this provision pursuant to Senate Standing Order 24(1)(a)(i).

[23] Explanatory memorandum, p. 17.

[24] Attorney-General's Department, A Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers, September 2011, p. 50.

[25] Schedule 1, item 2 proposed subsections 94D(5) and (6), definition of 'COVID app data' and 'contact tracing'. The committee draws senators’ attention to these provision pursuant to Senate Standing Order 24(1)(a)(i).

[26] 'COVIDSafe is defined in subsection 6(1) of the Privacy Act, as amended by item 1 of the bill, as an app that is made available or has been made available (including before the commencement of Part VIIIA), by or on behalf of the Commonwealth, for the purpose of facilitating contact tracing.

[27] Explanatory memorandum, p. 2.

[28] Division 2, Part VIIIA.

[29] Division 3, Part VIIIA.

[30] Division 4, Part VIIIA.

[31] Paragraphs 94E(5)(a) and (b).

[32] Explanatory memorandum, p. 18.

[33] Subsection 94E(6). Subsection 6(1) of the Privacy Act, as amended by item 1 of the present Act, provides that a person has been 'in contact' with another person if the operation of COVIDSafe in relation to the person indicates that the person may have been in the proximity of the other person.

[34] Subsection 6(1) of the Privacy Act, as amended by item 1 of the present Act.

[35] Explanatory memorandum, p. 10.

[36] Maddocks, The COVIDSafe Application, Privacy Impact Assessment, 24 April 2020, pp. 19-20.

[37] Maddocks, The COVIDSafe Application, Privacy Impact Assessment, 24 April 2020, pp. 19-20.

[38] Schedule 1, item 2, section 94H. The committee draws senators’ attention to this provision pursuant to Senate Standing Order 24(1)(a)(i).

[39] The proscribed actions include taking adverse action against the person (within the meaning of the Fair Work Act 2009); refusing to allow the person to enter premises; and refusing to provide good or services to the person.

[40] Explanatory memorandum, p. 21.

[41] Schedule 1, item 2, sections 94ZA and 94ZB. The committee draws senators’ attention to these provisions pursuant to Senate Standing Order 24(1)(a)(v).

[42] Explanatory statement, p. 36.