Australian Senate Standing Committee for the Scrutiny of Bills - Scrutiny Digests

Purpose: This bill seeks to amend the Privacy Act 1988 to assist in preventing and controlling the entry, emergence, establishment or spread of the coronavirus known as COVID-19 into Australia or any part of Australia by providing specific privacy protections for users of the Commonwealth’s COVIDSafe app and data collected through the app. The bill also seeks to elevate the provisions of the related determination into primary legislation and to introduce additional measures to strengthen privacy protections.
Portfolio: Attorney-General
Introduced: House of Representatives on 12 May 2020
Bill status: Received the Royal Assent on 15 May 2020
2.115 In Scrutiny Digest 8 of 2020 the committee requested the minister's advice as to why it is considered necessary and appropriate to impose significant penalties for the offences in proposed sections 94D to 94H.[39]
Minister's response[40]
2.116 The minister advised:
The Privacy Amendment (Public Health Contact Information) Act 2020 (the Act) was introduced to elevate the interim provisions contained in the Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements – Public Health Contact Information) Determination 2020 (the Determination) into primary legislation. The penalty for non-compliance with a Determination made under the Biosecurity Act 2015 is imprisonment for five years, a fine of 300 penalty units, or both. These penalties are commensurate with the seriousness of non-compliance, given the Health Minister can only make Determinations under the Biosecurity Act during a biosecurity emergency.
The Act maintains the key criminal offences under the Determination and imposes the same penalties of imprisonment for five years, a fine of 300 penalty units, or both. It is important that penalties under the Act mirror those under the Determination to ensure that the same penalty applies to an offence regardless of whether the offence was committed under the Determination or the Act. This approach is consistent with the Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers, which recommends consistent penalties across legislation.
While the penalties contained in the Act represent unprecedented safeguards for data, the highest possible level of protections are necessary to maintain public confidence in the COVIDSafe app and encourage the installation and use of the app. The COVIDSafe app facilitates effective contact tracing, which is a critical component of Australia's COVID-19 response.
The maximum penalties contained in the Act aim to provide an effective deterrent to the commission of offences under the Act and reflect the seriousness of the offences. While the penalties in the Act are higher than some other penalties imposed under the Privacy Act 1988, consistent with the Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers, this higher penalty is justified because of the serious consequences of the commission of the offence. In addition, the prosecutor and relevant court have the discretion to pursue or impose a range of penalties based on the seriousness of the offence, with only the most serious offences attracting the maximum penalty. Similarly, if prohibited conduct under the Act is investigated as an interference with privacy rather than a criminal offence, the Information Commissioner has discretion to seek a civil penalty proportionate to the seriousness of the interference with privacy.
Committee comment
2.117 The committee thanks the Attorney-General for this response. The committee notes the Attorney-General's advice that the penalties in the bill 'represent unprecedented safeguards for data' to reflect the importance of safeguarding COVIDSafe app data and ensuring public confidence to encourage the installation and use of the app. The committee also notes the Attorney-General's advice that the consequences of the commission of an offence under the bill warrant higher penalties than other offences in the Privacy Act 1988 due to the significant consequences of the commission of such an offence.
2.118 The committee further notes the Attorney-General's advice that the prosecutor and relevant court have discretion over penalties dependent on the severity of the offence, and that discretionary civil penalties may be imposed by the Information Commissioner if conduct is investigated on privacy as opposed to criminal grounds.
2.119 Finally, the committee notes the Attorney-General's advice that the penalties imposed by the bill are in line with the penalties imposed under the Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements – Public Health Contact Information) Determination 2020 to ensure consistency across legislation.
2.120 The Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers explains that a higher maximum penalty for specified offence(s) within a legislative scheme may be justified if:
• there are strong incentives to commit the offence; or
• the consequences of the commission of the offence are particularly dangerous or damaging.[41]
2.121 The Attorney-General has advised that higher penalties are justified due to the serious consequences of commission of the offences set out in the bill. However, from a scrutiny perspective, the committee is of the view that the Attorney-General has insufficiently specified the consequences of commission of the offences or explained how they are particularly dangerous or damaging. The explanation that strong data protection laws are required to instil public confidence in the COVIDSafe app, and encourage its use, does not directly address what the particularly dangerous or damaging consequences of the commission of an offence may be.
2.122 From a scrutiny perspective, the committee considers that the high maximum penalties in the bill have not been adequately justified. However, in light of the fact that the bill has received the Royal Assent the committee makes no further comment on this matter.
2.123 In Scrutiny Digest 8 of 2020 the committee requested the minister's advice as to:
• the scope of the information that is collected or generated through the COVIDSafe app, including whether 'COVID app data' includes:
    • decrypted records of a user's contacts over the previous 21 days, in circumstances where the user has tested positive for COVID-19; or
    • data transformed or derived from COVID app data by state or territory health officials; and
• when the COVIDSafe app will make a record of a 'digital handshake' between users of the app, and upload that record to the National COVIDSafe Data Store, including:
    • how close users must be to each other in order for the app to record a 'digital handshake'; and
    • how long users must be in proximity to each other for the app to record a 'digital handshake'.
2.124 The committee also requested the minister's advice as to how COVID app data will be de-identified, and how the de-identification process will protect the privacy of individuals.[43]
Minister's response
2.125 The minister advised:
The following encrypted data is collected or generated through the operation of the COVIDSafe app:
Registration data: this is data collected from a COVIDSafe user when they register for the app, and includes their mobile phone number, name (which can include a partial name or pseudonym), age range and postcode. Based on this information, COVIDSafe generates an encrypted reference code for the app on that device, which is refreshed every 7.5 minutes, enhancing the security of the phone to help protect the privacy of the user.
Data collected during a digital handshake: the COVIDSafe app uses Bluetooth to look for other devices that have the app installed. The details of the contact are securely exchanged between phones through end-to-end encryption. This contact or 'digital handshake' securely logs the other user's encrypted reference code, the date and time of contact, the Bluetooth signal strength of the other COVIDSafe user and the other user's device model. This information is stored locally on the user's device for 21 days before it is deleted.
This period allows for the maximum 14-day incubation period of the coronavirus, and time allowed to confirm a positive test result.
If a user tests positive for COVID-19, they are contacted by a public health official and asked if they consent to upload their encrypted information from their device to the National COVIDSafe Data Store. If the user consents, a public health official sends a unique PIN to the user's app which the user is required to enter on their device to allow the upload to occur. The scope of COVID app data includes decrypted records of a user's contact over the previous 21 days, in circumstances where the user has tested positive for COVID-19, and has consented to upload information to the National COVIDSafe Data Store. Data is only decrypted after it is uploaded to the Data Store.
COVID app data does not include information obtained by state or territory health officials during contact tracing from a source other than directly from the National COVIDSafe Data Store. Any additional information that is collected during the manual contact tracing process will not be COVID app data, even if this information is identical to the COVID app data or is a more complete version of the COVID app data (for example, if a user registered for COVIDSafe with a pseudonym but provided their full name to a state or territory health authority).
The COVIDSafe app collects 'digital handshake' data that is exchanged between users of the app at regular intervals. This contact information is stored on the user's device. Contact information older than 21 days on the device is automatically deleted. It is not technologically feasible to ignore other users' Bluetooth signals beyond 1.5 metres or to limit the collection of Bluetooth signals to 15 minutes contact. This is because the nature of Bluetooth technology means signals can be detected within close proximity and the COVIDSafe app detects the strength of Bluetooth signals rather than the distance. The app estimates the distance between users based on the strength of the Bluetooth signal.
The Government has put in place access restrictions to 'digital handshake' data uploaded to the National COVIDSafe Data Store such that, when a state or territory health official accesses the system, they are only presented with the user's close contacts, defined as contact between users for at least 15 minutes at a proximity approximately within 1.5 metres.
De-identification of data
The Act has been designed to allow only very limited de-identification of COVID app data. Specifically, under paragraph 94D(2)(f), the only de-identified information that can be produced from COVID app data is de-identified statistical information about the total number of COVIDSafe registrations, and this can only be produced by the National COVIDSafe Data Store administrator. This minimises any potential risk of flaws in the de-identification process, or the publication of de-identified information that could be later re-identified.
Committee comment
2.126 The committee thanks the Attorney-General for this response. In relation to registration data, the committee notes the Attorney-General's advice that this data is collected from a COVIDSafe user when they register for the app, and includes their mobile phone number, name (which can include a partial name or pseudonym), age range and postcode. Based on this information, COVIDSafe generates an encrypted reference code for the app on that device, which is refreshed every 7.5 minutes, enhancing the security of the phone to help protect the privacy of the user.
2.127 In relation to data collected during a digital handshake, the committee notes the Attorney-General's advice that the COVIDSafe app uses Bluetooth to look for other devices that have the app installed and that the details of the contact are securely exchanged between phones through end-to-end encryption. This 'digital handshake' securely logs the other user's encrypted reference code, the date and time of contact, the Bluetooth signal strength of the other COVIDSafe user and the other user's device model. This information is stored locally on the user's device for 21 days before it is deleted. Data is only decrypted after a user tests positive for COVID-19 and consents to the data being uploaded to the National COVIDSafe Data Store.
2.128 The committee also notes the Attorney-General's advice that in the process of collecting digital handshake data it is not technologically feasible to ignore other users' Bluetooth signals beyond 1.5 metres or to limit the collection of Bluetooth signals to 15 minutes contact. This is because the nature of Bluetooth technology means signals can be detected within close proximity and the COVIDSafe app detects the strength of Bluetooth signals rather than the distance. The app estimates the distance between users based on the strength of the Bluetooth signal.
2.129 In light of this advice, the committee notes that the scope of data that an app user carries on their mobile device in relation to other app users appears not to be limited by proximity and duration (that is, it is not limited to a user's close contacts, defined as contact between users for at least 15 minutes at a proximity approximately within 1.5 metres). However, the committee notes the Attorney-General's advice that the government has put in place access restrictions to 'digital handshake' data uploaded to the National COVIDSafe Data Store such that, when a state or territory health official accesses the system, they are only presented with the user's close contacts, defined as contact between users for at least 15 minutes at a proximity approximately within 1.5 metres.
2.130 In relation to publication of de-identified data, the committee notes the Attorney-General's advice that the only de-identified information that can be produced from COVID app data is de-identified statistical information about the total number of COVIDSafe registrations. The Attorney-General advises that this minimises any potential risk of flaws in the de-identification process, or the publication of de-identified information that could be later re-identified.
2.131 The committee welcomes the Attorney-General's clarification of the scope of information that is collected or generated through the COVIDSafe app. The committee notes that the scope of what falls within the definition 'COVID app data' is central to the operation of the provisions of the bill which are intended to provide stronger privacy protections for users of the COVIDSafe app and data collected through the app. From a scrutiny perspective, the committee therefore considers that the definition of 'COVID app data' in the bill, and the associated definition of 'registration data', should have included further detail as to what data is intended to fall within the scope of these terms.
2.132 In light of the fact that the bill has received the Royal Assent the committee makes no further comment on this matter.
2.133 In Scrutiny Digest 8 of 2020 the committee requested the minister's advice as to whether the offences in section 94H of the Act would apply to making discounts, payments and other incentives (including placing additional requirements or conditions on individuals who have not downloaded the app) contingent on a person downloading or using the COVIDSafe app, or uploading COVID app data to the National COVIDSafe Data Store.[45]
Minister's response
2.134 The minister advised:
The Explanatory Memorandum to the Act states that subsection 94H(2) requires that a person cannot cause another person disadvantage by virtue of that person not having COVIDSafe installed, not having COVIDSafe operating on the person's communication device, or not consenting to uploading COVID app data from a communication device to the National COVIDSafe Data Store. The offering of discounts or payments only to persons with the COVIDSafe app installed or in use would likely constitute a disadvantage to a person who does not have the app installed or in use. For example, paragraph 94H(2) specifically provides it is an offence to insist on receiving more monetary consideration for a good or service on the grounds that a person has not downloaded or does not have COVIDSafe in operation, or has not consented to uploading their data to the National COVIDSafe Data Store. Specific conditions or requirements imposed on persons who do not have the COVIDSafe app installed or in use would need to be considered on a case-by-case basis to determine if they would constitute a disadvantage.
Committee comment
2.135 The committee thanks the Attorney-General for this response. The committee notes the Attorney-General’s advice that offering discounts or payments only to persons who have the COVIDSafe app installed would likely constitute a disadvantage to persons who have not installed the COVIDSafe app, noting that paragraph 94H(2)(f) provides that it is an offence to insist on receiving more monetary consideration for a good or service on the ground that a person has not installed the COVIDSafe app.
2.136 The committee also notes the Attorney-General’s advice that specific conditions or requirements imposed on persons who do not have the COVIDSafe app installed or in use would need to be considered on a case-by-case basis to determine if they would constitute a disadvantage. It therefore appears unclear whether, for example, a person would commit an offence under subsection 94H(2) if the person sought to enforce a requirement that patrons of a restaurant who have not downloaded the COVIDSafe app must provide their contact details to the restaurant.
2.137 The committee notes that the offence in subsection 94H(2) is intended to ensure that those persons who do not wish to download the COVIDSafe app will not suffer any disadvantage as a result. From a scrutiny perspective, the committee therefore considers that the offence in subsection 94H(2) should have been drafted to provide more clarity as to whether a person would commit an offence if the person sought to impose specific conditions or requirements on persons who do not have the COVIDSafe app installed or in use.
2.138 In light of the fact that the bill has received the Royal Assent the committee makes no further comment on this matter.
2.139 In Scrutiny Digest 8 of 2020 the committee noted that there may be impacts on parliamentary scrutiny where reports associated with the operation of regulatory schemes are not available to the Parliament or published online, and requested the minister's advice as to why the bill does not require reports prepared by the Health Minister under proposed section 94ZA to be published online, and why the bill does not require reports prepared by the Information Commissioner under proposed section 94ZB to be tabled in Parliament.[47]
Minister's response[48]
2.140 The minister advised:
The Act includes a requirement that the Minister for Health provide a report to Parliament as soon as practicable after each six-month period on the operation and effectiveness of the COVIDSafe app. After these reports are tabled in Parliament they will be publicly accessible online via the Parliament of Australia website. The Information Commissioner is required to publish reports on the Commissioner's performance of functions and exercise of powers under the Act. The Government expects that the Commissioner's report would be similar to the periodic reports the Commissioner publishes on the Commissioner's website about the operation of the Notifiable Data Breaches scheme in Part IIIC of the Privacy Act.
These reporting requirements underscore the Government's commitment to transparency about the operation and effectiveness of COVIDSafe and the unprecedented privacy and security protections built around the app's data handling. Ensuring the reports prepared by the Minister for Health and the Information Commissioner will be publicly available will also support Parliamentary scrutiny processes.
Committee comment
2.141 The committee thanks the Attorney-General for this response. The committee notes the Attorney-General’s confirmation that reports prepared by the Health Minister under proposed section 94ZA will be tabled in Parliament and publicly accessible online via the Parliament of Australia website. In relation to reports prepared by the Information Commissioner under proposed section 94ZB, the committee notes that the Attorney-General’s advice has not directly addressed why the bill does not require these reports to be tabled in Parliament.
2.142 The committee considers that tabling documents in Parliament is important to parliamentary scrutiny, as it alerts parliamentarians to the existence of documents and provides opportunities for debate that are not available where documents are only published online. In addition, making documents related to the performance of Commonwealth entities and programs available online promotes transparency and accountability.
2.143 From a scrutiny perspective, the committee therefore considers that the bill should have included a requirement that reports prepared by the Health Minister relating to the operation and effectiveness of COVIDSafe be published on the department's website to ensure ease of access and increased transparency, rather than leaving the reports to be published only by the Parliament. In addition, the committee considers that the bill should also have included a requirement that reports prepared by the Information Commissioner on the performance of the Commissioner's COVIDSafe functions be tabled in Parliament.
2.144 In light of the fact that the bill has received the Royal Assent the committee makes no further comment on this matter.
[38] Schedule 1, item 2, proposed sections 94D, 94E, 94F, 94G and 94H. The committee draws senators’ attention to these provisions pursuant to Senate Standing Order 24(1)(a)(i).
[39] Senate Scrutiny of Bills Committee, Scrutiny Digest 8 of 2020, pp. 10-12.
[40] The minister responded to the committee's comments in a letter dated 2 July 2020. A copy of the letter is available on the committee's website: see correspondence relating to Scrutiny Digest 9 of 2020 available at: www.aph.gov.au/senate_scrutiny_digest
[41] Attorney-General's Department, A Guide to Framing Commonwealth Offences, Infringement Notices and Enforcement Powers, September 2011, p. 38.
[42] Schedule 1, item 2, proposed subsections 94D(5) and (6), definition of 'COVID app data' and 'contact tracing'. The committee draws senators’ attention to these provisions pursuant to Senate Standing Order 24(1)(a)(i).
[43] Senate Scrutiny of Bills Committee, Scrutiny Digest 8 of 2020, pp. 14-16.
[44] Schedule 1, item 2, section 94H. The committee draws senators’ attention to this provision pursuant to Senate Standing Order 24(1)(a)(i).
[45] Senate Scrutiny of Bills Committee, Scrutiny Digest 8 of 2020, pp. 16-17.
[46] Schedule 1, item 2, sections 94ZA and 94ZB. The committee draws senators’ attention to these provisions pursuant to Senate Standing Order 24(1)(a)(v).
[47] Senate Scrutiny of Bills Committee, Scrutiny Digest 8 of 2020, pp. 18-19.
[48] The minister responded to the committee's comments in a letter dated 2 July 2020. A copy of the letter is available on the committee's website: see correspondence relating to Scrutiny Digest 9 of 2020 available at: www.aph.gov.au/senate_scrutiny_digest
URL: http://www.austlii.edu.au/au/other/AUSStaCSBSD/2020/125.html