
Australian Parliamentary Joint Committee on Human Rights

Privacy Amendment (Public Health Contact Information) Bill 2020 [2020] AUPJCHR 107 (1 July 2020)


Privacy Amendment (Public Health Contact Information) Bill 2020[1]

Purpose: The bill seeks to provide stronger privacy protections for users of the Commonwealth's COVIDSafe app and data collected through the COVIDSafe app than that which would otherwise apply in the Privacy Act 1988
Portfolio: Health
Introduced: House of Representatives, 12 May 2020. Received Royal Assent on 15 May 2020
Rights: Health, privacy
Status: Concluded examination

1.43 The committee requested a response from the minister in relation to the bill in Report 6 of 2020.[2]

COVIDSafe application

1.44 The COVIDSafe application (COVIDSafe app), which can be voluntarily downloaded and operated on Android and iOS personal devices, has been developed by the Commonwealth Government in response to the COVID-19 pandemic. The COVIDSafe app is designed to help find close contacts of persons who have tested positive for COVID-19.[3]

1.45 The Privacy Amendment (Public Health Contact Information) Bill 2020 (the bill), which received Royal Assent on 15 May 2020, amends the Privacy Act 1988 (Privacy Act) to establish a series of offences for misuse of data from the COVIDSafe app, or coercion relating to the use of the COVIDSafe app; sets out specific requirements regarding COVIDSafe app data and COVIDSafe; and includes the application of general privacy measures. All offences are punishable by imprisonment for 5 years, or 300 penalty units, or both. Extended geographical jurisdiction applies to all offences,[4] which has the effect that persons may be prosecuted for an offence even where the relevant conduct took place outside Australia.[5]

Summary of initial assessment

Preliminary international human rights legal advice

Rights to health and privacy

1.46 The initial analysis noted that this legislation does not authorise or require the use of the COVIDSafe app, rather it seeks to protect the privacy interests associated with the voluntary use of the COVIDSafe app. As such, in assessing the bill for compatibility with human rights, this analysis does not focus on any privacy implications that may emanate from the COVIDSafe app itself; the efficacy of such technology in achieving the goal of contact tracing; or the policy merits of the COVIDSafe app. Rather, its focus is on whether the legislation under consideration may promote or limit human rights.

1.47 As this is a measure designed to help prevent the establishment and spread of COVID-19, which has the ability to cause high levels of morbidity and mortality, it would appear that it may promote the right to health. The right to health is the right to enjoy the highest attainable standard of physical and mental health.[6] Article 12(2) of the International Covenant on Economic, Social and Cultural Rights requires that State parties shall take steps to prevent, treat and control epidemic diseases.[7] The United Nations Committee on Economic, Social and Cultural Rights has stated that the control of diseases refers to efforts to:

make available relevant technologies, using and improving epidemiological surveillance and data collection on a disaggregated basis, the implementation or enhancement of immunization programmes and other strategies of infectious disease control.[8]

1.48 Prohibiting unauthorised collection, use and disclosure of COVIDSafe app data is also likely to promote the right to privacy. As noted in the statement of compatibility, the bill provides stronger provisions than existing protections for personal information collected by the COVIDSafe app, thereby promoting the right to privacy.[9] However, regulating the collection, use and disclosure of such data is also likely to limit the right to privacy, as such data contains personal information about the user of the COVIDSafe app. The right to privacy includes respect for informational privacy, including the right to respect for private and confidential information, particularly the storing, use and sharing of such information.[10] It also includes the right to control the dissemination of information about one's private life. The right to privacy may be subject to permissible limitations which are provided by law and are not arbitrary. Limitations on the right to privacy will be permissible where the limitation pursues a legitimate objective, is rationally connected to that objective and is a proportionate means of achieving that objective.

1.49 The initial analysis considered that in order to fully assess the proportionality of this proposed measure, further information was required as to:

(a) what is the nature and type of data that is collected or generated through the operation of the COVIDSafe app, what information falls under the definition of 'COVIDSafe app data', and why does the bill not specify such matters;

(b) whether the COVIDSafe app data uploaded to the National COVIDSafe Data Store will include all 'digital handshakes' between two users, regardless of the length of time the users are in proximity and what 'proximity' means in this context; and if so, why is it necessary to include all such data in the National COVIDSafe Data Store;

(c) whether the de-identification process will sufficiently protect the privacy of personal information;

(d) why is it necessary to retain data uploaded to the National COVIDSafe Data Store for the duration of the COVIDSafe data period, rather than requiring data to be deleted once it has been transferred to state and territory health authorities for the purposes of contact tracing; and

(e) how long will state and territory health authorities be empowered to retain the data transferred to them by the data store administrator.

1.50 The full initial legal analysis is set out in Report 6 of 2020.

Committee's initial view

1.51 The committee considered that the bill, which is designed to encourage more people to download the COVIDSafe app in order to enable faster and more effective contact tracing of anyone who may have been exposed to COVID-19, is likely to promote and protect the right to health, noting that the right to health requires Australia to take steps to prevent, treat and control epidemic diseases. The committee also considers that as the bill provides stronger privacy protections for personal information collected by the COVIDSafe app, it is likely to promote the right to privacy.

1.52 However, regulating the collection, use and disclosure of such data is also likely to engage the right to privacy, as such data contains personal information about the user of the COVIDSafe app. The right to privacy may be subject to permissible limitations if it is shown to be reasonable, necessary and proportionate. In order to fully assess the compatibility of these measures with the right to privacy, the committee sought the minister's advice as to the matters set out at paragraph [1.49].

Attorney-General's response[11]

1.53 The Attorney-General advised:

(a) What is the nature and type of data that is collected or generated through the operation of the COVIDSafe app, what information falls under the definition of 'COVIDSafe app data', and why does the bill not specify such matters?
The following data is collected or generated through the operation of the COVIDSafe app:

Registration data: this is data collected from a COVIDSafe user when they register for the app, and includes their mobile phone number, name (which can include a partial name or pseudonym), age range and postcode. Based on this information an encrypted reference code is then generated for the app on that device.

Data generated through use of COVIDSafe: this is data generated through an individual's use of COVIDSafe when they come into contact with another COVIDSafe user, and includes the other user's encrypted reference code, the date and time of contact, the Bluetooth signal strength of the other COVIDSafe user and the other user's device model. This information is securely encrypted and stored locally on the user's device.

The definition of 'COVID app data' in subsection 94D(5) is intended to capture all of the above data, by referring to data relating to a person that has been collected or generated (including before the commencement of the Act).
Importantly, the effect of paragraph 94D(2)(b) of the Act is that the National COVIDSafe Data Store administrator is only allowed to collect, use or disclose information through the COVIDSafe App to the extent required to enable State and Territory contact tracing, or to maintain COVIDSafe and the National COVIDSafe Data Store.
(b) Whether the COVIDSafe app data uploaded to the National COVIDSafe Data Store will include all 'digital handshakes' between two users, regardless of the length of time the users are in proximity and what 'proximity' means in this context; and if so, why is it necessary to include all such data in the National COVIDSafe Data Store.
The COVIDSafe app collects 'digital handshake' data that is exchanged between users of the app at regular intervals. This contact information is stored on the user's phone/device. Contact information older than 21 days on the phone/device is automatically deleted. It is not technologically feasible to ignore other users' Bluetooth signals beyond 1.5 metres or to limit the collection of Bluetooth signals to 15 minutes contact. This is because the nature of Bluetooth technology means signals can be detected within about 10 metres and the COVIDSafe app detects the strength of Bluetooth signals not the distance.
When a user is diagnosed with COVID-19 and consents to their data being uploaded, contact information on the phone is stored in the National COVIDSafe Data Store. This includes the unique identifier of the contact, date/time the contact occurred and the proximity based on what has been detected via Bluetooth. However, the Government has put in place access restrictions to 'digital handshake' data uploaded to the National COVIDSafe Data Store such that, when a state or territory health official accesses the system, they are only presented with the user's close contacts, defined as contact between users for at least 15 minutes at a proximity approximately within 1.5 metres.
(c) Whether the de-identification process will sufficiently protect the privacy of personal information.
The Act has been designed to allow only very limited de-identification of COVID app data. Specifically, under paragraph 94D(2)(f), the only de-identified information that can be produced from COVID app data is de-identified statistical information about the total number of COVIDSafe registrations, and this can only be produced by the National COVIDSafe Data Store administrator. This minimises any potential risk of flaws in the de-identification process, or the publication of de-identified information that could be later re-identified.
(d) Why is it necessary to retain data uploaded to the National COVIDSafe Data Store for the duration of the COVIDSafe data period, rather than requiring data to be deleted once it has been transferred to state and territory health authorities for the purposes of contact tracing?
Data uploaded to the National COVIDSafe Data Store will be accessed by State and Territory health officials to support contact tracing activities. This data is retained for the duration of the COVIDSafe data period to provide a record of any data accessed and by whom through use of the system. This includes investigations where authorised under the Privacy Act 1988 (the Privacy Act).
Retaining data in the National COVIDSafe Data Store for the duration of the COVIDSafe data period will allow the Information Commissioner to effectively perform the oversight role provided for in the Act by enhancing the Commissioner's ability to investigate complaints about breaches of the legislation and undertake assessments of compliance with privacy obligations under the legislation. The retention of COVID app data for this period will also support law enforcement undertaking investigations into breaches of the legislation.
The National COVIDSafe Data Store administrator will automatically delete all data from the National COVIDSafe Data Store at the conclusion of the COVIDSafe data period. Individuals can also request deletion of their registration data at any time under section 94L of the Act. Once a deletion request is actioned, State and Territory health officials will not be able to contact the user if they are a close contact of another user who is diagnosed with COVID-19.
(e) How long will state and territory health authorities be empowered to retain the data transferred to them by the data store administrator?
One effect of sections 94R and 94X of the Act is that State and Territory health authorities are subject to the Privacy Act when handling COVID app data, and that COVID app data is treated as 'personal information' under the Privacy Act. This in turn means that the existing provisions of the Privacy Act apply to State and Territory health authorities handling COVID app data (except where those existing provisions are overridden by the stricter protections contained in the Act).
Consequently, Australian Privacy Principle (APP) 11 is expected to apply to COVID app data that State and Territory health authorities hold. This would include APP 11.2, which requires entities to destroy personal information that is no longer required for a legally-permissible purpose (i.e. for contact tracing purposes).

Concluding comments

International human rights legal advice

1.54 The Attorney-General has advised that, where a COVIDSafe app user comes into contact with another user, the app will generate data detailing the date and time of contact, as well as the other user's: encrypted reference code; Bluetooth signal strength; and device model. The Attorney-General has stated that the term 'COVIDSafe app data', which is undefined in the bill, is intended to capture all of this data, in addition to the registration data which a user provides on registering for the COVIDSafe app. This is useful information as to the data that will be potentially uploaded onto the National Data Safe Store, however, it remains unclear why the term 'COVIDSafe app data' is not defined in the bill itself, noting that the data to which it relates appears to be clearly identifiable. Leaving this detail to policy means that what constitutes 'COVIDSafe app data' can change over time.

1.55 Further information was also sought as to data detailing 'digital handshakes' between two devices with the COVIDSafe app installed. The Attorney-General has advised that all digital handshakes of any length of time will be uploaded to the National COVIDSafe Data Store. However, the government has put in place restrictions to restrict access by state and territory health authorities to only those handshakes that identify contact between two users for at least 15 minutes and at a proximity within approximately 1.5 metres. The Attorney-General advises that this is because it is not technologically feasible to ignore other users' Bluetooth signals where a device is picking up the signal and registering the contact. The Attorney-General notes that, depending on the strength of a signal, a Bluetooth signal may be detected within a 10 metre range. The restriction on the ability of state and territory health authorities to access all information in the National COVIDSafe Data Store is significant, and assists with the proportionality of the limitation on the users' rights to privacy. However, noting that only digital handshake data which indicates a contact between two users of 15 minutes at a proximity of approximately 1.5 metres is useful for contact tracing purposes, it is not clear why all other data should not be deleted from the National COVIDSafe Data Store once uploaded, as it has no further utility with respect to facilitating contact tracing. It is also not clear why this restriction is not set out in the legislation itself. Where a measure limits a human right, discretionary or administrative safeguards alone may not be sufficient for the purpose of a permissible limitation under international human rights law.[12] This is because administrative and discretionary safeguards are less stringent than the protection of statutory processes and can be amended or removed at any time.

1.56 Clarification was also sought as to why it is necessary to retain data uploaded to the National COVIDSafe Data Store for the duration of the COVIDSafe data period, rather than requiring that data be deleted once it has been transferred to state and territory health authorities for the purposes of contact tracing. The Attorney-General advised that retaining such data for the duration of the COVIDSafe data period will provide a record of any data accessed through the use of the system. This will enable the Information Commissioner to effectively perform their oversight functions, and support both the Information Commissioner and law enforcement undertaking investigations into breaches of legislation. This assists with understanding the necessity of retaining this data during this period. However, it is noted that as soon as reasonably practicable after the COVIDSafe data period ends, the data store administrator is required to delete all COVIDSafe app data from the Data Store. If this is the case then it is unclear how the Information Commissioner and law enforcement can effectively perform their role in investigating any breaches that occur close to this end period, if it is necessary to retain this information for that purpose. It is relevant to the proportionality of the measure that a COVIDSafe app user can request the deletion of their data from the Data Store at any time.

1.57 Further information was also sought as to how long state and territory health authorities who have received COVIDSafe app data transferred to them by the data store administrator could retain that data. The Attorney-General advised that the Privacy Act 1988 applies in relation to the data, and it is expected that Australian Privacy Principle 11 will apply to such data, requiring the states and territories to destroy personal information that is no longer required for a legally-permissible purpose (in this instance, for contact tracing purposes). However, it is noted that these obligations would be clearer if the Act specifically specified that states and territories must delete any COVIDSafe app data after any contact tracing has taken place.

1.58 In conclusion, as set out in the initial analysis, the bill contains a number of measures that are designed to provide privacy protections relating to COVIDSafe app data and the COVIDSafe app.[13] The Attorney-General has provided further information with respect to several safeguards which assist in an assessment of the proportionality of these measures with respect to the right to privacy. It is useful that states and territories have restricted access to the data which is uploaded to the National COVIDSafe Data Store, and that the de-identification of data only applies to statistical information regarding the total number of COVIDSafe app registrations. Given the extensive safeguards contained in the bill itself, the measure may constitute a permissible limitation on the right to privacy. However, the proportionality of this measure would be further assisted if the Act:

(a) defined the term 'COVIDSafe app data' as being the data which the minister has outlined in this response;

(b) provided that only data indicating a 'digital handshake' between two devices of at least 15 minutes duration within a proximity of approximately 1.5 metres may be retained on the National COVIDSafe Data Store, noting the advice that only this data is used for contact tracing purposes; and

(c) specifically provided that state and territory health authorities which have received COVIDSafe app data must delete that data as soon as reasonably practicable once the data is no longer required for contact tracing purposes.

Committee view

1.59 The committee thanks the Attorney-General for this response. The committee notes that this Act is designed to encourage more people to download the COVIDSafe app in order to enable faster and more effective contact tracing of anyone who may have been exposed to COVID-19, and provides stronger privacy protections for data collected through the COVIDSafe contact tracing application than would otherwise apply in the Privacy Act 1988. In this respect, the committee considers that the Act is likely to promote the rights to health and privacy.

1.60 The committee also notes that the Attorney-General has outlined several measures which limit access to COVIDSafe app data, and require its deletion where it is no longer required for a legally permissible purpose. The committee considers that given the extensive safeguards contained in the bill itself, the measure constitutes a permissible limitation on the right to privacy.

1.61 The committee considers that the stringent privacy protections in this Act could be further strengthened if the Act:

(a) defined the term 'COVIDSafe app data' as being the data which the minister has outlined in this response;

(b) provided that only data indicating a 'digital handshake' between two devices of at least 15 minutes duration within a proximity of approximately 1.5 metres may be retained on the National COVIDSafe Data Store, noting the advice that only this data is used for contact tracing purposes; and

(c) specifically provided that state and territory health authorities which have received COVIDSafe app data must delete that data as soon as reasonably practicable once the data is no longer required for contact tracing purposes.


[1] This entry can be cited as: Parliamentary Joint Committee on Human Rights, Privacy Amendment (Public Health Contact Information) Bill 2020, Report 8 of 2020; [2020] AUPJCHR 107.

[2] Parliamentary Joint Committee on Human Rights, Report 6 of 2020 (20 May 2020), pp. 5-15.

[3] Explanatory memorandum, p. 2.

[4] Privacy Amendment (Public Health Contact Information) Bill 2020, section 94J.

[5] Criminal Code Act 1995, section 15.1.

[6] International Covenant on Economic, Social and Cultural Rights, article 12(1).

[7] International Covenant on Economic, Social and Cultural Rights, article 12(2)(c).

[8] United Nations Committee on Economic, Social and Cultural Rights, General Comment No. 14: The Right to the Highest Attainable Standard of Health (Art. 12) (2000), [16].

[9] Statement of compatibility, p. 5.

[10] International Covenant on Civil and Political Rights, article 17.

[11] The minister's response to the committee's inquiries was received on 10 June 2020. This is an extract of the response. The response is available in full on the committee's website at: https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Human_Rights/Scrutiny_reports.

[12] See, for example, Human Rights Committee, General Comment 27, Freedom of movement (Art.12) (1999).

[13] Parliamentary Joint Committee on Human Rights, Report 6 of 2020 (20 May 2020), pp. 5-15.


URL: http://www.austlii.edu.au/au/other/AUPJCHR/2020/107.html