House debates

Tuesday, 12 May 2020

Bills

Privacy Amendment (Public Health Contact Information) Bill 2020; Second Reading

1:10 pm

Christian Porter (Pearce, Liberal Party, Attorney-General)

I move:

That this bill be now read a second time.

The Privacy Amendment (Public Health Contact Information) Bill 2020 will ensure that there are strong ongoing privacy protections to support the download, use and eventual decommission of the Australian government's COVIDSafe app.

At release, COVIDSafe was supported by interim privacy protections contained in the Minister for Health's determination under the Biosecurity Act 2015. Building on this, the purpose of this bill is to enshrine the privacy protections in the determination into primary legislation by inserting a new part into the Privacy Act 1988, give the Australian Information Commissioner oversight of COVIDSafe app data and introduce additional provisions that clarify protections in the determination.

The bill guarantees that the Australian public can have confidence that their privacy will be protected if they download and use COVIDSafe. An increase in the uptake of COVIDSafe will help states and territories trace outbreaks and combat the spread of COVID-19.

Background

To understand the bill's privacy protections, it is first crucial to understand how COVIDSafe operates and handles personal information. You will see that strong privacy protections have been built into the design of COVIDSafe as it requires users to provide the minimum amount of information required to contact trace, which is encrypted until it is required by health officials.

COVIDSafe is a voluntary app developed by the Australian government that was launched on 26 April 2020. COVIDSafe can be installed on Android and iOS personal devices to collect information to assist state and territory health officials when they conduct contact tracing to combat the spread of COVID-19.

When a person downloads COVIDSafe, they are asked to register by entering a limited amount of personal information: a name or pseudonym, an age range, a mobile phone number and a postcode. Once verified by text message, this information is then uploaded in an encrypted form to the National COVIDSafe Data Store.

Once a user has registered, COVIDSafe works by using bluetooth signals to record encrypted data about close contacts with other users and stores this locally on their device. If this data is not uploaded to the National COVIDSafe Data Store, it is deleted on a rolling 21-day basis. Unlike manual contact tracing, COVIDSafe can record close contacts who are not known to the user—for example, people who sit near another user on the bus, at an event or in line at the supermarket. When a COVIDSafe user tests positive for COVID-19, they will be contacted by a health official in their state or territory as part of the usual contact tracing process. When making contact, the health official will then ask the person if they use COVIDSafe. If they do, the health official will send them a code by text message to enter in the app. If the code is entered, the user consents to uploading the encrypted data about their close contacts to the National COVIDSafe Data Store.

Once information about close contacts is uploaded, state and territory contact tracers can access this information to notify the positive user's close contacts that they may have been exposed to the coronavirus. From this point, contact tracers will inform people at risk of COVID-19 that they have been exposed without identifying the infected app user. Contact tracers will step people at risk through what to do next, such as getting tested or self-isolating.

COVIDSafe, therefore, has the potential to significantly speed up existing manual contact-tracing processes, and in turn could accelerate the pace at which governments can ease restrictions while still keeping Australians safe.

Biosecurity declaration

The Australian public must have confidence that COVIDSafe protects their privacy for it to be used and highly effective in combating the spread of COVID-19. To this end, the Minister for Health, the Hon. Greg Hunt, made a determination under the Biosecurity Act on 25 April 2020—before the COVIDSafe launch. This determination provided strong interim privacy protections for data collected through COVIDSafe prior to the passage of this bill.

The determination contains provisions that:

              Finally, the determination created criminal offences for the breach of the above requirements, with a maximum penalty of five years imprisonment.

              Enshrining the determination

              The Australian government has now developed this bill to enshrine the COVIDSafe privacy protections in the determination in primary legislation.

              The protections in the bill will apply to all COVIDSafe data from the point at which the bill commences, even if that data was created before the bill commenced. Until the bill is passed, the determination will continue to apply to the handling of COVIDSafe app data.

              The bill will also override the effect of any previously enacted laws under section 94ZD. This means that the bill will apply in place of any other laws that may apply, including the determination, once it passes into law. At that point, those handling COVIDSafe app data will have a single legislative reference, being the Commonwealth Privacy Act.

              Criminal offences under the bill

              While I do not plan to address those areas of the bill which directly replicate the determination, I will note that key criminal offences from the determination continue to apply, and remain subject to the same penalties, being imprisonment for five years, a fine of 300 penalty units ($63,000), or both. These are, of course, the maximum penalties that could be applied and are reserved for the most serious types of offending. The offences to which they would relate include:

                            Committing criminal offences will breach the Privacy Act

                            The bill ensures oversight of COVIDSafe app data by the Australian Information Commissioner. The offences under the bill will also be breaches of the Privacy Act in certain circumstances. Therefore, (under section 94R) if a person commits an offence under the bill and that person is either already required to comply with the Privacy Act or is a state or territory health authority handling COVIDSafe app data, then the person's conduct will also breach the Privacy Act.

                            This gives individuals affected by the breach more options for enforcement because they will have the option to make a complaint to the commissioner in addition to being able to report the matter to law enforcement.

                            Broader application of the Privacy Act

                            The bill will go further than the determination by ensuring that COVIDSafe app data must also be treated as 'personal information' under the Privacy Act, by virtue of section 94Q. This automatically applies a range of existing Privacy Act protections to COVIDSafe app data, including privacy policy, notification, and security obligations. The commissioner will be able to undertake a formal assessment of whether an entity subject to the Privacy Act, or a state or territory health authority handling COVIDSafe app data, is complying with the requirements in this bill.

                            The commissioner will also have discretion to refer matters that may constitute a breach of a state or territory privacy law to the responsible state or territory privacy regulator.

                            There is also an additional requirement that the commissioner provide regular public reports on the performance and exercise of her new powers and functions under part VIIIA.

                            Application of Notifiable Data Breaches Scheme

                            The bill applies the existing Notifiable Data Breaches Scheme to COVIDSafe app data under section 94S. The bill requires the administrator of the National COVIDSafe Data Store, or a state or territory health authority handling COVIDSafe app data, to notify the commissioner of any data breach involving COVIDSafe app data. The commissioner will then have the power to require the breach to be notified to affected individuals.

                            The notification requirement would be automatic in the event of a data breach, which is much stronger than the protection in the Privacy Act's existing data breach notification requirements.

                            Summary of further differences between the bill and determination

                            It should be noted that the bill also includes new clauses which:

                                        I will now outline why these changes have been made.

                                        Requiring the use of COVIDSafe

                                        The prohibition on requiring a person to use the COVIDSafe app has been clarified under section 94H. A person will not be liable for this offence if they require a person to use COVIDSafe before entering their private residence, reflecting the normal expectation that a person is generally free to deny another person access to their home for any reason. However, this exemption is limited and would not apply to other situations covered by the offence involving a commercial relationship, such as a landlord-tenant relationship, a share house relationship or an employment relationship.

                                        Protections for former COVIDSafe users

                                        Section 94N is a new provision that guarantees that COVIDSafe will not be used to collect any further data from people who have chosen to delete the app. Section 94N provides that, if a user re-registers for the app, data collection can resume. This protection provides further assurance that a user's consent is central to COVIDSafe data collection.

                                        Administration of the National COVIDSafe Data Store

                                        With regard to administration of the National COVIDSafe Data Store, the bill designates the Australian Department of Health as the administrator of the National COVIDSafe Data Store and allows it to delegate some or all of these functions to certain Commonwealth government agencies under the proposed section 94Z. The Department of Health must make that delegation via a 'notifiable instrument', meaning the delegation will always be announced publicly. Importantly, an enforcement body or intelligence agency cannot be designated as the data store administrator.

                                        Currently, the Digital Transformation Agency (DTA) is responsible for technical administration of COVIDSafe and the National COVIDSafe Data Store, in consultation with the Department of Health. When the bill comes into law, the Department of Health will formally delegate some of its administrator functions to the DTA to reflect this arrangement. If the Department of Health later delegates these functions to another agency, Health will need to publicly announce that fact via notifiable instrument.

                                        Deleting the National COVIDSafe Data Store

                                        Regarding deletion of the National COVIDSafe Data Store, the bill finally also includes a more specific process for deletion of the National COVIDSafe Data Store once the pandemic is over, compared to the determination. This includes a process for the minister to determine the end of the COVIDSafe data period under section 94Y and by outlining the actions that then need to be taken by section 94P.

                                        Reporting requirements

                                        Regarding reporting requirements, the bill includes a requirement that the Minister for Health report to the parliament as soon as practicable after each six-month period on the operation and effectiveness of the COVIDSafe app. This underscores the government's commitment to transparency about the operation and effectiveness of COVIDSafe and the unprecedented privacy and security protections built around the app's data handling.

                                        Repeal of the bill

                                        Regarding repeal of the bill, schedule 2 of the bill will result in the legislation being automatically repealed 90 days after the Minister for Health issues a determination that the COVIDSafe app is no longer required under section 94Y. The Acts Interpretation Act will apply to preserve the effect of the repealed law so that an investigation into a possible breach of a repealed law can continue or can be commenced after repeal.

                                        Conclusion

                                        By way of conclusion, this bill will guarantee that Australians' privacy is protected when they choose to download and use COVIDSafe. By enshrining the biosecurity determination into primary legislation, and ensuring the Information Commissioner has the power to hear complaints about the mishandling of COVIDSafe app data under the Privacy Act, the public can be assured that the government is doing all we can to keep their data as secure as possible. With the passage of this bill, we sincerely hope that the Australian public will take note of the unprecedented strength of these privacy protections, choose to download the app and help their fellow Australians combat the spread of COVID-19. I commend the bill to the House.

                                        Leave granted for second reading debate to continue immediately.

                                        1:24 pm

                                        Mark Dreyfus (Isaacs, Australian Labor Party, Shadow Attorney General)

                                        Since the beginning of this public health crisis, Labor's focus has been on saving lives and saving jobs. As the Leader of the Opposition has said on many occasions, Labor is looking for outcomes, not arguments. That is the spirit in which we have approached the Privacy Amendment (Public Health Contact Information) Bill 2020 and the government's contact tracing app more generally.

                                        My colleagues and I believe that a contact tracing app can be a valuable tool for protecting Australians from coronavirus. But, to be a valuable tool, the app has to work and Australians must have complete confidence that their privacy is protected and that the data collected by the app will never be used for any purpose other than contact tracing during the current health crisis. Without that confidence, millions of Australians will not download the app and its value as a public health tool will be severely compromised, even if it works effectively in a technical sense.

                                        At the outset, the Prime Minister said that at least 40 per cent of the Australian population needed to download the app for it to be an effective tool—that means about 10 million Australians. The government is well short of that figure at the moment. I understand that about 5.5 million Australians have downloaded the COVIDSafe app so far, but my colleagues and I hope that this bill and Labor's support for it will help to build the public confidence that is needed to persuade many millions more to download it.

                                        One of the reasons why I support the passage of this bill is the very positive engagement that I have had with the Attorney-General over the last week. Following the release of the draft legislation, last Monday evening I approached the Attorney-General with a number of suggestions for improving the bill and boosting public confidence. To his credit, the Attorney-General considered, in good faith, all of the concerns I raised with him, and he has sought to address most of them in the version of the bill that is now before the House. Those amendments have improved the bill in a variety of ways. For example, there is now greater clarity about what data is protected by the strict privacy safeguards contained in the bill.

                                        The bill now provides for greater oversight of the COVIDSafe app and the handling of COVIDSafe data by the Office of the Australian Information Commissioner. The bill now makes it clear that no intelligence agency or law enforcement agency can be given a role in administering the COVIDSafe data store. Where it is unlikely to prejudice a law enforcement investigation, the bill now allows the Office of the Australian Information Commissioner to continue an investigation even where the investigation overlaps with an investigation by law enforcement. And the bill now includes a number of public reporting requirements so that the Australian people can be kept informed about the operation and effectiveness of the app and the level of compliance with the privacy safeguards contained in the bill. This is now a stronger and better piece of legislation as a result of constructive engagement between Labor and the government. For that, I would like to give particular credit and extend my thanks to the Attorney-General and his office.

                                        I understand that a number of my colleagues will speak about some of the suggestions from Labor that were not adopted by the government. While each of those concerns is important, they must be kept in perspective, particularly when it comes to the issue of privacy. To be clear: this bill will introduce the strongest privacy safeguards that have ever been put in place by any Australian parliament. That is despite the fact that the COVIDSafe app is voluntary and the data that it collects is, compared to other personal information that's routinely collected by governments and corporations, relatively innocuous. This bill takes privacy seriously.

                                        I would also like to assure Australians that this is not a case of set and forget. Labor will keep an eye on how the measures in the bill are being implemented to ensure that they are effective and working as intended. I expect the Attorney-General will be doing the same. Necessarily, this bill had to be drafted quickly and it has not gone through the usual parliamentary committee processes of review. As such, it has not received the same degree of scrutiny that a bill would typically be subject to. For that reason, I welcome last Friday's announcement by the Senate Select Committee on COVID-19 that it intends to oversee the COVIDSafe app and this legislation by reviewing the rollout of the appropriate—

                                        Llew O'Brien (Wide Bay, National Party)

                                        The debate is interrupted in accordance with standing order 43. The debate may be resumed at a later hour.