Senate debates

Wednesday, 13 May 2020

Bills

Privacy Amendment (Public Health Contact Information) Bill 2020; Second Reading

9:32 am

Anne Ruston (SA, Liberal Party, Minister for Families and Social Services)

I move:

That this bill be now read a second time.

I seek leave to have the second reading speech incorporated in Hansard.

Leave granted.

The speech read as follows—

The Privacy Amendment (Public Health Contact Information) Bill 2020 will ensure that there are strong ongoing privacy protections to support the download, use and eventual decommissioning of the Australian Government's COVIDSafe app.

At release, COVIDSafe was supported by interim privacy protections contained in the Minister for Health's Determination under the Biosecurity Act 2015. Building on this, the purpose of this Bill is to:

1. Enshrine the privacy protections in the Determination into primary legislation by inserting a new Part into the Privacy Act 1988

2. Give the Australian Information Commissioner oversight of COVIDSafe app data, and

3. Introduce additional provisions that clarify protections in the Determination.

The Bill guarantees that the Australian public can have confidence that their privacy will be protected if they download and use COVIDSafe. An increase in the uptake of COVIDSafe will help States and Territories to trace outbreaks and combat the spread of COVID-19.

Background

To understand the Bill's privacy protections, it is first crucial to understand how COVIDSafe operates and handles personal information. You will also see that strong privacy protections have been built into the design of COVIDSafe, as it requires users to provide the minimal amount of information required for contact tracing, which is encrypted until it is required by Health officials.

COVIDSafe is a voluntary app developed by the Australian Government that was launched on 26 April 2020. COVIDSafe can be installed on Android and iOS personal devices to collect information to assist State and Territory health officials when they conduct contact tracing to combat the spread of COVID-19.

When a person downloads COVIDSafe, they are asked to register by entering a limited amount of personal information: a name or pseudonym, an age range, a mobile phone number and a postcode. Once verified by text message, this information is then uploaded in an encrypted form to the National COVIDSafe Data Store.

Once a user has registered, COVIDSafe works by using Bluetooth signals to record encrypted data about close contacts with other users and stores this locally on their device. If this data is not uploaded to the National COVIDSafe Data Store, it is deleted on a rolling 21-day basis. Unlike manual contact tracing, COVIDSafe can record close contacts who are not known to the user – for example, people who sit near a user on the bus, at an event, or in line at the supermarket. When a COVIDSafe user tests positive for COVID-19, they will be contacted by a health official in their state or territory as part of the usual contact tracing process. When making contact, the health official will ask the person if they use COVIDSafe. If they do, the health official will send them a code by text message to enter in the app. If the code is entered, the user consents to uploading the encrypted data about their close contacts to the National COVIDSafe Data Store.

Once information about close contacts is uploaded, state and territory contact tracers can access this information to notify the positive user's close contacts that they may have been exposed to the coronavirus. From this point, contact tracers will inform people at risk of COVID-19 that they have been exposed, without identifying the infected app user. Contact tracers will step people at risk through what to do next, such as getting tested or self-isolating.

COVIDSafe has the potential to significantly speed up existing manual contact tracing processes, and in turn could accelerate the pace at which governments can ease restrictions while still keeping Australians safe.

Biosecurity declaration

The Australian public must have confidence that COVIDSafe protects their privacy for it to be used and highly effective in combating the spread of COVID-19. To this end, the Minister for Health, the Hon Greg Hunt MP, made a determination under the Biosecurity Act on 25 April 2020—before COVIDSafe's launch. This Determination provided strong interim privacy protections for data collected through COVIDSafe, prior to the passage of this Bill.

The Determination contains provisions that:

Finally, the Determination created criminal offences for the breach of the above requirements, with a maximum penalty of five years' imprisonment.

Enshrining the Determination

The Australian Government has now developed this Bill to enshrine the COVIDSafe privacy protections in the Determination in primary legislation.

The protections in the Bill will apply to all COVIDSafe data from the point at which the Bill commences, even if that data was created before the Bill commenced. Until the Bill is passed, the Determination will continue to apply to the handling of COVIDSafe app data.

The Bill will also override the effect of any previously-enacted laws under section 94ZD. This means that the Bill will apply in place of any other laws that may apply, including the Determination, once it passes into law. At that point, those handling the COVIDSafe app data will have a single legislative reference – the Commonwealth Privacy Act.

Criminal offences under the Bill

While I do not plan to address those areas of the Bill which directly replicate the Determination, I note that key criminal offences from the Determination continue to apply, and remain subject to the same penalties. These penalties are imprisonment for five years, a fine of 300 penalty units ($63,000), or both. The offences include:

Committing criminal offences will breach the Privacy Act

The Bill ensures oversight of COVIDSafe app data by the Australian Information Commissioner (the Commissioner). The offences under the Bill will also be breaches of the Privacy Act in certain circumstances. Therefore, (under section 94R) if a person commits an offence under the Bill and that person is either:

then the person's conduct will also breach the Privacy Act.

This gives individuals affected by the breach more options for enforcement because they will have the option to make a complaint to the Commissioner in addition to being able to report the matter to law enforcement.

Broader application of the Privacy Act

The Bill will go further than the Determination by ensuring that COVIDSafe app data must also be treated as 'personal information' under the Privacy Act (section 94Q). This automatically applies a range of existing Privacy Act protections to COVIDSafe app data, including privacy policy, notification, and security obligations. The Commissioner will be able to undertake a formal assessment of whether an entity subject to the Privacy Act, or a State or Territory health authority handling COVIDSafe app data, is complying with the requirements in the Bill.

The Commissioner will also have discretion to refer matters that may constitute a breach of a State or Territory privacy law to the responsible State or Territory privacy regulator.

There is an additional requirement that the Commissioner provide regular public reports on the performance and exercise of her new powers and functions under Part VIIIA.

Application of Notifiable Data Breaches scheme

The Bill applies the existing Notifiable Data Breaches Scheme to COVIDSafe app data under section 94S. The Bill requires the administrator of the National COVIDSafe data store, or a State or Territory health authority handling COVIDSafe app data to notify the Commissioner of any data breach involving COVIDSafe app data. The Commissioner will then have the power to require that breach to be notified to affected individuals.

The notification requirement would be automatic in the event of a data breach (much stronger than the Privacy Act's existing data breach notification requirements).

Summary of further differences between the Bill and Determination

The Bill also includes new clauses which:

I will now outline why these changes have been made.

Requiring the use of COVIDSafe

The prohibition on requiring a person to use the COVIDSafe app has been clarified under section 94H. A person will not be liable for this offence if they require a person to use COVIDSafe before entering their private residence, reflecting the normal expectation that a person is generally free to deny another person access to their home for any reason. However, this exemption is limited—it would not apply to other situations covered by the offence involving a commercial relationship, such as a landlord/tenant relationship, a share house relationship or an employment relationship.

Protections for former COVIDSafe users

Section 94N is a new provision that guarantees that COVIDSafe will not be used to collect any further data from people who have chosen to delete the app. Section 94N provides that if a user re-registers for the app, data collection can resume. This protection provides further assurance that a user's consent is central to COVIDSafe data collection.

Administration of the National COVIDSafe Data Store

The Bill designates the Australian Department of Health as the administrator of the National COVIDSafe Data Store, and allows it to delegate some or all of these functions to certain Commonwealth Government agencies under the proposed section 94Z. The Department of Health must make that delegation via a 'notifiable instrument', meaning the delegation will always be announced publicly. Importantly, an enforcement body or intelligence agency cannot be designated as the Data Store administrator.

Currently, the Digital Transformation Agency (DTA) is responsible for technical administration of COVIDSafe and the National COVIDSafe Data Store, in consultation with the Department of Health. When the Bill comes into law, the Department of Health would formally delegate some of its administrator functions to the DTA to reflect this arrangement. If the Department of Health later delegates these functions to another agency, Health will need to publicly announce that fact via notifiable instrument.

Deleting the National COVIDSafe Data Store

Finally, the Bill also includes a more specific process for deletion of the National COVIDSafe Data Store once the pandemic is over, compared to the Determination. This includes a process for the Minister for Health to determine the end of the COVIDSafe Data Period under section 94Y and by outlining the actions that then need to be taken by section 94P.

Reporting requirements

The Bill includes a requirement that the Minister for Health report to the Parliament as soon as practicable after each 6 month period on the operation and effectiveness of the COVIDSafe app. This underscores the Government's commitment to transparency about the operation and effectiveness of COVIDSafe and the unprecedented privacy and security protections built around the app's data handling.

Repeal of the Bill

Schedule 2 of the Bill will result in the legislation being automatically repealed 90 days after the Minister for Health issues a determination that the COVIDSafe app is no longer required under section 94Y. The Acts Interpretation Act 1901 will apply to preserve the effect of the repealed law so that an investigation into a possible breach of a repealed law can continue or can be commenced after repeal.

Conclusion

This Bill will guarantee that Australians' privacy is protected when they choose to download and use COVIDSafe. By enshrining the Biosecurity Determination into primary legislation, and ensuring the Information Commissioner has the power to hear complaints about the mishandling of COVIDSafe app data under the Privacy Act, the public can be assured that the Government is doing all it can to keep their data as secure as possible. With the passage of this Bill, we sincerely hope that the Australian public will take note of the unprecedented strength of these privacy protections, choose to download the app, and help their fellow Australians combat the spread of COVID-19.
