Wednesday, 13 May 2020
Privacy Amendment (Public Health Contact Information) Bill 2020; In Committee
Through you, Madam Chair, I thank Minister Payne for her responses to issues that were raised during the second reading contributions of many senators, including Australian Greens senators. I'm very pleased to hear that states and territories have been asked whether they would be happy with the data management protocols being released publicly. I understand there may need to be some revisions to those agreements or protocols as a result of this legislation being passed, but I genuinely hope that we and the Australian people are able to understand what particular safeguards are in those agreements or protocols. When the relevant data goes to state and territory health authorities, that does constitute one of the major vulnerabilities of the data that will be collected by the app.
Minister Payne also responded to questions that had been raised by a number of senators in regard to the operation of the US CLOUD Act by reminding us of something that we already knew—that this legislation does criminalise the provision of data overseas. Given the way the US CLOUD Act operates, Minister, I just need to place on the record that there is no way that you or anyone else can give the Senate, and therefore the Australian people, a 100 per cent guarantee that the data collected by this app will not end up in the hands of US law enforcement and security agencies. That is because under the US CLOUD Act, which specifically relates to data stored overseas from the US—and obviously that would include data stored in Australia—data is available and may be accessed under warrants issued by a US court. I asked the Attorney-General's Department about this in the Senate select committee last week, and it became clear that that 100 per cent guarantee could not be given. Even though I acknowledge the government has done its best by legislating here in Australia, the simple fact remains that the head of AWS in the US is likely to be far more concerned about the operation of US law than about the operation of Australian law. So, Minister, if you're able to give that 100 per cent guarantee, please feel free to do that. I don't think you'll be able to, and that constitutes another potential vulnerability for the data under this act.
Minister, I acknowledge that you weren't in the chamber during my contribution. That's obviously no criticism of you. Minister Cash, from memory, was the duty minister. But I did raise an issue, and I'd be appreciative if you'd be able to seek some advice on it and respond to me in the committee stage. That is around the data collected by this app not being limited to a 15-minute duration or to data being collected within a certain bluetooth range. So could you please confirm that this app actually collects data of a close contact, no matter what the duration of that contact is—in other words, a contact does not have to be for 15 minutes or more for this app to collect the data—and that the filtering of that data, if you like, will actually be done by state and territory health agencies after they receive the data. They will then filter it and only take action in regard to contacts of more than 15 minutes duration. If you're able to address that, Minister, I'd appreciate that.
Thank you, Senator McKim, for that question. Let me, to the extent I am able, provide some information. The last point that you made about the filtering process only using the data which is relevant is definitely correct. I am advised that it isn't technologically feasible to ignore the bluetooth signals of other users beyond 1.5 metres because of the nature of bluetooth technology, which means that signals can be detected within about 10 metres. The COVIDSafe app detects the strength of bluetooth signals, not the distance. The app uses the detected strength of bluetooth signals to estimate the distance between users. So the government has put in place access restrictions to digital handshakes uploaded to the national COVIDSafe data store, and personnel in state and territory health authorities can only access digital handshakes which meet the risk parameters set on the basis of the medical advice about the risks of exposure to COVID-19. That ensures that the minimum amount of information required for contact tracing is what is collected from users.
Thanks very much, Minister. That addresses the issue of the range. I wonder if you'd be able to give a response on the issue of duration in the same context. It is my understanding that the app will record contacts of any duration between two people who've downloaded the app, and then the same filtering process will occur at state and territory health agencies. I'd be appreciative if you could respond to that issue specifically.
Minister, just on the point about Amazon Web Services, I think you said that the reason, or one of the reasons, that the contract was awarded to Amazon was that Australian providers were not able to provide the full range of services that were required, or words to that effect. Could you please let us know which services are required and cannot be provided by local providers?
Thank you, Senator Watt. What I said was that there are several Australian cloud providers that could provide elements of the services. What AWS brings together is a combination of hosting, development and operational services, plus the ability to scale that very quickly and provide a broader range of services. If there's any further information I can provide on that, I'll come back to you.
That would be appreciated. There's obviously a lot of interest in this aspect, so I think some further detail about exactly what was required that could not be sourced locally would be of great interest to people.
Just following up from that conversation, are you able to tell us, Minister—noting that this has raised an issue, albeit perhaps incidental, in respect of the operation of the CLOUD Act—how long the contract for AWS is currently for? Is the intention when that contract expires to look at perhaps an alternative supplier, an Australian supplier, to remove all of that risk?
Thank you. By the way, Minister, I was very impressed with your technical versatility there. As someone with an engineering background, I can say that was quite impressive. But have you engaged at all with anyone in the US in respect of concerns that have been raised about the CLOUD Act and its intersection with the COVIDSafe app here in Australia?
Senator Patrick asked a very similar question to the one I was going to ask. Minister, because you are the foreign minister—and a captive audience at the moment, I might add—it gives me the opportunity to urge you to engage with your counterparts in the US and seek a diplomatic assurance from the US government that there will be no attempts to access the COVIDSafe data under the US CLOUD Act. I will simply leave that with you. I'm not able to do that. You are, and I think that would be helpful if those diplomatic assurances could be sought.
You gave a number of answers—which were appreciated—in your previous contributions. Just to follow up on the data management protocols that we were discussing earlier, why was it decided that this legislation would not create an offence in regard to state and territory health authorities accessing data outside the parameters that you discussed earlier? There is no doubt—and I acknowledged this in my speech on the second reading—that the privacy parameters around this data enshrined in this act are significantly more robust than those associated with other information on citizens that the government and corporations collect. But it does seem to me that you're relying on agreements between the Commonwealth and state and territory authorities rather than legislating to make sure that state and Commonwealth authorities treat this data with respect.
First I would say that the state and territory authorities are subject to the provisions of the act. If they breach the act in their use or application of the data, they would be subject to the penalties contained therein. They are, of course, subject to the operation of the Privacy Act 1988 in all of their work as well. I'm not sure if there is a specific issue you are seeking to clarify, but in the general I expect and the government expects that, by the passing of this bill, state and territory authorities who are dealing with the data are subject to its provisions and would be caught within that.
I didn't quite catch the full exchange regarding diplomatic assurances. Were you advising that you have made those?
Senator Payne interjecting—
Okay. Is there a reason that you haven't made those diplomatic assurances at this stage or sought those?
As I would expect, the bill before the chamber has been dealt with by the responsible portfolio areas, which are the Attorney General's Department and the Department of Home Affairs, and so engagements are bound to be undertaken by them.
But obviously it's not their role to seek diplomatic assurances from another government. That would surely be your role as foreign minister. I'm asking why within government there hasn't been a decision for you to seek those assurances.
Firstly, can I ask whether any Australian intelligence agencies have made any requests to the developers of the COVIDSafe app to create a back door into the app under powers granted by the Telecommunications and Other Legislation Amendment (Assistance and Access) Act 2018?
Thank you, and I'm very happy to hear that. Can I ask whether any contracts are in place with either Apple or Google relating to the COVIDSafe act? If so, do they have any access to any of the COVIDSafe data as part of these contracts?
Thank you, Minister. I appreciate your response. I think I'll now move to some of the amendments that have been circulated in the chamber.
Senator Watt interjecting—
Sorry, you can do it afterwards, Murray, but I'm happy for you to do it now.
I was going to say I don't mind either way, but point of order: I was going to make the point that I have a few more general questions that don't relate to specific amendments. If it is more convenient to do those now, is that okay?
Minister, there has been a lot of discussion about the targets that the Prime Minister and other ministers set for the uptake of this app, and I think there's still a great degree of confusion out there about this. I think the reason that it matters so much is that, again, the Prime Minister and other ministers have repeatedly made clear that the easing of restrictions is linked to the uptake of the app—and I say this as someone who downloaded the app on the first night. You did as well, Minister Payne. I think many of us did. I'm very supportive of the downloading. I've been trying to get others to do so as well. I certainly did that on the basis that the Prime Minister and others had made clear that the easing of restrictions was linked to people downloading it. Just to start with, is the easing of restrictions linked to the percentage of the population that downloads the app?
As I think was canvassed in the debate earlier, and I wasn't here for all of it, I acknowledge, the desire in relation to the app is to have as many people be like you and me—to download the app to assist in the process, particularly around contact tracing—and the ambition is for this to be as many Australians as possible. But the approach to easing of restrictions, as you will have seen through the national cabinet process, is based on the health advice that's received through the AHPPC, where it's possible for Australia and Australians to do. And the states and territories—your state, my state; quite different in their approaches—are using that as the premise, not based on the number of people who have downloaded the app.
That leaves me a little confused. There were many statements by the Prime Minister and other ministers, in the lead-up to that national cabinet meeting, that said the reason we had to download the app was so that we would have the restrictions eased. Is that not correct?
I think, self-evidently, the endeavour to put in place an app of this nature and to encourage Australians to take up using the app, to download it, is an important part of the pathway out of the most onerous aspects of the COVID-19 restrictions that have been put in place.
We do encourage as many Australians as possible to download the app, because that will help—absolutely that will help—with all of these processes, including contact tracing. We know, and you would be aware, that the contact tracing process is extraordinarily intensive for health authorities. Any mechanism which assists with that process is invaluable in delivering the outcomes we need, to make sure that if there is an issue, if there is an outbreak, all of the contingencies that we need to be planning for, across states and territories and through the national cabinet and the Commonwealth government—if there is a need to do that major contact tracing, we have a better facilitated process for that. The app will provide that, but the number of downloads is not conditional, in terms of the lifting of restrictions.
The lifting of restrictions is a complex process. It's being addressed, step by step, in a very deliberate way through the national cabinet and, as I said, states and territories will make their own decisions in relation to that. The advice and process the national cabinet has followed has been made very clear publicly.
I certainly appreciate that the more people who download the app the more effective it will be, and I appreciate the purpose of the app. I'm left wondering why it was that the Prime Minister and other ministers, in the lead-up to that national cabinet meeting, repeatedly told people that downloading the app was the key to having restrictions eased, if what I understand you're saying is that there is no link.
A greater ability to determine where there are infections and the contacts that have been experienced around those infections is going to assist in this entire process. I think that's quite compellingly logical. That's one of the reasons the app is so important. It contributes to an ability to change the way we have had to do business in recent months, change the way we have had to live, and to what we've asked Australians to do in recent months—and which they have done, overwhelmingly, with great willingness and great support for this significant national undertaking—to address the spread of coronavirus in this country.
The downloading of the app facilitates, makes easier—whatever words you would want to use—a lot of those processes, in terms of contact tracing, in terms of being able to understand people's engagement if there are outbreaks or issues that need to be considered. I think what the Prime Minister and other ministers have been very clear about is how important that is to the progress and process of moving out of the most extreme of the restrictions that we have had to deal with.
Supplementary to that, downloading the app itself doesn't do anything. You have to turn it on and it has to work to achieve something. My question goes to that area. The COVID committee has heard evidence from the DTA and Department of Health that there are, currently, degradations in the application's performance, particularly in relation to when the application is running in the background, or if the phone is locked. That creates a situation where you could have 100 per cent of the people downloading the application, and if it doesn't work it doesn't help at all. I'm not suggesting that's the case.
Are you in a position of give some better guidance as to, overall, how you feel the application is working through the iterative process? Minister, this is not a criticism. I understand you took on this as something you could throw at the problem . From an engineering background, I know there are always issues with an application as it comes online. I'm trying to understand what the status of it is right now and how you will inform the public as iterations of the software and some of the fixes are made, so you're being open and honest with the people who have downloaded it or that it may encourage others to download it.
We might be going to challenge my technical capacity, but I appreciate your engineering experience being gentle with me, if you don't mind. The update process will operate, and does, in the way you would expect any app update to work: through messages on phones and through the government's messaging, and the states' and territories' messaging, about that.
Let me go through some of the points I have here, and we will see if they address the concerns that you have. Most definitely, let me be very clear in saying that the COVIDSafe app works. From its launch, the app has been collecting data about users' close contacts after they download and register in the app. So if a user is diagnosed with COVID-19 they may upload close-contact data to assist state and territory contact-tracing efforts.
There has been, as you have observed, some public discussion about whether COVIDSafe works on iOS devices. The government is assured that the app operates on these devices as intended. We are aware of the variability in the quality of bluetooth signals—