Thursday, 14 May 2020
Privacy Amendment (Public Health Contact Information) Bill 2020; In Committee
Sorry, Senator Patrick; I was speaking with the minister for trade. I think I heard you ask if I have any response in relation to the matter on contracts. I don't have it in front of me, Senator, but let me just seek some advice from my virtual advisers and come back to the chamber when I'm able.
Perhaps they're COVID-safe advisers, Minister! On top of that, I really would like to understand, when that contract comes around to being renewed, whether it would be opened up to Australian companies. There are, of course, provisions in the Commonwealth Procurement Rules to simply stick with the limited tender on the basis that you're already in contract.
Certainly there is information in relation to the number of downloads of the app, which gives us the number of users per se. As of yesterday, I understand, it was 5.63 million. I did say to the chamber yesterday 5.83; that was a verbal typo. It's 5.63 million users.
Just how many data files does the government expect to get? With less than 10 Australians getting COVID each day and the install rate at 20 per cent of the population, that suggests two data files a day.
I think at this point in time—and, in fact, in general in relation to this matter—we would not be engaging in speculation on that. The most important thing that we are focused on is encouraging Australians to download the app and use it.
Has your government done any modelling on the success rate from tracing COVID affected contacts from using the app as against the current personal tracing system involving calls to infected people?
I'll seek some advice from the Minister for Health on that, Senator. As we were discussing yesterday in the chamber, the process of contact tracing is a very intensive and time-consuming process. The officers who are engaged in that now are doing an excellent job, but this will most certainly enhance the ability for Australia to engage in that contact-tracing process.
As we discussed in the chamber yesterday, in the brief period we had in committee, we are continually working on and with the app. If there are issues in relation to access for disabled users, then of course that would be a matter of action for the government. If you wish to raise specific issues—and I'm not familiar with the code name that you used at the end of your question there—then I'll certainly raise that with the appropriate ministers.
by leave—I move the Australian Greens amendments on sheet 8954 together:
(1) Schedule 1, item 1, page 4 (line 6), at the end of the definition of registration data , add ", and includes the person’s phone number".
(2) Schedule 1 , item 2 , page 11 (line 3) , before " A person ", insert " (1) ".
(3) (2) A person commits an offence if:
(a) the person decrypts encrypted data; and
(c) the decrypting of the data is not for the purpose of, and only to the extent required for the purpose of, undertaking contact tracing.
Penalty: Imprisonment for 5 years or 300 penalty units, or both.
(4) (ba) show whether or not the other person has COVIDSafe downloaded or in operation on a communication device; or
(5) (1A) An act or practice in breach of a requirement of the Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements—Public Health Contact Information) Determination2020 in relation to an individual, which occurs before the commencement of this Part, constitutes an act or practice involving an interference with the privacy of the individual for the purposes of section 13.
Note: The act or practice may be the subject of a complaint under section 36.
(6) Schedule 1 , item 2 , page 15 (line 15) , after " subsection (1) ", insert " or (1A) ".
(7) Schedule 1, item 2, page 15 (line 18), at the end of subsection 94R(2), add "or the determination referred to in subsection (1A)".
I'll just briefly explain these amendments. As I said in my contribution on the second reading, we do acknowledge that there are significant protections on privacy contained in this legislation. In fact, it ought to set a minimum standard for government in terms of protecting people's personal information and private data. It's quite shameful that a number of other sets of data collected by the Commonwealth government are not protected to the extent that data collected by this app will be. However, as ought to be obvious by our amendments, we still believe that this bill could be strengthened and more robust protections placed around the data collected by the app, and that is what our amendments seek to do.
The first amendment relates to the definition of COVID app data. I acknowledge the improvements that the government has made in the legislation that we're considering compared to the exposure draft which was originally released publicly. As a result of those amendments, the bill now covers registration data and has narrowed significantly what de-identified information is carved out from the definition. But the bill doesn't seem, on our view, to cover phone numbers, and it really should, because mobile phone numbers are in themselves personal information, because of the separate requirement under telecommunication laws for proof of identity when someone becomes a mobile phone subscriber. So our first amendment on sheet 8954 adds the person's phone number into the bill's definition of registration data.
Our second amendment, around decrypting the data store, will also extend prohibitions in the bill on decrypting data on communications devices to include all data that is stored in the national COVIDSafe data store and is not required for the purpose of tracing contacts of verified COVID-19 carriers.
The next amendment is the creation of an additional COVIDSafe offence. Proposed section 94H makes it an offence to require someone to download the app, have the app operating or consent to uploading data from their communication device to the national COVIDSafe data store. This amendment will make it an offence to require someone to show you whether they have downloaded the app onto their communications device or not. This will further reduce the potential for this app to be used for discriminatory purposes.
The next amendment is in regard to a breach of the biosecurity determination. This amendment would ensure that the protections from interference with privacy that will be provided by part VIIIA of the Privacy Act after royal assent to this bill will also be provided from the commencement of the determination. That will allow the Information and Privacy Commissioner to investigate and report on all data collected and stored by COVIDSafe.
Finally on this sheet are consequential amendments to remove limitations. This includes removing exemptions for the disclosure of personal information to ASIO, ASIS, the Australian Signals Directorate and the Office of National Intelligence and provides that these exemptions do not apply, so a disclosure in breach of the new COVIDSafe app privacy requirements to one of those agencies would still constitute an interference with privacy.
I commend these amendments to the chamber.
There is strong public interest in putting these privacy protections in place as soon as possible, so Labor will not be supporting any amendments that will further delay the passage of this bill. Prior to its introduction into the parliament, as I indicated yesterday in my speech on the second reading, Labor worked constructively with the government to improve the bill, and many of our suggestions to improve privacy protections have been incorporated into the version of the bill before us today.
It is not Labor's position that this bill is perfect. Understandably, this bill was drafted quickly and it has not gone through the usual parliamentary committee processes of review. That is why Labor welcomes the announcement by the Senate Select Committee on COVID-19 that it intends to oversee COVIDSafe, including the effectiveness of the privacy protections set out in this bill and whether they can be further improved.
As I say, we do welcome the fact that the government took up a number of our suggestions to improve this bill and improve the privacy protections. We are confident that the Senate select committee will provide an avenue to make further improvements should they be needed, but we won't be supporting any further amendments, because we don't want to see this bill delayed any further.
I indicate that Centre Alliance will be supporting the bill, but I will call out the logic of Senator Watt, in that there is no delay if you simply indicate support. You don't have to wait to make something perfect if something is made better by the movement of an amendment. We have also agreed amendments and worked constructively with the government in relation to this bill. But that shouldn't fetter this chamber trying to go a little bit further to make it a little bit more perfect.
The CHAIR: The question is that amendments (1) to (7) on sheet 8954, as moved by Senator McKim, be agreed to.
by leave—In lieu of calling a division, which we would usually do, I would simply ask that our obvious support for our own amendments and, I believe, Senator Patrick's and Senator Ryan's support be recorded.
The CHAIR: We will record that the Greens and Centre Alliance were in favour of these amendments.
by leave—I move amendments (1) to (4) on sheet 8956 together:
(1) Schedule 1, item 2, page 11 (after line 1), at the end of section 94F, add:
(3) A person commits an offence if:
(a) the person copies data from the National COVIDSafe Data Store; and
(b) the copied data is transferred to a database outside Australia or to another person who is outside Australia.
Penalty: Imprisonment for 5 years or 300 penalty units, or both.
(2) Schedule 1, item 2, page 17 (line 24), omit "to cease if", substitute "where".
(3) Schedule 1, item 2, page 18 (line 6), omit "subsection (5)", substitute "subsections (4) and (7)".
(4) Schedule 1, item 2, page 18 (lines 10 to 32), omit subsections 94U(3) to (5), substitute:
(a) has been informed of the Commissioner's opinion under paragraph (2)(a); and
(b) is satisfied that an investigation relating to the matter, or proceedings for an offence relating to the matter, will be jeopardised, or otherwise affected, by continuation of the Commissioner's investigation;
the Commissioner of Police or the Director of Public Prosecutions, as the case requires, must give a written notice to that effect to the Commissioner.
(4) If the Commissioner has not received a notice under subsection (3) within 14 days of informing the Commissioner of Police or the Director of Public Prosecutions of the Commissioner's opinion under paragraph (2)(a), the Commissioner may continue the investigation discontinued under paragraph (2)(c).
(5) However, if the Commissioner receives a notice under subsection (3) after that 14 day period, the Commissioner must discontinue the investigation upon receiving the notice.
(6) If the Commissioner of Police or the Director of Public Prosecutions:
(a) has given a notice under subsection (3); and
(b) is satisfied that an investigation relating to the matter, or proceedings for an offence relating to the matter, will no longer be jeopardised, or otherwise affected, by continuation of the Commissioner's investigation;
the Commissioner of Police or the Director of Public Prosecutions, as the case requires, must give a written notice to that effect to the Commissioner.
(7) Upon receiving a notice under subsection (6), the Commissioner may continue the investigation discontinued under paragraph (2)(c) or subsection (5).
These amendments, moved by Centre Alliance, will make sure that the COVID app data cannot be copied and used overseas. Currently the bill prohibits retaining data outside Australia; however, these amendments make it explicit that it's an offence if persons copy the app data and transfer it outside of Australia.
The amendments will also ensures that the Privacy Commissioner does not lose the opportunity to investigate a breach while waiting to know if the Director of Public Prosecutions or the Commissioner of Police intends to pursue the matter. The bill currently only lets the Privacy Commissioner pursue a breach when the Director of Public Prosecutions or the Commissioner of Police are satisfied that an investigation will not jeopardise their investigation. However, if the DPP or Commissioner of Police are not timely with giving the Privacy Commissioner the okay, the opportunity to pursue the matter may be lost due to the short duration of the bill's time frame. These amendments will enable the Privacy Commissioner to continue an investigation until the Director of Public Prosecutions or the Commissioner of Police issues a notice that the Privacy Commissioner's intentions will jeopardise their investigation. Basically, this puts a positive obligation on both the DPP and the Commissioner of Police to make a timely assessment so that the Privacy Commissioner is not left waiting for a long period of time.
We are not supporting these amendments by Senator Patrick. But let me refer briefly to the second one, because that has been a genuine concern raised by Senator Patrick and others. I can advise that, since the release of the exposure draft, the government has in fact made amendments which we believe deal with this issue and achieve that balance between privacy and law enforcement investigations. The recent inclusion of clause 94U (4) allows that, where the police commissioner or the DPP is satisfied that a privacy investigation will not jeopardise or otherwise affect a criminal investigation or proceeding the Privacy Commissioner may continue their own investigation. Those amendments were developed in consultation with the office of the Australian Information Commissioner, and we believe that they do strike the right balance.
I note there's also a time period proposed in the amendment—a 14-day time period. In our view it's not appropriate to place time restrictions on the DPP or a police commissioner to determine whether a separate investigation would have a prejudicial impact on a criminal investigation or proceeding.
I appreciate the issues that Senator Patrick has brought forward, but we do believe we have been able to address those.
Just in response to the minister, I know we are in some sense playing at the margins. Really, what we're trying to do is put a positive obligation on the police to come back early to the Privacy Commissioner—sorry, put a positive obligation on them to stop. I think we are playing at the fringes but we think our amendment is slightly better. I acknowledge that we had talked to the Attorney-General about this and they had certainly talked to us about the amendments that you have described.
As I indicated previously, Labor will be opposing these amendments and further amendments. I refer to the comments I made in respect of the previous amendments. Labor believes that there is a strong public interest in putting these privacy protections in place as soon as possible. So Labor will not be supporting any amendments that will delay the passage of this bill, including these amendments.
The CHAIR: The question is that amendments (1) to (4) on sheet 8956, move together by leave by Senator Patrick, be agreed to. Those of that opinion say aye and against say no. I believe the noes have it. Senator McKim, I'm assuming you want the Greens support for these amendments noted, and I'm assuming that's for Senator Patrick as well. So we will do that.
by leave—I move Australian Greens/Centre Alliance amendments (1) to (13) on sheet 8960:
(1) Schedule 1, item 2, page 12 (after line 16), at the end of section 94H, add:
(4) A person commits an offence if the person engages in conduct that is intended to coerce another person (including by physical intimidation or imposing a financial disadvantage) into doing any or all of the following:
(i) downloading COVIDSafe to a communication device;
(ii) having COVIDSafe in operation on a communication device;
(iii) consenting to uploading COVID app data from a communication device to the National COVIDSafe Data Store.
Penalty: Imprisonment for 5 years or 300 penalty unit s, or both.
(2) Schedule 1, item 2, page 15 (after line 3), at the end of section 94P, add:
Commissioner to assess compliance with deletion obligations
(4) The Commissioner must:
(a) conduct an assessment of the data store administrator's compliance with the obligations in this section, to verify that all COVID app data from the National COVIDSafe Data Store has been deleted; and
(b) as soon as practicable after completing the assessment, prepare and give to the Health Minister a written report of the assessment.
(5) The Health Minister must table a copy of the report in each House of Parliament within 15 sitting days after the Commissioner gives a copy of the report to the Minister.
(6) The data store administrator must provide the Commissioner with any assistance reasonably required to conduct the assessment. This section does not limit the Commissioner's other powers under this Act.
(3) Schedule 1 , item 2 , page 20 (line 27) , omit " subsection (2) ", substitute " subsections (2) and (4) ".
(4) Schedule 1 , item 2 , page 2 1 (after line 11) , at the end of section 94Y , add:
COVIDSafe data period ends if human biosecurity emergency ceases
(4) Despite subsections (1) and (2), if:
(a) the Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) Declaration 2020 ceases to be in force on a day (the emergency declaration expiry day ); and
(b) the Health Minister:
(i) has not already determined a day under subsection (1); or
(ii) has determined a day under subsection (1) that is later than the emergency declaration expiry day;
the Health Minister is taken to have determined the emergency declaration expiry day as the day under subsection (1).
Note: The Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) Declaration 2020 is made under section 475 of the Biosecurity Act 2015. The period for which the declaration is in force can be extended under section 476 of that Act.
(5) Schedule 1 , item 2 , page 21 (line 30) , omit " 6 month period ", substitute " 3 month period ".
(6) Schedule 1 , item 2 , page 21 (line 32) , omit " 6 month period ", substitute " 3 month period ".
(7) Schedule 1 , item 2 , page 22 (lines 2 to 3) , omit " 6 month period ", substitute " 3 month period ".
(8) Schedule 1 , item 2 , page 22 (lines 7 to 8) , omit " 6 month period ", substitute " 3 month period ".
(9) Schedule 1 , item 2 , page 22 (line 10) , omit "3 months ", substitute "1 month ".
(10) Schedule 1 , item 2 , page 22 (line 17) , omit " 6 month period ", substitute " 3 month period ".
(11) Schedule 1 , item 2 , page 22 (line 19) , omit " 6 month period ", substitute " 3 month period ".
(12) Schedule 1 , item 2 , page 22 (lines 27 to 28) , omit " 6 month period ", substitute " 3 month period ".
(13) Schedule 1 , item 2 , page 22 (line 30) , omit "3 months", substitute "1 month ".
These amendments range across a number of provisions contained in this legislation. The first of these amendments creates an additional coercion offence. A number of behavioural economists and others have proposed making things like government payments, tax breaks and other financial rewards and financial disincentives dependent on people using the app. The exposure draft bill would not have captured these issues, but the bill, as changed by the government from the exposure draft to the one that we're currently considering, will catch many of those coercion concerns that the Australian Greens and Centre Alliance have.
However, the current provisions on coercion would still fail to capture non-commercial forms of coercion, such as those relating to, for example, family violence and abuse, and our amendment would make it clear that no form of coercion is legal or lawful under the act. This includes discounts, payments or other financial incentives that may be contingent on a person downloading or using the app, and it would also make it clear that people aren't allowed to be asked to show that their mobile device has the app loaded, in order to avoid discriminatory or abusive treatment.
The second of these amendments relates to privacy verification of data deletion. As an independent regulator, the Information and Privacy Commissioner has discretion as to how and what duties they execute under the powers of this bill. This means that the Information and Privacy Commissioner's final report may or may not contain or report on whether they are satisfied that the data store administrator has complied with the legislation regarding compliance and deletion of the COVIDSafe app and its data. So this amendment will include provisions requiring that the Information and Privacy Commissioner inspect and verify that the data deletion obligations at the end of the app's period of operation have been complied with by requiring the data store administrator to confirm and report to the commissioner that the data has been deleted as required by the app. The amendment provisions will also require that the Information and Privacy Commissioner provide a report to the minister on compliance with deletion obligations as soon as is practicable and for this report to be tabled in both houses of parliament by the minister within three sitting days of receiving it.
The next amendment goes to the end of the COVIDSafe data period. This is quite a significant amendment because we do have concerns with the way that the government has approached the sunset provisions of this legislation, which is effectively to leave it in the hands of the health minister in terms of when the operation of COVIDSafe ends and the data is deleted. This amendment will ensure that the act and all activities covered by the act—including, use, communication and storage of COVIDSafe data—sunset as soon as the human biosecurity emergency declaration ends or by the trigger currently in the act, whichever is sooner and also provide that the collection of data for the COVIDSafe app and the state of emergency under the Biosecurity Act all cease at the same time. This is aimed at ensuring the app and the collection of data do not exceed the declared state of emergency under the Biosecurity Act.
I just want to speak to this at a little bit more length because the dataset collected by this app does, I think everyone would acknowledge, contain potentially very sensitive personal information. We're obviously living through a global pandemic, and this bill, I believe, will pass through this chamber with unanimous support. But if the pandemic has eased off to the extent that the declaration of a human biosecurity emergency is over, there is simply no reason for this data to still be maintained. The minister can extend the declaration if he wishes, but if we're through this pandemic to the extent that the declaration ends, I cannot possibly see how the government has an argument to keep this app in operation and to retain the extremely sensitive personal information that is collected by this app. So this amendment is critical, in our view, and it links the sunset of this bill, once it becomes an act, to the end of the declaration.
I'll say again: if the emergency declaration lapses and if we're through the pandemic to the extent that the government does not believe we need to be living under a human biosecurity emergency declaration, the Australian Greens—and I won't speak for Centre Alliance, but they are co-sponsoring this amendment—believe that there is no reason that the data that is collected by this app should remain. We believe that it should be deleted in order to minimise the chances of this information being hacked or the information otherwise being made public or provided to people that it should not be provided to.
The next amendment is around the privacy verification of data deletion, and, again, as an independent regulator, the Information and Privacy Commissioner has discretion as to how and what duties they execute under the powers of this bill. That means that the Information and Privacy Commissioner's final report may or may not report on whether they are satisfied that the data store administrator has complied with the legislation regarding compliance and deletion of the COVIDSafe app and its data. This amendment will include provisions requiring the Information and Privacy Commissioner to inspect and verify that the data deletion obligations at the end of the app's period of operation have been complied with by requiring that the administrator confirm and report to the commissioner that the data has been deleted as required by the app and for the Information and Privacy Commissioner to provide a report to the minister on compliance with deletion obligations as soon as is practicable and for this report to be tabled in both houses of parliament by the minister within three sitting days of receiving it.
The final amendment on this sheet relates to the reporting period. In the version of the bill that we're debating, the government has introduced biannual reporting on the operation and effectiveness of the COVIDSafe app. Given the relatively short lifetime planned for this app—or, we hope it will be a short lifetime—and the understandable concerns people hold regarding the privacy of their data being held in the national data store, we think it appropriate that this data be reported on every three months or within one month of making a determination under section 94Y.
Again I refer to the comments I made in respect of the previous amendments. Labor believes there is a strong public interest in putting these privacy protections in place as soon as possible, and so Labor will not be supporting this or any other amendments that will delay the passage of this bill.
I won't unduly hold up the Senate but I just wanted, as Senator Patrick has done, to respond to Labor's position. I note and pay credit to them that they haven't been disparaging of these amendments in any way. If the Senate was minded to amend this legislation, it could just be put down to the other place today. I think it unlikely in extreme that that would cause any significant or even meaningful delays to the passage of this legislation. I've seen this approach by the Australian Labor Party in regard to other legislative areas in this parliament, specifically around national security issues, where Labor—and fair enough too—does negotiate outcomes with government.
I would urge the Labor Party to not close its mind to further amendments on the floor of the Senate. That's the job that we're chosen to do by the people that vote for us. It is part of our job as legislators to try on the floor of this Senate and of the other place to make improvements to legislation which comes to this parliament. We genuinely believe that if our amendments proposed today were accepted by the Senate it would make this a more robust piece of legislation. It would allow the many people in this country who have concerns about how this app will operate to have an increased level of confidence and may in fact lead to an increased rate of download of this app. We do commend our amendments to the Senate.
A request I made earlier was that, in lieu of a division, our votes and the votes of Centre Alliance can be recorded.
Bill agreed to.
Bill reported without amendments; report adopted.