COVID-19 | COVIDSafe update: legislation and source code

The Commonwealth Parliament has now passed legislation to regulate the collection and use of COVID app data.

In addition, the Commonwealth Digital Transformation Agency has now released the source code for the app, which has allowed independent analysis of how the app operates.

This update discusses the legislation and the commentary in relation to the source code.

Legislation

The Privacy Amendment (Public Health Contact Information) Bill 2020 secured passage through both houses of Parliament on 14 May 2020.  As discussed in our earlier article, the legislation is intended to replace the Determination that had been issued under the Biosecurity Act 2015, which provided temporary protections in relation to the app.

Interaction with the Privacy Act

The legislation:

• clarifies that the COVID app data is “personal information” for the purposes of the Privacy Act;
• provides that a State or Territory health authority is an “organisation” for the purposes of the Privacy Act, to the extent that the authority deals with or its activities relate to COVID app data;
• makes it clear that the Notifiable Data Breach Scheme applies to COVID app data;
• provides the Australian Information Commissioner with an oversight role, and allows the Commissioner to manage complaints about mishandling of data, and to conduct assessments relating to the maintenance and handling of that data;
• ensures that the provisions of the Privacy Act will prevail over other Australian laws in relation to COVID app data; and
• makes certain conduct in relation to COVID app data an offence.

Offence provisions

In relation to the offences, the legislation largely replicates the offences set out in the Determination.  The penalties for offences are fines of up to $63,000, or up to 5 years’ imprisonment, or both.

Under the Act it is an offence to:

• collect, use or disclose COVID app data in a way that is not otherwise permitted;
• upload COVID app data from someone’s phone to the National COVIDSafe Data Store without their consent;
• retain data in the National COVIDSafe Data Store outside of Australia;
• disclose COVID app data from the national data store to a person outside of Australia who is not employed by, or in the service of, a State or Territory health authority;
• decrypt COVID app data;
• require a person to download the app, or to have the app active, or to upload data to the data store;
• discriminate against a person who does not have the app installed or does not have it active. This includes by not entering into an employment contract, not entering into a contract or arrangement, not allowing a person access to a premises that is open to the public or the person otherwise has a right to enter, not allowing a person to participate in an activity, and refusing to provide or receive goods or services.

Reporting requirements

The legislation also requires regular reports to be released about the operation of the app:

• Every six months, the Health Minister must table a report before each house of parliament on the operation and effectiveness of the COVIDSafe app and the National COVIDSafe Data Store.
• The Australian Information Commissioner must publish a report every six months on the performance of the Commissioner’s functions, and the exercise of the Commissioner’s powers, under or in relation Part VIIIA of the Privacy Act.

What happens when the pandemic ends

The legislation provides that the data in the National COVIDSafe Data Store must be deleted when the pandemic is over.  As we discussed in our earlier update, the Determination contained some ambiguity as to when the pandemic is considered to be over.

The legislation provides that the Health Minister must determine by notifiable instrument the end of the COVIDSafe data period, if the Minister is satisfied that the use of the app is no longer required to prevent or control, or is no longer likely to be effective in preventing or controlling, the entry, emergence, establishment or spread of COVID-19 in Australia or in any part of Australia.

Before making such a determination, the Minister must consult with, or consider recommendations from, the Commonwealth Chief Medical Officer or the Australian Health Protection Principal Committee (this is the key decision making committee for health emergencies, which is comprised of all State and Territory Chief Health Officers and is chaired by the Australian Chief Medical Officer).

As soon as reasonably practicable after the Health Minister determines the COVIDSafe data period to be over, the data store administrator must delete the National COVIDSafe Data Store.  After the deletion, the data store administrator is to inform the Health Minister and Information Commissioner that all COVID app data have been deleted and must take all reasonable steps to inform current users of the app of that fact, and the fact that COVID app data can no longer be collected, and that they should delete COVIDSafe from their devices.

As previously indicated we consider it would be prudent for the government to engage an auditor to determine whether or not data has been deleted.

Source code release

On 8 May 2020 the Commonwealth Digital Transformation Authority (DTA) released the source code for the app.

The DTA sought feedback in relation to the app, and has committed to releasing updates to the app to improve its functionality.  The first update to the app was released earlier this week, and deals with a number of reported issues as well as changes to clarify for users the process to upload data if a user tests positive.

The DTA has indicated that it is working with Apple and Google who are developing their own contact tracing protocol.  Given that a number of countries are now working on contact tracing apps of their own, it is likely that further improvements will progressively be implemented.

Commentary in relation to the source code has been fairly muted, in part because the software had previously been decompiled by group of independent security researchers who had released a report as to identified issues.  No code had been found on the app that intentionally tracks the user beyond the scope of contact tracing, nor had code been identified that transmits the user’s encounter history to third parties without the explicit consent of the user. Discussion is continuing about the hosting of the National COVIDSafe Data Store.

Uptake

The most recent figures announced by the government are that the app has been downloaded 5.6 million times out of the roughly 16 million Australians who own a smartphone.

As restrictions around the country begin to be ease and movement increases, the app will be put to the test, and its utility as a contact tracing tool, used in conjunction with significant testing effort, will be revealed.

For details of all our COVID-19 tips and updates, visit the Gadens COVID-19 Hub.

Authored by:

Antoine Pace, Partner
Gabe Abfalter, Associate