The Commonwealth Parliament has now passed legislation to regulate the collection and use of COVID app data.
In addition, the Commonwealth Digital Transformation Agency has now released the source code for the app, which has allowed independent analysis of how the app operates.
This update discusses the legislation and the commentary in relation to the source code.
The Privacy Amendment (Public Health Contact Information) Bill 2020 secured passage through both houses of Parliament on 14 May 2020. As discussed in our earlier article, the legislation is intended to replace the Determination that had been issued under the Biosecurity Act 2015, which provided temporary protections in relation to the app.
Interaction with the Privacy Act
In relation to the offences, the legislation largely replicates the offences set out in the Determination. The penalties for offences are fines of up to $63,000, or up to 5 years’ imprisonment, or both.
Under the Act it is an offence to:
The legislation also requires regular reports to be released about the operation of the app:
What happens when the pandemic ends
The legislation provides that the data in the National COVIDSafe Data Store must be deleted when the pandemic is over. As we discussed in our earlier update, the Determination contained some ambiguity as to when the pandemic is considered to be over.
The legislation provides that the Health Minister must determine by notifiable instrument the end of the COVIDSafe data period, if the Minister is satisfied that the use of the app is no longer required to prevent or control, or is no longer likely to be effective in preventing or controlling, the entry, emergence, establishment or spread of COVID-19 in Australia or in any part of Australia.
Before making such a determination, the Minister must consult with, or consider recommendations from, the Commonwealth Chief Medical Officer or the Australian Health Protection Principal Committee (this is the key decision-making committee for health emergencies, which is comprised of all State and Territory Chief Health Officers and is chaired by the Australian Chief Medical Officer).
As soon as reasonably practicable after the Health Minister determines the COVIDSafe data period to be over, the data store administrator must delete the National COVIDSafe Data Store. After the deletion, the data store administrator is to inform the Health Minister and Information Commissioner that all COVID app data have been deleted and must take all reasonable steps to inform current users of the app of that fact, and the fact that COVID app data can no longer be collected, and that they should delete COVIDSafe from their devices.
As previously indicated, we consider it would be prudent for the government to engage an auditor to determine whether or not data has been deleted.
On 8 May 2020 the Commonwealth Digital Transformation Agency (DTA) released the source code for the app.
The DTA sought feedback in relation to the app, and has committed to releasing updates to the app to improve its functionality. The first update to the app was released earlier this week, and deals with a number of reported issues as well as changes to clarify for users the process to upload data if a user tests positive.
The DTA has indicated that it is working with Apple and Google, who are developing their own contact tracing protocol. Given that a number of countries are now working on contact tracing apps of their own, it is likely that further improvements will progressively be implemented.
Commentary in relation to the source code has been fairly muted, in part because the software had previously been decompiled by a group of independent security researchers who had released a report as to identified issues. No code had been found on the app that intentionally tracks the user beyond the scope of contact tracing, nor had code been identified that transmits the user’s encounter history to third parties without the explicit consent of the user. Discussion is continuing about the hosting of the National COVIDSafe Data Store.
The most recent figures announced by the government are that the app has been downloaded 5.6 million times out of the roughly 16 million Australians who own a smartphone.
As restrictions around the country begin to ease and movement increases, the app will be put to the test, and its utility as a contact tracing tool, used in conjunction with significant testing effort, will be revealed.
For details of all our COVID-19 tips and updates, visit the Gadens COVID-19 Hub.
Antoine Pace, Partner
Gabe Abfalter, Associate