All comments to be attributed to Law Council of Australia President, Ms Pauline Wright.
The public release of the government's exposure draft Bill underpinning the COVIDSafe app is welcomed by the Law Council. The Bill proposes to replace the Determination made under the Biosecurity Act 2015 (Cth) with primary legislation, by inserting a new provision in the Privacy Act 1988 (Cth). This will create greater clarity and certainty in the governing legal framework.
The government has addressed a major concern of the Law Council by conferring a specific oversight role on the Privacy Commissioner. The Bill also confers powers on the Commissioner to refer matters to state and territory privacy and law enforcement authorities where considered appropriate. It also extends the complaints, enforcement regime and remedies available under the Privacy Act to breaches of the specific requirements governing the operation of the COVIDSafe app.
Other amendments impose specific obligations on the data store administrator (who is responsible for the national data store) in relation to the deletion of data and notification and remediation of data breaches. The Bill retains the prohibitions on the secondary use and disclosure of data collected by the app and coercing other persons to use the app. It adds a further prohibition on the non-consensual uploading of data from a mobile device to the national data store if a person tests positive to COVID-19.
However, some of the core design parameters raised in the Law Council's principles, released on 24 April 2020, are not yet fully incorporated. In particular, the Law Council considers that the legislation should prescribe the core parameters or minimum design specifications of the COVIDSafe app and data store themselves, rather than leaving them to be determined from time-to-time. For example, the legislation should provide that the app must operate on a strictly voluntary, opt-in basis at all times, with accessible mechanisms for users to 'opt out'.
The Law Council also supports prohibitions on creating and using 'derivative data' from data that has been collected by the app; and reverse engineering or re-identifying data that has been 'de-identified'. Other matters that the Law Council would like to see addressed in the Bill are:
- Provisions requiring the Privacy Commissioner to inspect and certify that the data deletion obligations at the end of the app's period of operation have been complied with;
- Periodic reporting obligations while the app is operational, with these reports tabled in Parliament; and
- Streamlined arrangements to manage the interaction of investigations by the Privacy Commissioner with law enforcement investigations of offences for breaching the prohibitions on the use of data, under which the Commissioner is not obliged to discontinue investigations.
