Australian Information Commissioner and Privacy Commissioner Angelene Falk has welcomed changes to the Privacy Act 1988 that enshrine strict privacy safeguards for COVIDSafe app data in law.
The Privacy Amendment (Public Health Contact Information) Bill 2020 makes mishandling of COVIDSafe app data an offence and an interference with privacy.
“The new law contains strong privacy measures to give Australians confidence in the protection of their personal information within the COVIDSafe system,” Commissioner Falk said.
The privacy safeguards provide individuals with choice and control over their data. The app is voluntary and users can delete it and request deletion of their registration data.
“COVIDSafe app data can only be used for purposes related to contact tracing and must be stored in Australia and destroyed when the app is no longer required,” Commissioner Falk said.
“My office has provided advice and guidance on the privacy safeguards with the aim of protecting individuals’ personal information while using technology to help address this health crisis.
“The new law is in keeping with our advice on the Privacy Impact Assessment that legislation provides the strongest form of protection to codify the privacy safeguards.”
Unauthorised collection, use or disclosure of COVIDSafe app data or requiring someone to download or use the app is a criminal offence. It is also an interference with privacy and triggers the regulatory powers of the Office of the Australian Information Commissioner (OAIC).
The new law provides an expanded regulatory oversight role for the OAIC to ensure personal information is handled in accordance with the legislation’s requirements. This includes the handling of COVIDSafe app data by State and Territory health authorities as well as by the Commonwealth COVIDSafe app and National COVIDSafe Data Store.
“The oversight of the privacy protections passed today are a top priority for my office,” Commissioner Falk said.
“Any breaches of COVIDSafe app data by those handling the information will need to be notified to my office, whether at federal or state level.
“The OAIC can proactively assess the system to identify any privacy risks and has expanded powers to compel information and documents. Individuals can also make complaints to the OAIC about the handling of their personal information within the COVIDSafe system.”
The OAIC will monitor the handling of personal information in the COVIDSafe system and report in six months on the performance and exercise of the Commissioner’s functions and powers, in accordance with the law passed today.