COVID Safe App and the Law

At one minute to midnight on Anzac Day, Federal Health Minister Greg Hunt exercised his powers under the Biosecurity Act 2015 to enact delegated legislation providing for regulation of the data collected, stored and used by the COVID Safe App.

The Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements—Public Health Contact Information) Determination 2020 applies to data that has been collected or generated by the app for contact tracing. The data may be stored on a mobile, transmitted by the user to the National COVID Data Store and then accessed by State and Territory employees or contractors for the purposes of contact tracing.

The regulations provide that data can only be stored on the device for 21 days. The user must consent to the installation of the app and, if they are found to be COVID-19 positive, a second round of consent is required before the data is uploaded to the National Data Store.

The regulations require the Commonwealth to delete the data uploaded by users when the pandemic is declared to have ended. There are no specified requirements for when State and Territory agencies, employees or contractors must delete the data. The privacy law and regulations at a State and Territory level are yet to be written and this is critical given the main users of the data will be the State and Territory based contact tracers. 

It is prohibited to coerce another person to download the app or upload the data to the National Data Store.

It is a criminal offence to contravene the regulations with penalties including five (5) years imprisonment and fines.

The regulations permit the data to be uploaded to the National Data Store and shared with State and Territory health authorities to be used for research. It is permissible for that research to be published if ‘de-identified’. There have been previous issues with the re-identification of de-identified public health data, such as MBS-PBS data, which raises concerns.

The section of the Biosecurity Act 2015 which the Minister has used to exercise these powers means that this Determination is non-disallowable. A determination is legislation which has been made by the Minister using the powers delegated to him by Parliament. This Determination has not been tested by Parliament and will not be, as the Biosecurity Act specifically states it is non-disallowable.

Most legislative instruments or Determinations provide for a process whereby a Notice of Motion can be given in either of the Houses of the Commonwealth Parliament within 15 sitting days of the legislative instrument being tabled in the House. There are then a further 15 sitting days within which the Notice of Motion must be dealt with – if the Motion is not negatived or disposed of then it is disallowed. 

This process provides an important check and balance on the exercise of power by the Executive branch of Government. This Determination has been made using powers that specifically do not allow for a disallowance motion. There is still the option for judicial review. 

The explanatory memorandum released with the delegated legislation outlines who the Minister consulted with – it is noteworthy that all those listed are Government bodies.

On 26 April 2020, the same day the app became available for download, the Privacy Impact Assessment undertaken by Maddocks and the Government response to that assessment were released. The assessment raised several issues, some of which the Government has attempted to address.

Important among the recommendations made by Maddocks was that the Government should release the source code. Prime Minister Scott Morrison and Minister for Government Services Stuart Robert both promised the Australian public that this code would be released. The Government has not yet done this, despite Electronic Frontiers Australia, tech and legal experts, and other civil rights groups calling for its release so that the code can be scrutinised to ensure adequate privacy protections are in place before the launch.

The Minister has indicated the Attorney-General will be tabling legislation in Parliament in the first sitting week in May. Draft legislation has not yet been published for scrutiny and comment by civil society. It appears the Determination is an attempt to legislate in the interim, due to a rushed deployment of the app to meet an arbitrary deadline before it was fully ready. The reason for rushing to release the app before it was operational is unclear. 

The Federal Government has a woeful track record of tech and data privacy disasters including My Health Record, Census Fail, Robodebt, the Data Retention scheme and My Gov crashing just when Australians needed it most. There is also the important issue of whether the data will be accessible by the United States under the CLOUD Act, as the data is stored in the cloud on Amazon Web Services, a US-incorporated business subject to that Act. The CLOUD Act requires cloud services to produce data held by them regardless of where internationally that data is stored if required to do so by subpoena.

Those at risk of domestic violence also need to be aware that the app causes their device to store and broadcast a device name and identifier, which is readable by someone with a low to moderate skill level, or potentially if the device already has stalkerware installed on it.

Maddocks raised concerns about ‘function creep’ and whether the information and data collected by the app for contact tracing could be used for other purposes. The Determination has attempted to prohibit that but it remains to be seen if that will be effective.

It also remains to be seen whether data matching with other Government held data sets will occur such as the data held by ISPs and the Commonwealth Government collected under the data retention scheme. If that data matching is for the purposes of contact tracing then it appears that may be permissible under the current regulations.

It is a concern that child users will be permitted to identify that their parent or guardian has consented to them downloading and installing the app and/or uploading the data to the National COVID database if they test positive. Young people are notoriously adept at avoiding consent processes. There is a further issue—which Maddocks do not appear to have dealt with—as to how a State or Territory health detective (as Prime Minister Morrison has referred to them) will identify who is the appropriate parent or guardian to contact and notify if they are identified as a user who has come into contact with a positive COVID case as identified in the data. In separated families, this could be a contentious issue and potentially raise risks for those young people and parents at risk of family violence from the other parent/guardian. 

The Chief Justice of the Family Court of Australia and Chief Judge of the Federal Circuit Court of Australia has reported a 40% increase in urgent applications to the Family Court and Federal Circuit Court about COVID-related parenting disputes, and this app has the potential to increase the number of those disputes. What if one parent consents to a child installing it and/or uploading the data from the app and the other parent does not? Judges may be asked to determine these issues in the family law jurisdiction in future, just as they are now sometimes asked to determine what apps separated parents use for communications about parenting arrangements.

There does not appear to be a process for a user to access a copy of any data held about themselves in the National Health Database for the purposes of ensuring it is correct or to request deletion of that data.

Those contact tracers employed or contracted to State and Territory Health Authorities are being entrusted with sensitive information which is deserving of a very high level of privacy protections. As acknowledged in the explanatory memorandum, due to the extraordinary conditions imposed by the coronavirus known as COVID-19, “there may be persons involved in the contact tracing process who are not technically employees or officers of a State or Territory health authority. Providing that a person may be ‘in the service’ of a State or Territory health authority allows those authorities to rely on the resources available to them to facilitate contact tracing, while retaining a requirement that there be adequate proximity and oversight by the State or Territory health authority.”

Protection of the data is reliant on multiple levels of Government maintaining sufficient oversight of the use of that data and of any backups made of it, which we know has traditionally been problematic, with a lack of adequate protections.

Whilst the Government has stated that the data cannot be accessed by Court orders or subpoena, it is highly likely that this data will be captured in discovery processes in civil proceedings and potentially criminal proceedings down the track. Similar promises were made by the Federal Government when the data retention scheme was introduced; the assurances given at that time have proven to be flawed, and multiple agencies who do not qualify as eligible to access that data are still obtaining it through back door means by way of requests made through eligible agencies.

As well as the privacy and data protection issues outlined above, if the community is reliant on a currently non-operational app to protect it from COVID-19, that only creates greater risks to the community.

Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements—Public Health Contact Information) Determination 2020

COVIDSafe Application Privacy Impact Assessment

COVIDSafe Application Privacy Impact Assessment – Agency Response