Overview – Australian contact tracing app

The launch on 26 April 2020 of the Australian government's contact tracing app, COVIDSafe, has raised some privacy concerns within the community. Some of these may be well-founded, others less so.

Whilst the Privacy Act 1988 (Cth) (the Privacy Act) sets clear parameters for how the government uses personal information which it collects, there are a number of factors which could influence the effectiveness of the Privacy Act in the context of this initiative.

These factors include: (1) how the information will be used; (2) how it will be stored; and (3) how long it will be retained.

The government has for the most part provided adequate reassurances in this regard. The success of the initiative will now turn on the extent to which the public accepts them.

Background – international context and basis for an Australian app

Contact tracing is a well-established epidemic control measure which is used to identify, educate and monitor individuals who have had close contact with someone who is infected with a virus.

Contact tracing is not unique to the current COVID-19 pandemic, but modern location-tracking technology has enhanced the methods by which it can be implemented. South Korea and Taiwan were the earliest adopters in response to COVID-19, followed by China which made a WeChat plugin app available for use on a voluntary basis.

Singapore then introduced its TraceTogether mobile app, using Bluetooth which enables participating devices to exchange proximity information, including the duration of contact. The Singapore app stores information in an encrypted form on a person's phone for 21 days on a rolling basis, with no location data being collected. If a person is infected by COVID-19, authorities can upload a list of anonymised IDs for the past 14 days for contact tracing.

When the Australian government announced its COVID-19 support package on 30 March 2020, it committed $30m to provide people with "practical advice" as to how to contain the virus and stay healthy. In this context, the possible use of a contact tracing app was foreshadowed.

On 16 April 2020, Prime Minister Scott Morrison announced that the Australian Signals Directorate was assessing an app which would be similar to the Singapore TraceTogether App. Mr Morrison initially indicated that use of the app would be on a voluntary basis, but the following day he indicated that he "would not entirely rule out" making it mandatory.

Experts have generally agreed that 40–50% community participation would be necessary for the initiative to be effective. Given that Singapore has reportedly achieved a take-up rate of only 25%, the Australian target for voluntary participation may be optimistic, meaning that mandatory use of the app must be regarded as a realistic possibility.

Privacy context

Any personal tracking app raises privacy concerns, specifically in the context of the collection, security and potential misuse of personal information.

Australians do not, however, have an inalienable right to privacy. Despite much agitation from some quarters over many years, Australia does not have a Bill of Rights which would impede the enactment of legislation perceived as being contrary to privacy or other human rights. Our superior courts have consistently rejected the concept of a common law privacy right.

Privacy is, nevertheless, a fundamental right enshrined in Article 17 of the International Covenant on Civil and Political Rights (ICCPR). Australia signed the ICCPR in 1972 and ratified it in 1980. The Convention has not been adopted directly into Australian law, but it did provide a mechanism for the enactment by the Commonwealth government of the Privacy Act, as the government was able to rely on the external affairs power in section 51(xxix) of the Constitution.

The extent to which "privacy" is recognised under Australian law at national level is, as a consequence, as set out in the Privacy Act. The Act is not, however, all-encompassing. It addresses "data protection" rather than "privacy" in a more generic sense. Like any other Commonwealth Act, it can be amended or overridden by other Commonwealth legislation. Moreover, the Privacy Act expressly reserves the right of states and territories to enact their own laws relating to the collection and use of personal information.

The Commonwealth legislative process nevertheless acknowledges the significance of human rights and the importance of ensuring that new legislation strikes the right balance. Since 2012 it has been a legislative requirement that all Commonwealth bills be accompanied by a Statement of Compatibility with Human Rights, containing an assessment of whether the legislation is compatible with rights and freedoms recognised or declared by international treaties which Australia has ratified. This embraces a review of the impact on privacy, if any, of all new legislation.

Ultimately, however, the introduction of a contact tracing app need not be impeded by law – it becomes more a question of whether the use of the app infringes community privacy standards. Circling back, "community standards" tend to be informed by existing privacy (or data protection) legislation which shapes public expectations as to how their personal data will be used.

Privacy issues

The essence of privacy and data protection law is that individuals should have the right to control the collection and use of information about themselves, subject to any overriding public interest.

Against this background, the release of a contact tracing app inevitably raises the following questions:

  • Where will the information be stored? Concerns have been expressed that the creation of a central database concentrates too much information in one location, thus creating unacceptable security risks. This was the same concern which derailed the introduction of the Australia Card in 1986;
  • How will the information be used? The immediate purpose of collecting the personal data is obviously to facilitate contact tracing in the event that a person is diagnosed with COVID-19. Concerns have been expressed, however, about the potential for "scope-creep", with government and law enforcement agencies being unable to resist the temptation to access the data for unanticipated, albeit defensible, purposes;
  • How long will the information be retained? The longer that information is retained, the more susceptible it is to unauthorised access or to use in a historical context for purposes unconnected to the original reason for its collection;
  • How long will the scheme run? Whilst there may be broad community acceptance of the value of a contact tracing app and perhaps even the need for mandatory use – at least amongst those who possess a smartphone – this acquiescence is likely to abate with the virus itself. Would there be justification for the government utilising the technology on an ongoing basis, whether ostensibly for the purpose of combatting future epidemics or, more insidiously, for other purposes?

Existing legislative protections – the Australian Privacy Principles

Even prior to the legislative amendments foreshadowed by the government on 5 May 2020, the Privacy Act provided an adequate framework within which the scheme can operate.

Provisions of particular relevance are as follows:

  • Australian Privacy Principle 3 – personal information must be collected only by lawful and fair means. Given that the function of the app is well understood and is not covert, and particularly whilst the function is activated only on an opt-in basis, this Principle would be satisfied. In the event of mandatory usage, there would be some blurring of what constituted "fair", but overall this Principle should not prove a stumbling block;
  • Australian Privacy Principle 5 – at or before the time of collection of their personal data, individuals must be advised, inter alia, as to the legal basis of collection and the purpose of collection. Typically, this requirement is addressed by written information when an app is downloaded;
  • Australian Privacy Principle 6 – personal information may only be used in connection with the primary purpose of collection or a reasonably related secondary purpose. Assuming that the "purpose" of collection has been adequately confined by the disclosure under APP 5, APP 6 provides a buffer against the possibility of "function creep";
  • Australian Privacy Principle 8 – restrictions are imposed on the ability to disclose personal information to an overseas recipient. In the context of the COVID-19 privacy debate, concerns had been raised by the announcement that Amazon Web Services would host the data, thus potentially enabling US law enforcement agencies to access data stored on US servers;
  • Australian Privacy Principle 11.1 – personal information must be protected from misuse, interference and loss, and from unauthorised access, modification and disclosure. The government is well aware that this Principle is the key to public confidence in the contact tracing app. Relevantly, the Australian Cyber Security Centre was engaged to assist in the conduct of a Privacy Impact Assessment of the scheme as a precursor to launch;
  • Australian Privacy Principle 11.2 – personal information must not be kept longer than required in connection with the original purpose of collection, unless otherwise provided by law. Compliance with this principle is contingent upon two things: (1) a suitably restrained definition of "purpose"; and (2) a realistic determination of how long the data can be useful for coronavirus contact tracing following collection.

The rollout

The COVIDSafe app was launched on 26 April 2020, accompanied by the Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) (Emergency Requirements – Public Health Contact Information) Determination 2020 ("the Determination"), including a COVIDSafe Privacy Policy.

The Determination was made on 25 April 2020 pursuant to an earlier declaration, the Biosecurity (Human Biosecurity Emergency) (Human Coronavirus with Pandemic Potential) Declaration ("Biosecurity Declaration"), which was made on 18 March under section 475 of the Biosecurity Act 2015.

The Biosecurity Declaration created a 3-month "human biosecurity emergency period", during which the Health Minister may determine emergency requirements. It was on this basis that the Determination was issued, with the effect of overriding any inconsistent provisions in other Commonwealth legislation.

On 5 May 2020, the government released draft legislation which it said it intended to enact on 11 May upon resumption of Parliament. The legislation will replace the Determination, and will provide some measure of reassurance to those who felt uneasy about a legislative instrument, in the form of the Determination, which could be changed at the whim of a Minister.

Key features of the COVIDSafe scheme, as reflected initially in the Determination, include:

  • The purpose of collection is confined by section 6(2) of the Determination to contact tracing or, in the words of the Privacy Policy, "to help conduct contact tracing when you register for, use or upload, data to COVIDSafe";
  • The use of the app is "completely voluntary", and section 9 expressly prohibits any coercion (by employers or others) to download the app;
  • Pursuant to section 7(3) of the Determination, all registration information will be stored in a cloud-based data storage facility, using infrastructure located in Australia with appropriate security;
  • Contact data will be deleted on a rolling 21-day basis;
  • The Privacy Policy states that all data will be deleted "after the COVID-19 pandemic has concluded as required by the Biosecurity Determination". As the Determination is effective only for as long as the Biosecurity Declaration, which expires on 17 June 2020, this places a limit on the duration of the scheme, although the emergency period could of course be extended;
  • Personal information will be used to enable contact tracing by health officials. This will include using a person's mobile number to send an SMS, using encrypted IDs, to identify other COVIDSafe users that a positive COVIDSafe user had contact with in the past 21 days and providing health officials with access to registration information to enable contact tracing, but not for any other purpose;
  • Information can be deleted upon request. According to the Privacy Policy, contact information stored on a person's phone will be deleted upon de-installation of the app (although de-installation will not automatically delete information already located in the data store, and a separate request will be required in that regard).

The Determination, supported by the Privacy Policy, therefore addressed the key privacy issues presently prescribed by law: participation is voluntary, and information can be deleted upon request; the purpose of collection, and the scope of use, is clear; the information will be stored securely and will not be transmitted overseas.

The Determination will be enshrined in legislation in the event that the draft legislation is passed by Parliament. The exposure draft, known as the Privacy Amendment (Public Health Contact Information) Bill 2020, amends the Privacy Act by inserting a range of new definitions into section 6, and by introducing a new Part VIIIA (Public Health Contact Information).

New provisions which go beyond the Determination include the following:

  • the Office of the Australian Information Commissioner will have oversight of COVIDSafe, including management of complaints about mishandling of COVIDSafe data: s 94T;
  • the Privacy Act's Notifiable Data Breaches scheme is extended to apply to COVIDSafe data: s 94S;
  • the interaction between the powers and obligations of the OAIC in relation to COVIDSafe data and the powers of state and territory privacy regulators and the Australian Federal Police is clarified: ss 94V, 94W;
  • the administrator of the National COVIDSafe Data Store will delete users' registration data upon request: s 94L;
  • an individual will be required to delete COVIDSafe data if they receive it in error: s 94M;
  • no data can be collected from users who have chosen to delete COVIDSafe: s 94N; and
  • COVIDSafe data will be deleted at the end of the COVID-19 pandemic and users will be notified accordingly: s 94P.

Prior to the launch, there had been calls for the scheme to be accompanied by a "sunset clause", meaning that rollout and use of the app would not continue beyond a specified date, at least not without further review of the initiative. Six months had been suggested as an appropriate initial term.

A sunset clause is not included in the Determination or the draft legislation, but in one sense it would be superfluous, given that the scheme is said to be of finite duration, terminating "when the COVID-19 pandemic has concluded". The one grey area in this regard is imprecision over what will ultimately constitute the "conclusion" of the pandemic.

Warnings have also been raised about the ability of US law enforcement agencies to access information stored on US servers pursuant to the USA Patriot Act of 2001 and, more recently, the US CLOUD Act. In this regard, the concern arises from the fact that Amazon Web Services will host the data. The fact that the data will be hosted in Australia provides insufficient comfort to some, although the threat is probably more illusory than real – APP 6.2(b) permits the disclosure of personal information under an "Australian law", but does not expressly authorise disclosure pursuant to a foreign law in circumstances where the data storage is otherwise subject to Australian law. In other words, it would be a breach of the Privacy Act to disclose personal data to US authorities pursuant to the Patriot Act or the CLOUD Act.

One other lingering concern relates to the prospect of law enforcement agencies accessing data pursuant to a mandatory industry assistance scheme introduced by amendments to the Telecommunications (Assistance and Access) Act 1979 in December 2018. It is stated in the Explanatory Memorandum to the Determination that the Determination "only allows" for the data to be used by law enforcement agencies for the purpose of prosecuting breaches of s 479 of the Biosecurity Act and, whilst this is correct, the Determination does not otherwise expressly prohibit use by law enforcement agencies in other circumstances. Nevertheless, this loophole appears to have been adequately addressed by the proposed section 94ZB in the exposure draft which "cancels the effect of any Australian law...that, but for this section, would have the effect of permitting ...conduct... that would otherwise be prohibited under this Part".

The question of whether an inadequate take-up of the app might prompt conversion of the scheme to mandatory participation, or at least to "opt-out" status, remains a theoretical one at this stage.

Dr Gordon Hughes AM discusses these issues further in a 20-minute video recorded on 1 May 2020 (which counts towards substantive law CPD requirements for Australian lawyers).

The article was originally published on Monday, 27 April 2020. The content was last updated on Tuesday 5 May 2020.
