The bill proposes to replace the determination made under the Biosecurity Act 2015 (Cth) with primary legislation, by inserting a new provision in the Privacy Act 1988 (Cth). 

“This will create greater clarity and certainty in the governing legal framework,” LCA president Pauline Wright said.

Ms Wright said that the government addressed a major concern of the Law Council by conferring a specific oversight role on the Privacy Commissioner. 

Attorney-General Christian Porter sought to allay privacy concerns about the app through release of the draft bill, as downloads of the app topped 5 million.

The draft legislation, which largely reproduces biosecurity orders designed to protect early users of the app before parliament returns on 12 May, creates a series of offences punishable by five years in prison, a $63,000 fine, or both for abuses of the data captured for any purpose other than authorised contact tracing.

Ms Wright said that the bill also confers powers on the commissioner to refer matters to state and territory privacy and law enforcement authorities where considered appropriate. It also extends the complaints, enforcement regime and remedies available under the Privacy Act to breaches of the specific requirements governing the operation of the COVIDSafe app.

In regards to the safety of data, “other amendments impose specific obligations on the data store administrator (who is responsible for the national data store) in relation to the deletion of data and notification and remediation of data breaches,” Ms Wright said.

VIEW ALL

According to Ms Wright, The bill retains the “prohibitions on the secondary use and disclosure of data collected by the app and coercing other persons to use the app”.

This also means it adds a further prohibition on the non-consensual uploading of data from a mobile device to the national data store if a person tests positive to COVID-19.

However, Ms Wright said that some of the core design parameters raised in the Law Council’s principles, released on 24 April 2020, are not yet fully incorporated. 

“In particular, the Law Council considers that the legislation should prescribe the core parameters or minimum design specifications of the COVIDSafe app and data store themselves, rather than leaving them to be determined from time to time,” Ms Wright said.

“For example, the legislation should provide that the app must operate on a strictly voluntary, opt-in basis at all times, with accessible mechanisms for users to ‘opt out’.”

The Law Council has also raised its support for prohibitions on creating and using ‘derivative data’ from data that has been collected by the app; and reverse engineering or re-identifying data that has been “de-identified”.

Other matters that the Law Council would like to see addressed in the bill include: 

• Provisions requiring the Privacy Commissioner to inspect and certify that the data deletion obligations at the end of the app’s period of operation have been complied with.
• Periodic reporting obligations while the app is operational, with these reports tabled in parliament; and
• Streamlined arrangements to manage the interaction of investigations by the Privacy Commissioner with law enforcement investigations of offences for breaching the prohibitions on the use of data, under which the commissioner is not obliged to discontinue investigations.