Under the bill, a new provision will be incorporated into the Privacy Act 1988
The Law Council of Australia has applauded the COVIDSafe exposure draft bill released by the government in response to data privacy concerns regarding the new contact tracing app.
The council’s statement, which was released on 5 May, noted that the bill proposes the incorporation of a new provision into the Privacy Act 1988 to replace the determination under the Biosecurity Act 2015 with primary legislation.
Any breaches of the requirements in COVIDSafe’s operation will be subject to the complaints, enforcement regime and remedies under the Privacy Act. Moreover, the privacy commissioner will have the power to refer matters to law enforcement and to state and territory privacy authorities as appropriate.
“The government has addressed a major concern of the Law Council by conferring a specific oversight role on the privacy commissioner,” said Law Council President Pauline Wright.
The data store administrator for the COVIDSafe app will have certain obligations with regard to deleting data, as well as to notifying and remediating data breaches. In the event that a user tests positive for COVID-19, the data administrator may not upload the data obtained from the mobile device to the national data store without the person’s consent.
This is in addition to previously set prohibitions against imposing the mandatory use of COVIDSafe and against the disclosure and secondary use of the information collected by the app.
The Law Council said that the bill will “create greater clarity and certainty in the governing legal framework.”
Nonetheless, the council also pointed out that a number of the core design principles it had outlined in April remained unaddressed.
“In particular, the Law Council considers that the legislation should prescribe the core parameters or minimum design specifications of the COVIDSafe app and data store themselves, rather than leaving them to be determined from time-to-time,” Wright said. “For example, the legislation should provide that the app must operate on a strictly voluntary, opt-in basis at all times, with accessible mechanisms for users to ‘opt out’.”
The council suggested that the bill should also require the privacy commissioner to confirm that data have been deleted from the data store once the app is no longer in operation. Should data breaches occur, “streamlined arrangements” should be developed to facilitate coordination between the commissioner and law enforcement on investigations.
Moreover, regular reports on whether obligations are being met should be tabled in parliament throughout the app’s operational period.