The Australian Human Rights Commission has welcomed the release of the exposure draft of the Privacy Amendment (Public Health Contact Information) Bill 2020 (the ‘draft Bill’). This sets out the legal protections for the Australian Government’s contact-tracing COVIDSafe App.
The Commission has previously welcomed the development of the COVIDSafe App as an important public health initiative, which can help protect the rights of Australians to health and life. The Commission has analysed the draft bill to ensure that it includes all necessary protections of human rights. Our focus has not been on the efficacy of the App or other technical issues.
The draft Bill contains a number of important legal protections, including criminal offences regarding misuse of the COVIDSafe App. We support the provisions of the Bill making it illegal to coerce someone to download or use the App, for instance as a condition of employment, or before providing goods or services.
International human rights law requires that people have access to effective remedies when their human rights are violated (in this case, by misuse of the App or the personal data in it). For the most part, the Draft Bill does this.
However, the Commission considers that there are some ways in which protections in the Bill can be further improved and strengthened – and we would like to see these considered in the legislation.
The Bill prioritises criminal prosecutions over other remedies. The Commission considers that the Draft Bill should be amended to ensure that all people who suffer loss as a result of breaches can, in a quick and simple way, obtain compensation or other personal remedy for any losses sustained, whether that be because of actions of government while administering the App or conducting contact tracing, or the actions of private individuals.
People whose rights have been seriously affected by unlawful use of their personal information should not always have to wait for decisions about prosecutions to be made before having access to a remedy. It is also important that people are able to take steps in appropriate cases to protect their rights if some breach of the Bill is threatened.
The Privacy Impact Assessment released by the Department of Health outlines what data will be collected in relation to the App, where it will be stored, and when it is to be decrypted. Some of these design features protect privacy strongly. However, many are not mandated by the Draft Bill and we believe they should be.
The Commission recommends the Draft Bill restrict information storage in the COVIDSafe Data Store for the minimum period necessary to complete contact tracing, unless there are compelling reasons for why it needs to be kept for longer. The Commission recommends that the Draft Bill be amended to include a mandatory termination date for all data obtained through use of the App, or otherwise held in the Data Store.
The protections in the Draft Bill are there to ensure that information obtained through the App is only used for contact tracing. We think restrictions should also be in place for the use of any information contact tracers could obtain as a ‘by product’ of receiving information collected or generated by the App.
The Commission has also recommended that the Bill be amended to require the timely review of the operation and effectiveness of the App, the National COVIDSafe Data Store, and the provisions introduced to the Privacy Act by the Draft Bill. That review should be conducted by a parliamentary committee or an independent body, within six months of the passage of the Draft Bill.
Finally, some people with disability, older people and people with pre-existing health conditions are susceptible to more severe impacts from Coronavirus. It is important that they have the full opportunity to use, if they so choose, the COVIDSafe App, to increase their chances of being notified if they have potentially been exposed to COVID-19.
It is vital that careful monitoring take place to ensure the App is accessible in its design and operation, and that it be functional on as many devices as possible, including older and less expensive devices.