Support for the introduction of a coronavirus contact tracing app to monitor the spread of COVID-19 in Australia has been mixed, even within the government.
Whilst they support the effort to contain the virus, some politicians have been outspoken in their opposition of attempts to track the movement of private citizens (including themselves), whilst others have indicated their support is conditional on further privacy protections being guaranteed.
Some overseas governments have opted for rather invasive measures to be adopted in order to halt or slow the spread of the coronavirus, such as utilising smartphone location data, surveillance footage and credit card records to monitor whether people have been complying with self-isolation measures. For instance, some European mobile operators have begun sharing data with Italian, German and Austrian health authorities to ensure that movement restrictions are being complied with in an attempt to contain the effects of COVID-19.1
The Australian government has announced that it is looking at implementing measures similar to those employed by Singaporean authorities to help track the spread of the virus, at least on a voluntary basis. In Singapore, a smartphone app has been utilised which locates and tracks people who have tested positive for the virus in order to determine who they may have been in contact with.2 This proposed course of action clearly raises complex privacy issues and would understandably have some people concerned.
The Australian coronavirus contact tracing app will be able to identify when users have been within 1.5 metres of other users of the app for more than 15 minutes. Whilst each user is given an anonymous ID, the personal information that is collected by the app includes the user’s name, mobile number, postcode and age range. The information will be collected and stored in a central database and the federal government has noted that only certain state health officials will be able to see the data. The privacy risks stem from security concerns regarding a third party obtaining the secret keys or unlocking the keys. The downloading and use of the app is voluntary but the federal government is hoping that a reasonable portion of the population download it for the system to be effective.
Can the government use my location data?
Although Australia lacks a general cause of action for invasion of privacy, surveillance-related legislation has been enacted in each Australian State and Territory which seeks to regulate the recording of private activities.3 In the Northern Territory, Victoria, South Australia and Western Australia, the filming or recording of private activities without consent is generally precluded. For these purposes, an activity will generally not be regarded as private if carried on in circumstances where the parties to the activity should reasonably expect that the activity might be observed by someone else. In New South Wales, the focus is whether the recording occurs on private premises without authorisation – if the recording of an activity would involve unauthorised entry onto premises, that recording is prohibited. The Australian government’s proposed use of location data would not fall within these specific prohibitions.
Since October 2015, telecommunication companies are required to retain mobile phone “metadata” for a period of two years as part of a national data retention scheme.4 This data may be able to specify where a person has travelled and who they have been in contact with during the period of the COVID-19 outbreak in Australia. Under the Telecommunications Act 1997 (Cth), the disclosure of protected information obtained by service providers is only permitted in certain limited circumstances.5 However, service providers can be compelled to provide officers of the Commonwealth, States and Territories information that is reasonably necessary to enforce the criminal law, protect the public revenue and safeguard national security.
The likely source of power to enact these surveillance measures is the Biosecurity Act 2015 (Cth). This Act seeks to manage biosecurity threats to plant, animal and human health in Australia. Under the Biosecurity Act, the Governor-General may declare that a human biosecurity emergency exists if a disease exists which poses a severe and immediate threat to human health on a national scale.6 If a human biosecurity emergency is declared, the Minister for Health is permitted to take any action that he or she deems necessary to prevent or control the emergence, establishment or spread of the disease.7 A human biosecurity emergency was declared in relation to COVID-19 on 18 March 2020.
Can my private health information be collected and disclosed?
Another concern is whether, and if so, to what extent, government agencies and private organisations are able to collect, use and disclose private health information. On a state level, New South Wales, Victoria and the Australian Capital Territory have legislation dealing specifically with health records which promote the fair and responsible handling of health information.8
On a national level more generally, the Privacy Act 1988 (Cth) regulates privacy protection and the handling of personal information. In particular, the Privacy Act also regulates “health information”; that is, information regarding the health of an individual (including an illness, disability or injury of an individual) and information obtained through provision of health care services.9 Health information is treated as “sensitive information” under the Privacy Act and given greater protections than other types of personal information. The health or medical information of persons who have been tested for COVID-19, for instance, would be regarded as health information under the Privacy Act.
Collection of Health Information
Generally, the organisation or government entity must obtain consent from the individual prior to the collection of their health information. However, where the collection of the information is necessary to provide a health service to an individual or the collection is necessary for research relevant to public health or safety and it is impracticable for consent to be obtained, collection is permitted.10
Use and Disclosure of Health Information
The use or disclosure of health information by organisations is generally prohibited subject to the following exceptions:
- Where the use or disclosure is necessary for research relevant to public health or public safety and it is impracticable for the organisation to obtain the individual’s consent to the use or disclosure;11
- For the use or disclosure of genetic information, where the information has been obtained in providing a health service to an individual and the organisation reasonably believes that the use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of a genetic relative of the individual;12 and
- Where an organisation provides a health service to an individual, the recipient of the information is a responsible person for the individual, the individual is legally or physically incapable of giving consent and the carer of the individual is satisfied that the disclosure is necessary to provide care or treatment of the individual or is made for compassionate reasons.13
Although it has not yet been invoked, the exception for disclosure of health information on the grounds of public health and safety would, at first glance, seem to allow disclosure on the basis of preventing or lessening the effects of the COVID-19 pandemic.
How is the collection and use of my personal information regulated?
The collection, use and disclosure of information other than health information may be protected in some circumstances. Under the Privacy Act, agencies and organisations are required to comply with the Australian Privacy Principles (APPs),14 which protect the use of personal information. Personal information is intentionally defined broadly to include information or opinions about identified individuals, whether true or not.15 As well as health information, this includes other sensitive information such as information about a person’s criminal history, sexual orientation or religious beliefs. Personal information also includes credit information, employee information and tax file number information.16 Generally, personal information may only be disclosed for the purpose or purposes for which consent has been granted or otherwise for the purpose for which the information was lawfully collected.
The APPs apply to most government agencies and some private sector organisations.17 The APPs require that relevant agencies and organisations:
- Manage personal information in an open and transparent way;
- Take reasonable steps and implement practices, procedures and systems to ensure compliance with the Privacy Principles;
- Have in place and make freely available a policy dealing with the management of personal information;
- Unless required or authorised by law, give individuals the option of not identifying themselves;
- Must not collect personal information (other than sensitive information) unless it is reasonably necessary for or directly related to the entity’s functions or activities;
- Subject to the exceptions discussed above, must not collect sensitive information without consent of the individual;
- If required or authorised to do so, must only collect personal information by lawful and fair means;
- Notify individuals about the collection of personal information and provide them with a collection statement setting out matters such as why the personal information was collected and how the individual can access their information;
- If an entity holds personal information for a particular purpose, must not use or disclose the information for another purpose without consent;
- Take reasonable steps to ensure that personal information which has been collected is accurate, up-to-date and complete; and
- Take reasonable steps to prevent the misuse of personal information or unauthorised access to the personal information.
Special provision is also made for the collection, use and disclosure of personal information in emergencies and disasters.18 Although an emergency declaration under the Privacy Act has not been made in response to the COVID-19 outbreak, the Australian Government did make such a declaration in response to the 2019-20 Australian bushfires.19 Such declarations, which are reserved for events of national significance,20 allow relevant agencies and organisations to exchange information for purposes that would otherwise be prohibited and to use personal information for purposes such as identifying people who may be deceased or missing and assisting law enforcement to respond to the emergency.
Can my travel history be disclosed?
Relevantly, travel information (contained in “movement records”) such as a traveller’s name, date of birth, gender, nationality, departure and arrival date, flight number and port code is also regulated by both the Privacy Act and the Migration Act 1958 (Cth). It is an offence punishable by imprisonment of up to two years to read, examine, reproduce, use or disclose any part of a movement record unless you are an officer authorised by the Minister for Immigration, Citizenship, Migrant Services and Multicultural Affairs.21
What if one of my employees or someone I work with has contracted COVID-19?
Naturally, if an employee of an organisation has contracted or has potentially contracted COVID-19, it would be in the best interests of their work colleagues to be provided with this information. However, employers must still comply with their privacy obligations under Australian legislation.
The Office of the Australian Information Commissioner (OAIC) has made clear that the Privacy Act will not stop critical information sharing during the COVID-19 outbreak.22 Employers must therefore strike a balance between the need to maintain a safe workplace and the need to handle personal information legally and appropriately. The OAIC has recommended that the collection, use and disclosure of personal information be limited to only what is necessary to prevent or manage the COVID-19 outbreak. However, employers must still ensure that reasonable steps are taken to ensure that the personal information they collect is secure. For example, the OAIC has suggested that in some cases it may not be necessary to disclose an affected employee’s name to persons who have not been in contact with the affected employee or who work in a different office. Additionally, although the Privacy Act does not prevent employees from working remotely, employers must still comply with the APPs. It is suggested that workplaces whose staff are working remotely implement additional cyber security measures to prevent the unauthorised use and disclosure of personal information, such as ensuring that all devices used by employees are regularly updated, have strong passwords and are kept in safe and secure locations.
1. Elvira Pollina and Douglas Busvine, ‘European mobile operators share data for coronavirus fight’ Reuters (online, 19 March 2020) https://www.reuters.com/article/us-health-coronavirus-europe-telecoms/european-mobile-operators-share-data-for-coronavirus-fight-idUSKBN2152C2.
2. Natasha Singer and Choe Sang-Hun, ‘As Coronavirus Surveillance Escalates, Personal Privacy Plummets’ The New York Times (online, 23 March 2020) https://www.nytimes.com/2020/03/23/technology/coronavirus-surveillance-tracking-privacy.html.
3. Surveillance Devices Act 2007 (NSW); Surveillance Devices Act 2007 (NT); Surveillance Devices Act 2016 (SA); Surveillance Devices Act 1999 (Vic); Surveillance Devices Act 1998 (WA); Listening Devices Act 1992 (ACT); Invasion of Privacy Act 1971 (Qld); Listening Devices Act 1991 (Tas); and Police Offences Act 1935 (Tas).
4. Telecommunications (Interception and Access) Act 1979 (Cth) Pt 5-1A.
5. Telecommunications Act 1997 (Cth) Pt 13.
6. Biosecurity Act 2015 (Cth) s 475.
7. Biosecurity Act 2015 (Cth) s 477.
8. Health Records and Information Privacy Act 2002 (NSW); Health Records Act 2001 (Vic); Health Records (Privacy and Access) Act 1997 (ACT).
9. Privacy Act 1988 (Cth) s 16FA.
10. Privacy Act 1988 (Cth) s 16B(1)-(2).
11. Privacy Act 1988 (Cth) s 16B(3).
12. Privacy Act 1988 (Cth) s 16B(4).
13. Privacy Act 1988 (Cth) s 16B(5).
14. Privacy Act 1988 (Cth) s 15.
15. Privacy Act 1988 (Cth) s 6(1).
16. Privacy Act 1988 (Cth) s 6(1).
17. Entities to whom the APPs apply are called “APP entities”. Under section 6(1) of the Privacy Act 1988 (Cth), APP entities are ministers, government departments and organisations. An “organisation” for the purpose of the Privacy Act means an individual, a body corporate, a partnership, an unincorporated association or a trust that is not a small business operator, a registered political party, an agency, a State or Territory authority or a prescribed instrumentality of a State or Territory: see Privacy Act 1988 (Cth) s 6C.
18. Privacy Act 1988 (Cth) Pt VIA.
19. Privacy (Australian Bushfires Disaster) Emergency Declaration 2020 (Cth).
20. Privacy Act 1988 (Cth) s 80J.
21. Migration Act 1958 (Cth) s 488.
22. See Office of the Australian Information Commissioner, ‘Coronavirus (COVID-19): Understanding your privacy obligations to your staff’ (18 March 2020) https://www.oaic.gov.au/privacy/guidance-and-advice/coronavirus-covid-19-understanding-your-privacy-obligations-to-your-staff/.
Liability limited by a scheme approved under Professional Standards Legislation.
© ADDISONS. No part of this document may in any form or by any means be reproduced, stored in a retrieval system or transmitted without prior written consent. This document is for general information only and cannot be relied upon as legal advice.