Privacy 5 Minute Fix 02
OAIC to release findings from audit of COVID-19 contact tracing app
The OAIC has been investigating how the COVIDSafe app handles personal information and will soon detail its findings. The OAIC's investigations focus on the whole information lifecycle of the app data, from notification, collection and storage, to access and deletion. In May 2020, new Part VIIIA was inserted into the Privacy Act to protect COVIDSafe app data, including limiting the purpose for which data can be collected, used or disclosed, requiring data to be stored in Australia and prescribing penalties for breach. Information collected by the COVIDSafe app is also protected under the Biosecurity Act.
A key protection is that the information collected or generated through the operation of the COVIDSafe app can only be used for four main reasons:
- by a person employed or in the service of a state or territory health authority for contact tracing purposes
- by the National COVIDSafe Data Store administrator to enable contact tracing, ensure the proper functioning of the COVIDSafe app or data store, to delete registration data on request and to produce de-identified statistics on number of app registrations;
- by the OAIC to assess compliance with the Privacy Act; and
- by the police or director of public prosecutions to investigate and prosecute alleged breaches of the Privacy Act in relation to handling of COVID app data.
This is more restrictive than protections that apply to other personal information collected by Agencies and also more restrictive than the similar bespoke restrictions that were legislated in response to public criticism of the My Health Record system.
As part of its current investigations, OAIC is examining:
- Access controls applied to the National COVIDSafe Data Store by the Data Store Administrator,
- Access controls applied to the use of COVID app data by state or territory health authorities,
- Functionality of the COVIDSafe app against specified privacy protections set out under the COVIDSafe privacy policy and collection notices,
- Compliance of the Data Store Administrator with data handling and deletion requirements,
- The compliance of the Data Store Administrator with the deletion and notification requirements which relate to the end of the pandemic.
The Australian Information Commissioner will report every six months on the performance of her powers in relation to Part VIIIA of the Privacy Act.
South Australian Government to introduce new QR code contact tracing system
On 1 December 2020, the South Australian government will introduce a contact tracing function to the existing mySA GOV application. Currently, the app provides access to South Australian Government services, including completing transactions and accessing information on vehicle registration and licences, along with digitising government-issued passes and licences.
The new contract tracing function, COVID SAfe Check-In, will allow South Australians to scan a business's QR code to register their presence at the business. The application collects limited personal information which will be kept for 28 days and only released to SA Health for official contact tracing purposes. South Australian Premier Stephen Marshall explained that a government-run QR-code system was preferred as it would allow the government to verify individuals' identities. This addresses the problems other countries have faced of people registering fake names and numbers. However, concerns have been raised about whether this personal information can be accessed for reasons other than contract tracing, such as law enforcement.
Australia spends to set up "Quad tech network"
Australia will spend $500,000 setting up a network focused on cybersecurity and sensitive technology issues in collaboration with the "Quad" democracies, which is comprised of Australia, the US, Japan and India. The network will focus on protecting 5G networks and preventing misuse of artificial intelligence. DFAT is providing a $497,000 grant to the Australian National University to set up a 'Quad tech network', encouraging research focused on 'cyber and critical technology issues that reflect Australia's interests as a liberal democracy committed to the international rules-based order'. The ANU's national security college will work on the project with other partner research centres in India, the US and Japan. The research centres are expected to publish four research papers and engage in video teleconferences with DFAT.
Is a name Personal Information?
Chief Executive Officer, Services Australia and Justin Warren [2020] AATA 4557 The AAT has ruled that the names and telephone numbers of APS employees working on programs relating to "Robodebt" are exempt from FOI requests.
Mr Warren (the Respondent) made a request under the Freedom of Information Act 1982 (FOI Act) for information relating to Robodebt. At first instance Services Australia refused access to the documents. On review the Information Commissioner ordered the documents be disclosed.
The Agency sought review before the Tribunal, and contended that the names and telephone numbers of certain staff were exempt under section 47F of the FOI Act on the basis that disclosure of personal information would be unreasonable and contrary to public interest.
The Commissioner's decision was set aside by the AAT who agreed with the Agency and held that the documents are exempt from disclosure where they reveal the names of Agency employees.
Is a name personal information?
Typically the nature of personal information will vary depending on the context in which information appears, with a critical factor being the ability of the information to identify an individual. A name is something that would usually constitute personal information, unless is was completely removed from any other context that identified an individual, for example if random names were allocated to data without the ability to trace them to an actual individual.
In this case the Tribunal considered the question of whether a name is "personal information", as defined in the FOI Act. The Tribunal noted while there may be more than one person bearing the same name, this does not reduce the name as a means of identifying an individual, and it is therefore personal information under the FOI Act.
Does conditional exemption in section 47F apply to officers of an agency?
Section 47F states that a document is conditionally exempt if its disclosure under the FOI Act would involve unreasonable disclosure of personal information about any person. The Tribunal accepted that APS employees and Agency employees had been targeted on social media and had received threats directed at named officers. The Tribunal also noted that there was a likelihood of further threats to staff if their personal information was disclosed. Having regard to the fact that information can broadly disseminate online, the Tribunal found that publishing Agency employee names was found to be an unreasonable disclosure.
Would access to conditionally exempt documents be contrary to the public interest?
Ultimately, the Tribunal found that while there is a clear public interest in the substantive elements of the documents, any public interest in transparency and accountability is outweighed by:
- the public interest in not having personal information unreasonably disclosed;
- the Agency's responsibilities under the Workplace Health and Safety Act; and
- the national interest ensuring the APS upholds the Commonwealth's system of responsible government.
New Zealand's new privacy legislation
New Zealand's new Privacy Act 2020 came into force on 1 December, replacing the previous 1993 Act. The new Act makes it compulsory for organisations to immediately report data breaches where they believe it has caused, or is likely to cause, serious harm. This is similar to the notifiable data breach scheme in Australia. The Privacy Commissioner can also issue compliance notices to require an organisation to do, or cease doing, something, with penalties for non-compliance. The Act will also strengthen protection of personal information sent overseas, expands the extraterritorial application of New Zealand's privacy laws and introduces criminal offences relating to misleading agencies in a way that affects another's personal information or for destroying personal information when a request had been made for it. The New Zealand Ministry of Justice has listed its key initiatives for the new Act.
These changes further maintain New Zealand's capacity to exchange information with the EU. The GDPR allows the transfer of personal data between the EU and other countries only if adequate data protection can be guaranteed. New Zealand is recognised by the EU as providing adequate protection, though Australia has not yet received this recognition.
Recent Clayton Utz articles
Privacy 5 Minute Fix 01 This issue: Review of the Privacy Act; NIST Cybersecurity report proposes risk register; another ransomware attack; Data Availability and Transparency Bill 2020 exposure draft; OAIC annual report; latest EU privacy decision.
Digital is forever, but time limits are not: the ins and outs of digital publication in defamation cases Prospective defamation plaintiffs need to ensure that there is sufficient evidence to support their claims – particularly whether digital content has been accessed and downloaded within the limitation period.
Australian privacy law reforms – what you need to know The objective of the review is broad: to consider whether the scope of the Privacy Act and its enforcement mechanisms remain fit for purpose.
Webinar: Cyber Attacks and Crisis Management This is the second webinar aimed at the Higher Education sector. In this webinar, our Cyber Response and Legal Specialists from the Forensic & Technology Services (FTS) and IP & Technology teams perform a hypothetical cyber-attack against a university based on real world scenarios.
Australian privacy law reforms: insights from the OAIC's submissions The OAIC broadly supports the Federal Government's proposed review of the Privacy Act.