To protect individuals from being required to download or use the COVIDSafe app, the Australian Government intends to introduce draft legislation with the Privacy Amendment (Public Health Contract Information) Bill 2020 (the Bill). The Bill aims to “enshrine the determination’s privacy protections in primary legislation.” The ‘exposure draft’ of the Bill proposes an amendment to the Privacy Act 1988 (Privacy Act), including protections from the Determination as well as an additional suite of data protections. As the Bill is currently an exposure draft, there is a chance that it may be amended prior to it being passed by Parliament.
Background to the proposed legislation
To support the fight against COVID-19, the Federal Government has released the ‘COVIDSafe app’ available for voluntary download on the Android and IOS mobile platforms (the App). See our earlier summary of the App and contract tracing here.
To manage privacy concerns, the Minister for Health; Greg Hunt issued a Determination under the Biosecurity Act (the Determination). Under the Determination, data from the App can only be used to support State and Territory Health authorities’ with their contact tracing efforts, and only to the extent required to do so. The Determination also contained a range of protections, including a requirement for a ‘COVIDSafe user’ to consent before their data can be uploaded to the National COVIDSafe Data Store, and creating the offence of retaining app data on databases outside of Australia. Other offences include unauthorised disclosure, a prohibition on data decryption and an offence of ‘coercing the use of COVIDSafe’.
This prohibition on coercing the use of the App is found in clause 9 of the Determination. It is an offence for a person to require another person to download, have or consent to uploading their COVID app data to the National COVIDSafe Data Store. Essentially, the clause is designed to protect the entirely voluntary nature of the App and prevents individuals and employers from forcing employees or prospective employees to have the App as a precondition of their employment. The prohibition also extends to businesses who may wish to refuse entry, or deny providing/receiving goods and services to others who may not be using the App.
Relevance for employers
From an employment perspective, s 94H of the exposure draft is likely to be the most significant for employers. The section mirrors clause 9 of the Biosecurity Act determination, but goes further and creates a criminal offence, and or a breach of the Privacy Act if a person requires another person to download/activate/consent to the terms of the App.
The section also creates an offence if a person refuses to enter into, or continue a contract or arrangement with another person (including contracts of employment) or takes adverse action against another person based on that person not downloading/activating/consenting to the App .
Under the new section, an employer may be considered to have taken adverse action (under the Fair Work Act 2009) if they dismiss or discriminate between employees or prospective employees who do and do not have the App.
It will also be an offence to refuse entry into premises that would otherwise be accessible to the public, or that a person has a right to enter on the basis that a person has not downloaded/activated/consented to using the App.
Finally, employers are prohibited from refusing another person to participate in activities or refusing to receive/provide goods or services to others on the grounds that they have not downloaded/activated/consented to the App.
Other matters dealt with by the Bill
The Bill proposes the national privacy regulator; the Office of the Australian Information Commissioner (the OAIC), will have oversight of the COVIDSafe app, and will be given responsibility for managing complaints and conducting data security assessments. In addition, the Privacy Act’s ‘Notifiable Data Breaches’ regime will be extended to include breaches of COVIDSafe data. Amongst other additional protections, the Bill will prohibit the collection of data from individuals who have deleted the app and sets a process for COVIDSafe data to be deleted after the pandemic has passed.