PRIVACY AMENDMENT (PUBLIC HEALTH CONTACT INFORMATION) BILL 2020
This is a Bill, not an Act. For current law, see the Acts databases.
PRIVACY AMENDMENT (PUBLIC HEALTH CONTACT INFORMATION) BILL 2020
2019-2020
The Parliament of the
Commonwealth of Australia
HOUSE OF REPRESENTATIVES
Presented and read a first time
Privacy Amendment (Public Health
Contact Information) Bill 2020
No. , 2020
(Attorney-General)
A Bill for an Act to amend the
Privacy Act 1988
,
and for related purposes
No. , 2020
Privacy Amendment (Public Health Contact Information) Bill 2020
i
Contents
1
Short title ........................................................................................... 1
2
Commencement ................................................................................. 1
3
Schedules ........................................................................................... 2
Schedule 1--Amendments
3
Privacy Act 1988
3
Schedule 2--Repeals
24
Biosecurity (Human Biosecurity Emergency) (Human Coronavirus
with Pandemic Potential) (Emergency Requirements--Public Health
Contact Information) Determination 2020
24
Privacy Act 1988
24
No. , 2020
Privacy Amendment (Public Health Contact Information) Bill 2020
1
A Bill for an Act to amend the
Privacy Act 1988
,
1
and for related purposes
2
The Parliament of Australia enacts:
3
1 Short title
4
This Act is the
Privacy Amendment (Public Health Contact
5
Information) Act 2020
.
6
2 Commencement
7
(1) Each provision of this Act specified in column 1 of the table
8
commences, or is taken to have commenced, in accordance with
9
column 2 of the table. Any other statement in column 2 has effect
10
according to its terms.
11
12
2
Privacy Amendment (Public Health Contact Information) Bill 2020
No. , 2020
Commencement information
Column 1
Column 2
Column 3
Provisions
Commencement
Date/Details
1. Sections 1 to 3
and anything in
this Act not
elsewhere covered
by this table
The day this Act receives the Royal Assent.
2. Schedule 1
The day after this Act receives the Royal
Assent.
3. Schedule 2,
item 1
The day after this Act receives the Royal
Assent.
4. Schedule 2,
items 2 to 4
At the end of 90 days after the day
determined under subsection 94Y(1) of the
Privacy Act 1988
as amended by this Act.
Note:
This table relates only to the provisions of this Act as originally
1
enacted. It will not be amended to deal with any later amendments of
2
this Act.
3
(2) Any information in column 3 of the table is not part of this Act.
4
Information may be inserted in this column, or information in it
5
may be edited, in any published version of this Act.
6
3 Schedules
7
Legislation that is specified in a Schedule to this Act is amended or
8
repealed as set out in the applicable items in the Schedule
9
concerned, and any other item in a Schedule to this Act has effect
10
according to its terms.
11
Amendments
Schedule 1
No. , 2020
Privacy Amendment (Public Health Contact Information) Bill 2020
3
Schedule 1--Amendments
1
2
Privacy Act 1988
3
1 Subsection 6(1)
4
Insert:
5
communication device
means an item of customer equipment
6
(within the meaning of the
Telecommunications Act 1997
).
7
contact tracing
has the meaning given by subsection 94D(6).
8
COVID app data
has the meaning given by subsection 94D(5).
9
COVIDSafe
means an app that is made available or has been made
10
available (including before the commencement of this Part), by or
11
on behalf of the Commonwealth, for the purpose of facilitating
12
contact tracing.
13
COVIDSafe user
, in relation to a communication device, means
14
the person whose registration data was uploaded from the device
15
when the user was registered through COVIDSafe.
16
data store administrator
means:
17
(a) for the purposes of a provision of Part VIIIA specified in a
18
determination under section 94Z--the agency specified in
19
that determination (but not to the extent of any limitation in
20
that determination); or
21
(b) otherwise--the Health Department.
22
former COVIDSafe user
has the meaning given by subsection
23
94N(2).
24
Health Department
means the Department administered by the
25
Health Minister.
26
Health Minister
means the Minister administering the
National
27
Health Act 1953
.
28
in contact
: a person has been
in contact
with another person if the
29
operation of COVIDSafe in relation to the person indicates that the
30
person may have been in the proximity of the other person.
31
Schedule 1
Amendments
4
Privacy Amendment (Public Health Contact Information) Bill 2020
No. , 2020
National COVIDSafe Data Store
means the database administered
1
by or on behalf of the Commonwealth for the purpose of contact
2
tracing.
3
registration data
, of a person, means the information about the
4
person that was uploaded from a communication device when the
5
person was registered through COVIDSafe.
6
State or Territory health authority
means the State or Territory
7
authority responsible for the administration of health services in a
8
State or Territory.
9
State or Territory privacy authority
means a State or Territory
10
authority that has functions to protect the privacy of individuals
11
(whether or not the authority has other functions).
12
2 After Part VIII
13
Insert:
14
Part VIIIA--Public health contact information
15
Division 1--Preliminary
16
94A Simplified outline of this Part
17
There are several serious offences relating to COVID app data and
18
COVIDSafe. They deal with:
19
•
non-permitted collection, use or disclosure relating to COVID
20
app data; and
21
•
uploading COVID app data without consent; and
22
•
retaining or disclosing uploaded data outside Australia; and
23
•
decrypting encrypted COVID app data; and
24
•
requiring participation in relation to COVIDSafe.
25
Amendments
Schedule 1
No. , 2020
Privacy Amendment (Public Health Contact Information) Bill 2020
5
Other specific obligations relate to deletion of data and what is to
1
happen after the COVIDSafe data period has ended (as determined
2
by the Health Minister).
3
The general privacy law provided by this Act is applied to the
4
requirements of this Part, in particular by:
5
•
ensuring that COVID app data is taken to be personal
6
information and breaches of this Part are interferences with
7
privacy; and
8
•
enhancing the Commissioner's role in dealing with eligible
9
data breaches, making assessments and conducting
10
investigations in relation to this Part; and
11
•
enabling the Commissioner to refer matters to, and share
12
information or documents with, State or Territory privacy
13
authorities; and
14
•
providing for this Act to apply to State or Territory health
15
authorities in relation to COVID app data.
16
This Part imposes on State or Territory health authorities the Act's
17
rules and privacy protections, and Commonwealth oversight, in
18
relation to COVID app data, as Commonwealth property that those
19
authorities receive.
20
This Part also cancels the effect of Australian laws that are
21
inconsistent with the prohibitions in this Part.
22
94B Object of this Part
23
The object of this Part is to assist in preventing and controlling the
24
entry, emergence, establishment or spread of the coronavirus
25
known as COVID-19 into Australia or any part of Australia by
26
providing stronger privacy protections for COVID app data and
27
COVIDSafe users in order to:
28
(a) encourage public acceptance and uptake of COVIDSafe; and
29
(b) enable faster and more effective contact tracing.
30
Schedule 1
Amendments
6
Privacy Amendment (Public Health Contact Information) Bill 2020
No. , 2020
94C Constitutional basis of this Part
1
Principal constitutional basis
2
(1) This Part relies on the Commonwealth's legislative powers with
3
respect to matters that are peculiarly adapted to the government of
4
a nation and cannot otherwise be carried on for the benefit of the
5
nation.
6
Additional operation of this Part
7
(2) In addition to subsection (1), this Part also has effect as provided
8
by subsections (3) to (5).
9
(3) This Part also has effect as if a reference in this Part to COVID app
10
data were expressly confined to a reference to COVID app data
11
that was collected or generated for the purposes of quarantine
12
(within the meaning of paragraph 51(ix) of the Constitution).
13
(4) This Part also has effect as if a reference in this Part to COVID app
14
data were expressly confined to a reference to COVID app data
15
that was collected or generated using a service of a kind to which
16
paragraph 51(v) of the Constitution applies (postal, telegraphic,
17
telephonic and other like services).
18
(5) This Part also has effect as if it were expressly confined to giving
19
effect to Australia's obligations under the International Covenant
20
on Civil and Political Rights done at New York on 16 December
21
1966 ([1980] ATS 23), and in particular Article 17 of the
22
Covenant, in relation to COVID app data.
23
Note:
The Covenant is set out in Australian Treaty Series 1980 No. 23
24
([1980] ATS 23) and could in 2020 be viewed in the Australian
25
Treaties Library on the AustLII website (www.austlii.edu.au).
26
Division 2--Offences relating to COVID app data and
27
COVIDSafe
28
94D Collection, use or disclosure of COVID app data
29
(1) A person commits an offence if:
30
(a) the person collects, uses or discloses data; and
31
(b) the data is COVID app data; and
32
Amendments
Schedule 1
No. , 2020
Privacy Amendment (Public Health Contact Information) Bill 2020
7
(c) the collection, use or disclosure is not permitted under this
1
section.
2
Penalty: Imprisonment for 5 years or 300 penalty units, or both.
3
(2) The collection, use or disclosure is permitted if:
4
(a) the person is employed by, or in the service of, a State or
5
Territory health authority, and the collection, use or
6
disclosure is for the purpose of, and only to the extent
7
required for the purpose of, undertaking contact tracing; or
8
(b) the person is:
9
(i) an officer or employee of the data store administrator;
10
or
11
(ii) a contracted service provider for a government contract
12
with the data store administrator;
13
and the collection, use or disclosure is for the purpose of, and
14
only to the extent required for the purpose of:
15
(iii) enabling contact tracing by persons employed by, or in
16
the service of, State or Territory health authorities; or
17
(iv) ensuring the proper functioning, integrity or security of
18
COVIDSafe or of the National COVIDSafe Data Store;
19
or
20
(c) in the case of a collection or disclosure of COVID app data--
21
the collection or disclosure is for the purpose of, and only to
22
the extent required for the purpose of:
23
(i) transferring encrypted data between communication
24
devices through COVIDSafe; or
25
(ii) transferring encrypted data, through COVIDSafe, from
26
a communication device to the National COVIDSafe
27
Data Store; or
28
(d) the collection, use or disclosure is for the purpose of, and
29
only to the extent required for the purpose of, the
30
Commissioner performing the functions or exercising the
31
powers of the Commissioner under or in relation to this Part;
32
or
33
(e) the collection, use or disclosure is for the purpose of, and
34
only to the extent required for the purpose of:
35
(i) investigating whether this Part has been contravened; or
36
(ii) prosecuting a person for an offence against this Part; or
37
Schedule 1
Amendments
8
Privacy Amendment (Public Health Contact Information) Bill 2020
No. , 2020
(f) in the case of a use of COVID app data by the data store
1
administrator--the use is for the purpose of, and only to the
2
extent required for the purpose of, producing de-identified
3
statistical information about the total number of registrations
4
through COVIDSafe; or
5
(g) in the case of a use of COVID app data that the data store
6
administrator is required by section 94L to delete--the use
7
consists of access by the data store administrator for the
8
purpose of, and only to the extent required for the purpose of,
9
confirming that the correct data is being deleted.
10
(3) Subsection (1) does not apply to the collection of COVID app data
11
if:
12
(a) the collection of the COVID app data:
13
(i) occurs as part of the collection, at the same time, of data
14
that is not COVID app data (
non-COVID app data
);
15
and
16
(ii) is incidental to the collection of the non-COVID app
17
data; and
18
(b) the collection of the non-COVID app data is permitted under
19
an Australian law; and
20
(c) the COVID app data:
21
(i) is deleted as soon as practicable after the person
22
becomes aware that it had been collected; and
23
(ii) is not otherwise accessed, used or disclosed by the
24
person after it was collected.
25
Note:
A defendant bears an evidential burden in relation to the matters in
26
this subsection: see subsection 13.3(3) of the
Criminal Code
.
27
(4) The admissibility of the non-COVID app data as evidence in any
28
proceedings is not affected by the incidental collection of the
29
COVID app data, or by the subsequent deletion of the COVID app
30
data as required by subparagraph (3)(c)(i).
31
(5)
COVID app data
is data relating to a person that:
32
(a) has been collected or generated (including before the
33
commencement of this Part) through the operation of
34
COVIDSafe; and
35
(b) either:
36
(i) is registration data; or
37
Amendments
Schedule 1
No. , 2020
Privacy Amendment (Public Health Contact Information) Bill 2020
9
(ii) is stored, or has been stored (including before the
1
commencement of this Part), on a communication
2
device.
3
However, it does not include:
4
(c) information obtained, from a source other than directly from
5
the National COVIDSafe Data Store, in the course of
6
undertaking contact tracing by a person employed by, or in
7
the service of, a State or Territory health authority; or
8
(d) de-identified statistical information about the total number of
9
registrations through COVIDSafe that is produced by:
10
(i) an officer or employee of the data store administrator;
11
or
12
(ii) a contracted service provider for a government contract
13
with the data store administrator.
14
(6)
Contact tracing
is the process of identifying persons who have
15
been in contact with a person who has tested positive for the
16
coronavirus known as COVID-19, and includes:
17
(a) notifying a person that the person has been in contact with a
18
person who has tested positive for the coronavirus known as
19
COVID-19; and
20
(b) notifying a person who is a parent, guardian or carer of
21
another person that the other person has been in contact with
22
a person who has tested positive for the coronavirus known
23
as COVID-19; and
24
(c) providing information and advice to a person who:
25
(i) has tested positive for the coronavirus known as
26
COVID-19; or
27
(ii) is a parent, guardian or carer of another person who has
28
tested positive for the coronavirus known as
29
COVID-19; or
30
(iii) has been in contact with a person who has tested
31
positive for the coronavirus known as COVID-19; or
32
(iv) is a parent, guardian or carer of another person who has
33
been in contact with a person who has tested positive for
34
the coronavirus known as COVID-19.
35
Schedule 1
Amendments
10
Privacy Amendment (Public Health Contact Information) Bill 2020
No. , 2020
94E COVID app data on communication devices
1
A person commits an offence if:
2
(a) the person uploads, or causes to be uploaded, data from a
3
communication device to the National COVIDSafe Data
4
Store; and
5
(b) the data is COVID app data; and
6
(c) consent to the upload has not been given by:
7
(i) the COVIDSafe user in relation to that device; or
8
(ii) if the COVIDSafe user is unable to give consent--a
9
parent, guardian or carer of the COVIDSafe user; or
10
(iii) if the COVIDSafe user has requested a parent, guardian
11
or carer of the COVIDSafe user to act on the
12
COVIDSafe user's behalf--that parent, guardian or
13
carer.
14
Penalty: Imprisonment for 5 years or 300 penalty units, or both.
15
94F COVID app data in the National COVIDSafe Data Store
16
(1) A person commits an offence if:
17
(a) the person retains data on a database outside Australia; and
18
(b) the data is COVID app data that has been uploaded from a
19
communication device to the National COVIDSafe Data
20
Store.
21
Penalty: Imprisonment for 5 years or 300 penalty units, or both.
22
(2) A person commits an offence if:
23
(a) the person discloses data to another person who is outside
24
Australia; and
25
(b) the data is COVID app data that has been uploaded from a
26
communication device to the National COVIDSafe Data
27
Store; and
28
(c) the person is not a person who:
29
(i) is employed by, or in the service of, a State or Territory
30
health authority; and
31
(ii) discloses the data for the purpose of, and only to the
32
extent required for the purpose of, undertaking contact
33
tracing.
34
Amendments
Schedule 1
No. , 2020
Privacy Amendment (Public Health Contact Information) Bill 2020
11
Penalty: Imprisonment for 5 years or 300 penalty units, or both.
1
94G Decrypting COVID app data
2
A person commits an offence if:
3
(a) the person decrypts encrypted data; and
4
(b) the data is COVID app data that is stored on a
5
communication device.
6
Penalty: Imprisonment for 5 years or 300 penalty units, or both.
7
94H Requiring the use of COVIDSafe
8
(1) A person commits an offence if the person requires another person
9
to:
10
(a) download COVIDSafe to a communication device; or
11
(b) have COVIDSafe in operation on a communication device;
12
or
13
(c) consent to uploading COVID app data from a communication
14
device to the National COVIDSafe Data Store.
15
Penalty: Imprisonment for 5 years or 300 penalty units, or both.
16
(2) A person commits an offence if the person:
17
(a) refuses to enter into, or continue, a contract or arrangement
18
with another person (including a contract of employment); or
19
(b) takes adverse action (within the meaning of the
Fair Work
20
Act 2009
) against another person; or
21
(c) refuses to allow another person to enter:
22
(i) premises that are otherwise accessible to the public; or
23
(ii) premises that the other person has a right to enter; or
24
(d) refuses to allow another person to participate in an activity;
25
or
26
(e) refuses to receive goods or services from another person, or
27
insists on providing less monetary consideration for the
28
goods or services; or
29
(f) refuses to provide goods or services to another person, or
30
insists on receiving more monetary consideration for the
31
goods or services;
32
Schedule 1
Amendments
12
Privacy Amendment (Public Health Contact Information) Bill 2020
No. , 2020
on the ground that, or on grounds that include the ground that, the
1
other person:
2
(g) has not downloaded COVIDSafe to a communication device;
3
or
4
(h) does not have COVIDSafe in operation on a communication
5
device; or
6
(i) has not consented to uploading COVID app data from a
7
communication device to the National COVIDSafe Data
8
Store.
9
Penalty: Imprisonment for 5 years or 300 penalty units, or both.
10
(3) To avoid doubt:
11
(a) subsection (2) is a workplace law for the purposes of the
Fair
12
Work Act 2009
; and
13
(b) the benefit that the other person derives because of an
14
obligation of the person under subsection (2) is a workplace
15
right within the meaning of Part 3-1 of that Act.
16
94J Extended geographical jurisdiction for offences
17
Section 15.1 (extended geographical jurisdiction--category A) of
18
the
Criminal Code
applies to all offences against this Division.
19
Division 3--Other obligations relating to COVID app data
20
and COVIDSafe
21
94K COVID app data not to be retained
22
The data store administrator must take all reasonable steps to
23
ensure that COVID app data is not retained on a communication
24
device:
25
(a) for more than 21 days; or
26
(b) in any case in which it is not possible to comply with
27
paragraph (a) within 21 days--for longer than the shortest
28
practicable period.
29
Amendments
Schedule 1
No. , 2020
Privacy Amendment (Public Health Contact Information) Bill 2020
13
94L Deletion of registration data on request
1
(1) If the COVIDSafe user or former COVIDSafe user in relation to a
2
communication device, or a parent, guardian or carer of that
3
person, requests the data store administrator to delete any
4
registration data of the person that has been uploaded from the
5
device to the National COVIDSafe Data Store, the data store
6
administrator:
7
(a) must take all reasonable steps to delete the data from the
8
National COVIDSafe Data Store as soon as practicable; and
9
(b) if it is not practicable to delete the data immediately--must
10
not use or disclose the data for any purpose.
11
(2) A request under subsection (1) may only be made by a parent,
12
guardian or carer of the COVIDSafe user if:
13
(a) the COVIDSafe user is unable to make a request under
14
subsection (1); or
15
(b) the COVIDSafe user has requested that parent, guardian or
16
carer to act on the COVIDSafe user's behalf.
17
(3) Subsection (1) does not:
18
(a) prevent the data store administrator from accessing data for
19
the purpose of, and only to the extent required for the
20
purpose of, confirming that the correct data is being deleted;
21
or
22
(b) require the data store administrator to delete from the
23
National COVIDSafe Data Store data relating to the person
24
that:
25
(i) was uploaded from another communication device in
26
relation to which another person is a COVIDSafe user;
27
and
28
(ii) was collected through the other device interacting with
29
the device mentioned in subsection (1).
30
(4) This section does not apply to data that is de-identified.
31
94M Deletion of data received in error
32
A person who receives COVID app data in error must, as soon as
33
practicable:
34
Schedule 1
Amendments
14
Privacy Amendment (Public Health Contact Information) Bill 2020
No. , 2020
(a) delete the data; and
1
(b) notify the data store administrator that the person received
2
the data.
3
94N Effect of deletion of COVIDSafe from a communication device
4
(1) The data store administrator must not collect from a person,
5
through a particular communication device, COVID app data
6
relating to the person if the person is a former COVIDSafe user in
7
relation to that device.
8
(2) A person is a
former COVIDSafe user
, in relation to a
9
communication device, at a particular time if:
10
(a) COVIDSafe has been deleted from the device in relation to
11
which the person was the COVIDSafe user; and
12
(b) after COVIDSafe was last deleted from that device--
13
COVIDSafe has not been downloaded to that device.
14
94P Obligations after the end of the COVIDSafe data period
15
(1) After the end of the day determined under subsection 94Y(1), the
16
data store administrator must not:
17
(a) collect any COVID app data; or
18
(b) make COVIDSafe available to be downloaded.
19
(2) As soon as reasonably practicable after the end of the day
20
determined under subsection 94Y(1), the data store administrator
21
must delete all COVID app data from the National COVIDSafe
22
Data Store.
23
(3) As soon as reasonably practicable after the deletion, the data store
24
administrator must:
25
(a) inform the Health Minister and the Commissioner that all
26
COVID app data has been deleted from the National
27
COVIDSafe Data Store; and
28
(b) take all reasonable steps to inform all COVIDSafe users
29
(other than former COVIDSafe users) in relation to
30
communication devices that:
31
(i) all COVID app data has been deleted from the National
32
COVIDSafe Data Store; and
33
Amendments
Schedule 1
No. , 2020
Privacy Amendment (Public Health Contact Information) Bill 2020
15
(ii) COVID app data can no longer be collected; and
1
(iii) they should delete COVIDSafe from their
2
communication devices.
3
Division 4--Application of general privacy measures
4
94Q COVID app data is taken to be personal information
5
COVID app data relating to an individual is taken, for the purposes
6
of this Act, to be personal information about the individual.
7
94R Breach of requirement is an interference with privacy
8
(1) An act or practice in breach of a requirement of this Part in relation
9
to an individual constitutes an act or practice involving an
10
interference with the privacy of the individual for the purposes of
11
section 13.
12
Note:
The act or practice may be the subject of a complaint under section 36.
13
(2) Subsections 7(1A) and (1B) do not limit what is taken to be an act
14
or practice for the purposes of subsection (1) of this section, or for
15
the purposes of the application of this Act in relation to an
16
interference with the privacy of an individual involving a breach of
17
a requirement of this Part.
18
94S Breach of requirement may be treated as an eligible data breach
19
(1) For the purposes of this Act, if:
20
(a) the data store administrator; or
21
(b) an officer or employee of the data store administrator; or
22
(c) a contracted service provider for a government contract with
23
the data store administrator;
24
breaches a requirement of this Part in relation to COVID app data:
25
(d) the breach is taken to be an eligible data breach by the data
26
store administrator; and
27
(e) an individual to whom the data relates is taken to be at risk
28
from the eligible data breach.
29
(2) For the purposes of this Act, if:
30
(a) a State or Territory health authority; or
31
Schedule 1
Amendments
16
Privacy Amendment (Public Health Contact Information) Bill 2020
No. , 2020
(b) person employed by, or in the service of, the State or
1
Territory health authority;
2
breaches a requirement of this Part in relation to COVID app data:
3
(c) the breach is taken to be an eligible data breach by the State
4
or Territory health authority; and
5
(d) an individual to whom the data relates is taken to be at risk
6
from the eligible data breach.
7
(3) Part IIIC applies in relation to such a breach as if:
8
(a) subsection 26WE(3) and sections 26WF, 26WH and 26WJ
9
did not apply in relation to the breach; and
10
(b) Subdivision B of Division 3 of that Part:
11
(i) required the data store administrator, or State or
12
Territory health authority, to notify the Commissioner
13
that there were reasonable grounds to believe that there
14
had been an eligible data breach; and
15
(ii) only required compliance with sections 26WK and
16
26WL in relation to the breach if the Commissioner
17
required the administrator or authority so to comply;
18
and
19
(c) sections 26WN, 26WP, 26WQ, 26WS and 26WT did not
20
apply in relation to the breach.
21
(4) Without limiting the circumstances in which the Commissioner
22
may, under subparagraph (3)(b)(ii), require the administrator or
23
authority so to comply, the Commissioner must so require if:
24
(a) the Commissioner is satisfied that the breach may be likely to
25
result in serious harm to any of the individuals to whom the
26
information relates; and
27
(b) subsection (5) does not apply.
28
(5) The Commissioner may decide not to require compliance, or to
29
allow an extended period for compliance, if the Commissioner is
30
satisfied on reasonable grounds that requiring compliance, or
31
requiring compliance within the ordinary period for compliance,
32
would not be reasonable in the circumstances, having regard to the
33
following:
34
(a) the public interest;
35
(b) any relevant advice given to the Commissioner by:
36
(i) an enforcement body; or
37
Amendments
Schedule 1
No. , 2020
Privacy Amendment (Public Health Contact Information) Bill 2020
17
(ii) the Australian Signals Directorate;
1
(c) such other matters (if any) as the Commissioner considers
2
relevant.
3
(6) Paragraph (5)(b) does not limit the advice to which the
4
Commissioner may have regard.
5
94T Commissioner may conduct an assessment relating to COVID
6
app data
7
(1) The Commissioner's power under section 33C to conduct an
8
assessment includes the power to conduct an assessment of
9
whether the acts or practices of an entity or a State or Territory
10
authority in relation to COVID app data comply with this Part.
11
(2) Without limiting subsection 33C(2), if:
12
(a) the Commissioner is conducting under that subsection an
13
assessment of a matter of a kind mentioned in subsection (1)
14
of this section; and
15
(b) the Commissioner has reason to believe that an entity or a
16
State or Territory authority being assessed has information or
17
a document relevant to the assessment;
18
the Commissioner may, by written notice, require the entity or
19
authority to give the information or produce the document within
20
the period specified in the notice, which must not be less than 14
21
days after the notice is given to the entity or authority.
22
Note:
For a failure to give information etc., see section 66.
23
94U Investigation under section 40 to cease if COVID data offence
24
may have been committed
25
(1) This section applies if, in the course of an investigation under
26
section 40, the Commissioner forms the opinion that:
27
(a) an offence against Division 2 of this Part; or
28
(b) an offence against section 6 of the
Crimes Act 1914
, or
29
section 11.1, 11.2, 11.4 or 11.5 of the
Criminal Code
, being
30
an offence that relates to an offence against that Division;
31
may have been committed.
32
(2) The Commissioner must:
33
Schedule 1
Amendments
18
Privacy Amendment (Public Health Contact Information) Bill 2020
No. , 2020
(a) inform the Commissioner of Police or the Director of Public
1
Prosecutions of that opinion; and
2
(b) in the case of an investigation under subsection 40(1), give a
3
copy of the complaint to the Commissioner of Police or the
4
Director of Public Prosecutions, as the case may be; and
5
(c) subject to subsection (5) of this section, discontinue the
6
investigation except to the extent that it concerns matters
7
unconnected with the offence that the Commissioner believes
8
may have been committed.
9
(3) If the Commissioner of Police or the Director of Public
10
Prosecutions:
11
(a) has been informed of the Commissioner's opinion under
12
paragraph (2)(a); and
13
(b) decides that the matter will not be, or will no longer be, the
14
subject of proceedings for an offence;
15
the Commissioner of Police or the Director of Public Prosecutions,
16
as the case requires, must give a written notice to that effect to the
17
Commissioner.
18
(4) If the Commissioner of Police or the Director of Public
19
Prosecutions:
20
(a) has been informed of the Commissioner's opinion under
21
paragraph (2)(a); and
22
(b) is satisfied that an investigation relating to the matter, or
23
proceedings for an offence relating to the matter, will not be
24
jeopardised, or otherwise affected, by continuation of the
25
Commissioner's investigation;
26
the Commissioner of Police or the Director of Public Prosecutions,
27
as the case requires, may give a written notice to that effect to the
28
Commissioner.
29
(5) Upon receiving notice under subsection (3) or (4) the
30
Commissioner may continue the investigation discontinued under
31
paragraph (2)(c).
32
94V Referring COVID data matters to State or Territory privacy
33
authorities
34
(1) If:
35
Amendments
Schedule 1
No. , 2020
Privacy Amendment (Public Health Contact Information) Bill 2020
19
(a) a complaint has been made under section 36 about an act or
1
practice that may involve a breach of a requirement of this
2
Part; and
3
(b) before the Commissioner commences, or after the
4
Commissioner has commenced, to investigate the matter, the
5
Commissioner forms the opinion that:
6
(i) the complainant has made, or could have made, a
7
complaint relating to that matter to a State or Territory
8
privacy authority; and
9
(ii) that matter could be more conveniently or effectively
10
dealt with by that State or Territory authority;
11
the Commissioner may decide not to investigate the matter, or not
12
to investigate the matter further.
13
(2) If the Commissioner so decides, the Commissioner must:
14
(a) transfer the complaint to that State or Territory authority; and
15
(b) give notice in writing to the complainant stating that the
16
complaint has been so transferred; and
17
(c) give to that State or Territory authority any information or
18
documents that relate to the complaint and are in the
19
possession, or under the control, of the Commissioner.
20
(3) A complaint transferred under subsection (2) is taken, for the
21
purposes of this Act, to have been made to that State or Territory
22
authority.
23
94W Commissioner may share information with State or Territory
24
privacy authorities
25
(1) Subject to subsection (2), the Commissioner may share information
26
or documents with a State or Territory privacy authority:
27
(a) for the purpose of the Commissioner exercising powers, or
28
performing functions or duties under this Act in relation to
29
the requirements of this Part; or
30
(b) for the purpose of the State or Territory privacy authority
31
exercising its powers, or performing its functions or duties.
32
(2) The Commissioner may only share information or documents with
33
a State or Territory privacy authority under this section if:
34
Schedule 1
Amendments
20
Privacy Amendment (Public Health Contact Information) Bill 2020
No. , 2020
(a) the information or documents were acquired by the
1
Commissioner in the course of exercising powers, or
2
performing functions or duties, under this Act; and
3
(b) the Commissioner is satisfied on reasonable grounds that the
4
State or Territory privacy authority has satisfactory
5
arrangements in place for protecting the information or
6
documents.
7
(3) To avoid doubt, the Commissioner may share information or
8
documents with a State or Territory privacy authority under this
9
section whether or not the Commissioner is transferring a
10
complaint or part of a complaint to the authority.
11
94X Application to State or Territory health authorities
12
(1) This Act applies in relation to a State or Territory health authority,
13
as if the authority were an organisation, to the extent that the
14
authority deals with, or the activities of the authority relate to,
15
COVID app data.
16
(2) However, subsection (1) does not, in relation to a State or Territory
17
health authority:
18
(a) have the effect of applying Australian Privacy Principle 9 in
19
relation to a government related identifier that has been
20
assigned by that State or Territory or by a State or Territory
21
authority of that State or Territory; or
22
(b) have the effect of applying this Act in relation to data or
23
information that is not COVID app data.
24
Division 5--Miscellaneous
25
94Y Determining the end of the COVIDSafe data period
26
(1) Subject to subsection (2), the Health Minister must, by notifiable
27
instrument, determine a day if the Health Minister is satisfied that,
28
by that day, use of COVIDSafe:
29
(a) is no longer required to prevent or control; or
30
(b) is no longer likely to be effective in preventing or
31
controlling;
32
Amendments
Schedule 1
No. , 2020
Privacy Amendment (Public Health Contact Information) Bill 2020
21
the entry, emergence, establishment or spread of the coronavirus
1
known as COVID-19 into Australia or any part of Australia.
2
(2) The Health Minister must not make a determination under
3
subsection (1) unless the Health Minister has consulted, or
4
considered recommendations from, the Commonwealth Chief
5
Medical Officer or the Australian Health Protection Principal
6
Committee.
7
(3) The Commonwealth Chief Medical Officer or the Australian
8
Health Protection Principal Committee may recommend to the
9
Health Minister that the Health Minister make a determination
10
under subsection (1).
11
94Z Agencies may be determined to be data store administrator
12
(1) The Secretary of the Health Department may, by notifiable
13
instrument, determine that a particular agency is the data store
14
administrator for the purposes of one or more provisions of this
15
Part specified in the determination.
16
(2) The determination may limit the extent to which the agency is the
17
data store administrator for those purposes.
18
(3) The Secretary of the Health Department must not determine under
19
subsection (1) that any of the following is the data store
20
administrator:
21
(a) an enforcement body mentioned in paragraph (a) to (ea) of
22
the definition of
enforcement body
in subsection 6(1);
23
(b) an intelligence agency;
24
(c) the Australian Geospatial-Intelligence Organisation;
25
(d) the Defence Intelligence Organisation.
26
94ZA Reports on operation and effectiveness of COVIDSafe and the
27
National COVIDSafe Data Store
28
(1) The Health Minister must, as soon as practicable after:
29
(a) the end of the 6 month period starting on the commencement
30
of this Part; and
31
(b) the end of each subsequent 6 month period (if any) starting
32
on or before the day determined under subsection 94Y(1);
33
Schedule 1
Amendments
22
Privacy Amendment (Public Health Contact Information) Bill 2020
No. , 2020
cause a report to be prepared on the operation and effectiveness of
1
COVIDSafe and the National COVIDSafe Data Store during that 6
2
month period.
3
Note:
Section 94D prevents the inclusion of COVID app data in the report.
4
It would not be a permitted collection, use or disclosure under
5
subsection 94D(2).
6
(2) If the day determined under subsection 94Y(1) occurs during the 6
7
month period starting on the commencement of this Part, the report
8
under subsection (1) of this section relating to that period must be
9
prepared within 3 months after that day.
10
(3) The Health Minister must cause copies of a report prepared under
11
subsection (1) to be laid before each House of the Parliament
12
within 15 sitting days of that House after the completion of the
13
preparation of the report.
14
94ZB Reports by the Commissioner
15
(1) The Commissioner must, as soon as practicable after:
16
(a) the end of the 6 month period starting on the commencement
17
of this Part; and
18
(b) the end of each subsequent 6 month period (if any) starting
19
on or before the day determined under subsection 94Y(1);
20
cause a report to be prepared on the performance of the
21
Commissioner's functions, and the exercise of the Commissioner's
22
powers, under or in relation to this Part during the period.
23
Note:
Section 94D prevents the inclusion of COVID app data in the report.
24
It would not be a permitted collection, use or disclosure under
25
subsection 94D(2).
26
(2) If the day determined under subsection 94Y(1) occurs during the 6
27
month period starting on the commencement of this Part, the report
28
under subsection (1) of this section relating to that period must be
29
prepared within 3 months after that day.
30
(3) The Commissioner must publish a report prepared under
31
subsection (1) on the Commissioner's website.
32
(4) This section does not affect the matters that section 30 of the
33
Australian Information Commissioner Act 2010
requires the
34
Commissioner to include in an annual report.
35
Amendments
Schedule 1
No. , 2020
Privacy Amendment (Public Health Contact Information) Bill 2020
23
94ZC COVID app data remains property of the Commonwealth
1
COVID app data is the property of the Commonwealth, and
2
remains the property of the Commonwealth even after it is
3
disclosed to, or used by:
4
(a) a State or Territory health authority; or
5
(b) any other person or body (other than the Commonwealth or
6
an authority of the Commonwealth).
7
94ZD Operation of other laws
8
(1) This section cancels the effect of a provision of any Australian law
9
(other than this Part) that, but for this section, would have the
10
effect of permitting or requiring conduct, or an omission to act, that
11
would otherwise be prohibited under this Part.
12
(2) However, the cancellation does not apply to a provision of an Act
13
if the provision:
14
(a) commences after this Part commences; and
15
(b) expressly permits or requires the conduct or omission despite
16
the provisions of this Part.
17
Schedule 2
Repeals
24
Privacy Amendment (Public Health Contact Information) Bill 2020
No. , 2020
Schedule 2--Repeals
1
2
Biosecurity (Human Biosecurity Emergency) (Human
3
Coronavirus with Pandemic Potential) (Emergency
4
Requirements--Public Health Contact
5
Information) Determination 2020
6
1 The whole of the instrument
7
Repeal the instrument.
8
Privacy Act 1988
9
Note:
The repeals made by items 2 and 3 of this Schedule commence at the end of 90 days
10
after the day determined under subsection 94Y(1) of the
Privacy Act 1988
as amended
11
by this Act.
12
2 Subsection 6(1)
13
Repeal the following definitions:
14
(a) definition of
communication device
;
15
(b) definition of
contact tracing
;
16
(c) definition of
COVID app data
;
17
(d) definition of
COVIDSafe
;
18
(e) definition of
COVIDSafe user
;
19
(f) definition of
data store administrator
;
20
(g) definition of
former COVIDSafe user
;
21
(h) definition of
Health Department
;
22
(i) definition of
Health Minister
;
23
(j) definition of
in contact
;
24
(k) definition of
National COVIDSafe Data Store
;
25
(l) definition of
registration data
;
26
(m) definition of
State or Territory health authority
;
27
(n) definition of
State or Territory privacy authority
.
28
3 Part VIIIA
29
Repeal the Part.
30
Repeals
Schedule 2
No. , 2020
Privacy Amendment (Public Health Contact Information) Bill 2020
25
4 Transitional
1
After the commencement of this item:
2
(a) the powers of the Commissioner under or in relation to Part
3
VIIIA of the
Privacy Act 1988
as amended by this Act
4
continue to apply in relation to matters that arose under or in
5
relation to that Part before that commencement; and
6
(b) any obligations of the Health Minister or the Commissioner
7
under that Part relating to a report continue to apply;
8
as if the repeals made by items 2 and 3 of this Schedule had not been
9
made.
10