COVIDSafe Act: Click here to run consultation

Run the consultation

Overview

Purpose

This is a legal expert and decision-support system designed to answer questions about offences and obligations relating to the COVIDSafe app and COVID app data. The relevant legislation is Pt VIIIA of the Privacy Act 1988 (Cth), which was inserted in May 2020 by the Privacy Amendment (Public Health Contact Information) Act 2020 (Cth) ('COVIDSafe Act').

The system is also designed to showcase the capabilities of AustLII's DataLex software: how it enables legislation to be coded with relative ease by legal practitioners, how it can be used to create user-friendly expert and decision-support systems, and how it may assist practitioners in the provision of legal advice.

This system is recommended for people with some legal training or experience, such as a law student, lawyer or paralegal, acting as an intermediary between the client and the system. It is usable by people with minimal or no legal training or experience, but they may have more trouble understanding certain aspects of the system.

We would greatly appreciate any feedback you may have about how we can improve the system. The feedback form is available here .

Please note that this system is for educational and testing purposes only. Any information provided does not constitute legal advice and must not be relied on as such. Legislation current as of 15 November 2020.

Further material

Run Consultations

Knowledge Bases ('KB') used in this system

Using the System

How does this system work?

You will be asked a series of questions to which you will answer ‘yes’ or ‘no’ or type a short response (only when prompted).

Other features include:

• The ‘why’ button: This will tell you why the question is being asked.
• The ‘uncertain’ button: The dialogue may continue if the answer to the current question is not essential to the conclusion.
• The ‘what if’ button: This can be used to test hypothetical situations. The button must be de-selected in order for the consultation to continue.

An automated conclusion report will be generated from the answers you give to the questions asked.

For further information how the user interface works please refer to the DataLex User Interface Manual.

Which goal should I pick?

	Select this goal if...	Expected result
Goal 1 (‘Mishandling of data’)	You know or suspect you or someone else has: Collected, used or disclosed COVID system data Uploaded COVID system data from a communication device to the National COVIDSafe data store Retained COVID system data on an overseas database Decrypted encrypted COVID system data	You will be informed whether you or the relevant person may have committed an offence under Pt VIIIA of the Privacy Act 1988.
Goal 2 (‘Requiring use’)	You know or suspect that you or someone else has required another person to download or otherwise use the COVIDSafe system.	You will be informed whether you or the relevant person may have committed an offence under Pt VIIIA of the Privacy Act 1988.
Goal 3 (‘Received in error’)	You know or suspect that you or someone else has either sent or received COVID system data in error.	You will be informed what your or the relevant person’s obligations are.
Goal 4 (‘Data store administrator’s obligations')	You know or suspect that: Your or someone else’s COVID system data has been retained for more than 21 days You or someone else has requested for their COVID system data to be deleted You or someone else is a former COVIDSafe user The COVIDSafe data period has ended	You will be informed what the data store administrator’s obligations are.

What is COVID app data?

You will notice that the goals listed above and the system itself refers several times to the term 'COVID app data'. It is necessary for the generation of a correct report that you know whether the relevant data is COVID app data or not.

As you go through the system, you may come across a question asking you whether the data under consideration is COVID app data (pictured below).

You can access a separate consultation advising you on whether the data is COVID app data by clicking on the blue hyperlinked 'COVID app data' text, or going here.

What is an OAIC complaint?

A breach of any of the COVID app related provisions (including both the offence and obligation provisions) of the Privacy Act is considered an 'interference with privacy'. This triggers the OAIC's investigative and regulatory powers under the Privacy Act. You can use our OAIC complaint app (click here) to generate a complaint document that you may then email, mail or fax to the OAIC to lodge a privacy complaint with the OAIC.

For more information on making an OAIC privacy complaint process click here.

Sample Client Scenarios

These are hypothetical questions that clients may have about their rights and obligations under the COVIDSafe Act that a notional intermediary legal professional could use our system to answer.

For further information on how the following conclusions were reached, click here.

Offences

(1) Martin went to his favourite cafe and was turned away by a staff member, Steven, because he did not have the COVIDSafe app downloaded on his phone. He is furious about the poor service. Martin uses the system to find out what he can do about the staff member's conduct.

• Outcome: Steven has likely committed an offence under s 94H(2).

(2) Ivan’s boss threatened to leave him off next week’s work roster if he doesn’t download the COVIDSafe app before his next shift. He does not want to download the app because he is concerned about his privacy. Ivan uses the system to find out whether his boss is allowed to do this.

• Outcome: Ivan’s boss has likely committed an offence under s 94H(2).

(3) Karen, a computer science student, borrowed her friend’s phone. To practice what she learned at university, and as a practical joke, she decrypted COVID app data on the borrowed phone. Karen's conscience later gets the better of her, and she uses the system to find out whether her ‘practical joke’ was illegal.

• Outcome: Karen has likely committed an offence under s 94G.

(4) Nina works for a state health authority. Her parents, who live overseas, are very concerned about how poorly Australia is managing the COVID-19 situation. To reassure them that there are not many active cases where she lives and that she is safe from the virus, she disclosed COVID app data from the National COVIDSafe Data Store. Nina becomes worried that this will cost her her job, so she uses the system to find out whether she committed an offence by doing so.

• Outcome: Nina has likely committed an offence under s 94F(2).

(5) Nina’s parents are not very tech-savvy and accidentally saved the COVID app data that Nina sent them to a database in their country. When Nina finds out, she uses the system to find out whether her parents have inadvertently committed an offence.

• Outcome: Nina's parents have likely committed an offence under s 94F(1).

(6) Edward used COVID system data for his university assignment comparing national policy approaches to the pandemic around the world. His lecturer reads the assignment and is concerned about where and how Edward obtained the data, and whether people are allowed to use COVID system data for this purpose, so he uses the system to find out.

• Outcome: Edward has likely committed an offence under s 94D.

(7) Sejeong has borrowed her friend Mike’s old phone after having dropped hers into the toilet. She receives a notification from the COVIDSafe app that Mike had previously installed onto the phone in his name. The notification asks for permission to upload COVID app data to the National COVIDSafe Data Store. Sejeong agrees to the upload as she knows that Mike had recently tested positive for COVID-19. Mike finds out about this and is livid. He uses the system to find out whether Sejeong has done anything wrong.

• Outcome: Sejeong has likely committed an offence under s 94E.

General Obligations

(8) Ellie, who has resided in NSW since the start of the pandemic, received COVID app data of somebody residing in the Northern Territory who she had never met or heard of. Ellie found this funny and took a screenshot, which she also saved on her laptop. A month later, she showed the screenshot to her friend, who warned her that this may not have been the right thing to do. Ellie is now concerned that she may has done something illegal and consults the system for guidance.

• Outcome: Ellie likely breached her obligation under s 94M.

About COVIDSafe

The COVIDSafe app is designed to facilitate the identification of close contacts of people who have tested positive for COVID-19.

Users:

1. Download COVIDSafe from the Apple App Store or Google Play Store onto their mobile device.
2. Register by giving a name, which does not have to be their real name, their age range, their mobile phone and their postcode. This is their ‘registration data’.
3. Use the app by switching it ‘on’ and leaving it running in the background as they go about their day.

Downloading, signing-up to and using the app is entirely voluntary. The object of the COVIDSafe Act is not to authorise or require use of the app, it is instead a measure intended to protect the privacy of existing and prospective users. It is an offence to require someone to, or coerce someone into, downloading or using the app.

The app does not collect any geolocation data. When the app is installed and switched-on, and it detects a Bluetooth signal coming from another device nearby with the app installed and switched-on, it creates a piece of encrypted data on your device – known as a ‘digital handshake’. The Act makes it illegal to decrypt this data.

Any encrypted data will only leave your phone if somebody who you have digitally ‘shaken hands with’ tests positive for COVID-19, and you consent for the data to be uploaded to the National COVIDSafe Data Store. It is illegal for the encrypted data to leave your phone if you haven’t consented, and it is illegal to store the data outside Australia

Any breach of a COVIDSafe Act provision constitutes an ‘interference with privacy’ under section 13 of the Privacy Act 1988 (Cth), which entitles affected persons to make a complaint to the Information Commissioner under section 36.

For more information on the COVIDSafe app click here.

About this Project

This system was created by a group of UNSW Law students (Meryl Mao-Jiang, Adam Schwartz, Muhammad Abubakar, Emily Hunyor and Erol Gorur) as part of the subject 'Designing Technology Solutions for Access to Justice', taught by Dr Lyria Bennett Moses.

We wish to thank Philip Chung and Graham Greenleaf for their guidance throughout the project, Lyria for her teaching and support, and our classmates for their insights.

Bibliography

A Articles

Greenleaf, Graham and Kemp, Katharine, Australia’s COVIDSafe Experiment, Phase III: Legislation for Trust in Contact Tracing (May 15, 2020). UNSW Law Research, Available at SSRN: https://ssrn.com/abstract=3601730 or http://dx.doi.org/10.2139/ssrn.3601730</a

B Legislation

Fair Work Act 2009 (Cth)

Privacy Act 1988 (Cth)

Privacy Amendment (Public Health Contact Information) Act 2020 (Cth)

C Other

‘Australia - Main Reasons for Not Downloading the COVIDSafe App 2020’, Statista < https://www.statista.com/statistics/1153896/australia-main-reasons-for-not-downloading-the-covidsafe-app/ >

Australian Government Department of Health, ‘COVIDSafe App’, Australian Government Department of Health (Text, 24 April 2020) < https://www.health.gov.au/resources/apps-and-tools/covidsafe-app >

‘COVIDSafe App’ < https://covidsafe.gov.au >

‘COVIDSafe App’, Australia < https://www.australia.gov.au:443/content/australia/home/app.html >

‘COVIDSafe App Guidance | Safe Work Australia’ < https://www.safeworkaustralia.gov.au/covid-19-information-workplaces/other-resources/covidsafe-app-guidance >

Explanatory Memorandum, Privacy Amendment (Public Health Contact Information) Bill 2020 (Cth)

Parliamentary Joint Committee on Human Rights, Human rights scrutiny report (Report 6 of 2020, 20 May 2020)

‘Privacy Complaints’, OAIC < https://www.oaic.gov.au/privacy/privacy-complaints/ >

‘The COVIDSafe App and My Privacy Rights’, OAIC < https://www.oaic.gov.au/privacy/covid-19/the-covidsafe-app-and-my-privacy-rights/ >