Privacy Amendment (Public Health Contact Information) Act 2020

The Privacy Amendment (Public Health Contact Information) Act 2020 created a special privacy regime for data collected or generated through the COVIDSafe app by inserting Part VIIIA into the Privacy Act 1988. It restricted collection, use, disclosure, uploading, offshore handling and decryption of COVID app data, prohibited requiring people to use COVIDSafe, and linked breaches to Privacy Act enforcement. The regime was specific to COVIDSafe, and its main operational obligations are now historical because the COVIDSafe data period has ended.

These are plain-English explainers, not legal advice. They are a good starting point, but check the linked official source before you rely on a specific section, and get advice for your situation.

The Act and what it was designed to do

The Privacy Amendment (Public Health Contact Information) Act 2020 amended the Privacy Act 1988 to create a dedicated set of rules for the COVIDSafe app. The legislation inserted Part VIIIA into the Privacy Act and set out offences, handling rules, deletion requirements and privacy enforcement mechanisms for "COVID app data".

The object of the Part was to help prevent and control the spread of COVID-19 by giving stronger privacy protections to COVIDSafe users and their data. The legislation expressly linked those protections to encouraging public acceptance and uptake of COVIDSafe and enabling faster and more effective contact tracing.

This was not a broad rewrite of Australian privacy law. It was a targeted regime for a particular Commonwealth app and the data collected or generated through that app.

Who is in scope and who is usually out

The clearest in-scope groups were State and Territory health authorities undertaking contact tracing, the data store administrator, and officers, employees and contracted service providers working with the National COVIDSafe Data Store or the operation, integrity or security of COVIDSafe.

But the Act was not limited to government bodies. Some obligations and offences were framed broadly enough to affect private businesses and individuals. In particular, the prohibition on requiring another person to download COVIDSafe, operate it on a device, or consent to upload data could affect employers, landlords, venues, service providers and anyone else dealing with staff, customers, contractors or visitors.

Businesses could also come within the Act if they handled COVID app data incidentally or received it in error. That is why IT support providers, device managers and technology businesses needed to understand the rules even if they were not part of the official COVIDSafe system.

Most ordinary businesses were otherwise outside the direct operational core of the regime. If your business never handled COVIDSafe app data and never tried to require people to use the app, the Act was unlikely to impose day-to-day obligations on you.

What counts as COVID app data

The legislation defines COVID app data as data relating to a person that has been collected or generated through the operation of COVIDSafe and is either registration data or data stored, or previously stored, on a communication device. The definition is specific. It is tied to the operation of COVIDSafe itself.

The Act also carves some things out. It says COVID app data does not include information obtained from a source other than directly from the National COVIDSafe Data Store in the course of contact tracing by a person employed by, or in the service of, a State or Territory health authority. It also excludes de-identified statistical information about the total number of registrations through COVIDSafe produced by the data store administrator or its contracted service providers.

That distinction matters for businesses. This page should not be treated as a general guide to all health information, all pandemic records, or all contact tracing tools. The regime was deliberately narrow.

Trigger points for businesses

For a business, the main trigger points under the Act were practical rather than technical.

One trigger was considering whether to ask or require people to use COVIDSafe. The Act made that a high-risk area because it prohibited requiring another person to download the app, have it operating on a device, or consent to upload COVID app data. It also prohibited a range of conduct based on whether a person had done those things, including refusing contracts, taking adverse action, refusing entry, refusing participation, refusing to receive goods or services, or changing the price or terms of goods or services.

Another trigger was handling devices or systems that might contain COVID app data. If a business incidentally collected COVID app data while lawfully collecting other data, it needed to delete the COVID app data as soon as practicable after becoming aware of it and not otherwise access, use or disclose it. If a person received COVID app data in error, they had to delete it and notify the data store administrator.

A further trigger applied to organisations directly involved in the official COVIDSafe system. Their collection, use and disclosure of COVID app data was only permitted for tightly defined purposes, such as contact tracing, enabling contact tracing, ensuring the proper functioning, integrity or security of COVIDSafe or the National COVIDSafe Data Store, or limited regulatory and enforcement purposes set out in the Act.

Key obligations in practice

The Act imposed a mix of prohibitions and positive obligations.

First, COVID app data could not be collected, used or disclosed unless the Act permitted it. The permitted purposes were narrow and tied to contact tracing, system operation and security, privacy regulation, investigation and prosecution, and a small number of other specific functions.

Second, uploading COVID app data from a device to the National COVIDSafe Data Store required consent from the COVIDSafe user, or in limited cases a parent, guardian or carer.

Third, the data store administrator had to take all reasonable steps to ensure COVID app data was not retained on a communication device for more than 21 days, or if that was not possible, for no longer than the shortest practicable period.

Fourth, if a COVIDSafe user or former user asked for uploaded registration data to be deleted from the National COVIDSafe Data Store, the data store administrator had to take all reasonable steps to delete it as soon as practicable. If immediate deletion was not practicable, the data could not be used or disclosed for any purpose in the meantime.

Fifth, a person who received COVID app data in error had to delete it and notify the data store administrator as soon as practicable.

Sixth, the Act restricted offshore handling. It created offences for retaining uploaded COVID app data on a database outside Australia and for certain disclosures of uploaded COVID app data to a person outside Australia.

Seventh, the Act made it an offence to decrypt encrypted COVID app data stored on a communication device.

Offences, privacy consequences and regulator powers

The Act created several criminal offences. The extract states a maximum penalty of 5 years imprisonment or 300 penalty units, or both, for non-permitted collection, use or disclosure of COVID app data, uploading without consent, retaining uploaded data outside Australia, certain disclosures outside Australia, decrypting encrypted COVID app data on a device, and requiring participation in relation to COVIDSafe.

The legislation also connected these rules to the broader Privacy Act framework. COVID app data relating to an individual was taken to be personal information. A breach of a requirement in Part VIIIA in relation to an individual was treated as an interference with the privacy of that individual, which meant the complaint and investigation framework under the Privacy Act could apply.

The Act also set special rules for eligible data breaches involving COVID app data. In the situations described in the legislation, a breach was taken to be an eligible data breach by the data store administrator or the relevant State or Territory health authority, and the individual was taken to be at risk. The Commissioner was given enhanced assessment and investigation powers in relation to compliance with the Part.

For employers, there was an additional workplace law angle. The Act states that the prohibition on certain discriminatory conduct connected to COVIDSafe is a workplace law for the purposes of the Fair Work Act 2009, and that the benefit a person derives from that obligation is a workplace right.

Dates and status

The Act received Royal Assent on 15 May 2020. Schedule 1, which inserted the main amendments into the Privacy Act, commenced on 16 May 2020. Schedule 2, item 1 also commenced on 16 May 2020.

The commencement table in the legislation records that Schedule 2, items 2 to 4 took effect at the end of 90 days after the day determined under subsection 94Y(1) of the Privacy Act, and notes that date as 14 November 2022.

The legislation also set out what had to happen after the end of the COVIDSafe data period. After the end of the day determined under subsection 94Y(1), the data store administrator could not collect any COVID app data or make COVIDSafe available to be downloaded. As soon as reasonably practicable after that, the data store administrator had to delete all COVID app data from the National COVIDSafe Data Store, inform the Health Minister and the Commissioner that deletion had occurred, and take all reasonable steps to inform current users that the data had been deleted, no further data could be collected, and they should delete COVIDSafe from their devices.

For most businesses, that means the Act is now mainly historical in operation. It remains useful as a record of the legal settings that applied to COVIDSafe app data and as a reminder that the regime was app-specific.

Checks before relying on this page

Before relying on this page for a current compliance decision, check three things.

First, confirm whether the information you are dealing with is actually COVID app data as defined by the Act. If it is not data collected or generated through the operation of COVIDSafe, this regime may not apply.

Second, confirm whether your issue is historical or current. Because the COVIDSafe data period has ended, many of the Act’s practical obligations are no longer part of ordinary business operations. Historical incidents, legacy records or past conduct may still need careful analysis.

Third, if your organisation is dealing with health information, employee records, app data, or public health directions outside COVIDSafe, check the other laws and policies that may apply. This Act did not replace the rest of Australian privacy law and did not create a universal rule for all contact tracing or health data.

Source notes

This page summarises the Privacy Amendment (Public Health Contact Information) Act 2020 as published on the Federal Register of Legislation. The Act amended the Privacy Act 1988 by inserting Part VIIIA and included commencement provisions and repeals connected to the earlier emergency determination.

If you need the exact legal text, use the Federal Register of Legislation version for the Act and the amended Privacy Act provisions referred to in it.
