The following information has been released by the Office of the Australian Information Commissioner as to the COVIDSafe App, the Privacy Act and how this effects venues.
Information about the COVIDSafe App and the Privacy Act
It is an offence to require an individual to download or use the App
The App is voluntary, and individuals cannot be required to download the App under any circumstances. It is an offence for an individual, organisation or government agency to require another person to download the App, have it in operation on a device, or to require them to upload the data from their device to the National COVIDSafe Data Store.
It is against the law to refuse goods or services to individuals who do not want to download the App, or to stop them from participating in an activity, or take adverse action against them.
For example:
- An organisation, including a venue or entity operating in a venue, cannot refuse service, or charge someone more for, a product or service just because they are not using the App
- a restaurant, food vendor or catering service cannot refuse someone service because they don’t have the App
- a venue cannot require patrons to download the app as a condition of entry
- an employer cannot dismiss their employee, alter their position to their detriment, stop them entering the workplace, or pay them less just because they don’t have the App (even if they are using a work-issued phone)
A breach of this rule is:
- a crime punishable with 5 years imprisonment and/or a $63,000 fine, and
- an interference with privacy which enables a complainant to seek compensation and enlivens the Privacy Commissioner’s regulatory powers.
An offence is committed regardless of whether or not an individual actually downloads the App.
The OAIC has been given powers to refer any privacy complaint which may involve a breach of this provision to the Australian Federal Police (AFP) for their investigation.
Why is it an offence to require someone to download the App?
These provisions have been enacted because every individual has the right to privacy, and to be protected by law from arbitrary or unlawful interference with their privacy. The privacy protections enshrined in the law are designed to ensure that individuals can have confidence that their personal information will be handled in an open and transparent manner, in line with clearly defined public health objectives.
The Privacy Act itself states that the object of the law as it applies to the App is to:
- encourage public acceptance and uptake of COVIDSafe, and
- enable faster and more effective contact tracing of individuals who may have been exposed to COVID-19.
What if an entity has already indicated that individuals are required to download the App?
If an entity has required an individual to download or use the App, or has taken other steps such as pre-installing the App on individual’s devices, they should cease and desist immediately, and take steps to ensure that they are not requiring individuals to use the App. This applies even where the App is installed on a work phone or other device that a business or entity otherwise owns.
Such steps may include uninstalling the App on any devices, clarifying any recent communications which have caused confusion or concern, and contacting any individuals who have complained or indicated that they have been required to download the App to explain that the App is voluntary and that they are not required to download and use it.
It is important to consider the context of any messaging to the community
Peak bodies, their members, venue owners and entities operating in a venue are encouraged to carefully consider any messaging they wish to communicate to the public or to their employees in relation to the use of the App.
It is not an offence to encourage uptake and use of the App. However, the context in which such messaging is communicated could contribute to an impression that an individual is required to download the App. An individual can make a privacy complaint to the OAIC, where it will be considered and referred to the AFP if the Privacy Commissioner forms the view that a crime has been committed.
The OAIC understands that entities are actively looking to manage the ongoing risks of COVID-19 in their workplaces and industries as COVID-19 restrictions are eased. It is therefore important that communications to the public are informed by the privacy protections set out in the Privacy Act, including the prohibition on requiring individuals to download and use the App.
Entities should consider the context in which their communications are sent and received by individuals. It must be made clear that individuals have the choice whether or not to use the App, and that they will not be punished, excluded or otherwise disadvantaged by choosing not to download the App. To do so otherwise is a breach of the Privacy Act.
The OAIC has published guidance for individuals – the COVIDSafe App and My Privacy Rights – which your members may wish to consider and provide to individuals as part of their communications.
Useful resources
- Guide to undertaking Privacy Impact Assessments
- Privacy Impact Assessment eLearning tool
- Guidance for businesses collecting personal information for contact tracing
- The COVIDSafe App and My Privacy Rights
- Privacy obligations regarding COVIDSafe and COVID app data
- Australian Privacy Principle (APP) Guidelines