Australian privacy laws won’t stand in the way of the federal government’s COVID-19 pandemic response, but regulators will work to ensure all initiatives are proportionate and time-limited, Information Commissioner Angelene Falk says.
Government policies, particularly around contact tracing, have raised concerns about privacy and data protection, and how Australian laws will be applied.
Ms Falk has brought together a National COVID-19 Privacy Team to deal with these issues, featuring the relevant state and territory commissioners and ombudsman and officials from their offices.
The group will quickly meet when necessary to discuss potential government policies and their privacy implications, and make recommendations accordingly.
“As privacy regulators we are actively engaged in privacy issues that are relevant to this pandemic, and we want to be able to quickly convey information to government on how privacy laws apply in the current circumstances, and to have a rapid response and provide guidance on proposals that arise involving the handling of personal information,” Ms Falk told InnovationAus.
“We’ve got an opportunity to come together very quickly to consider the application of our laws and look at where we might be able to assist in order to mitigate any privacy implications.”
Australian privacy laws do have clauses allowing for increased data sharing, including personal medical information, during times of crisis, Ms Falk said.
“These laws though aren’t unconstrained and say that information sharing needs to be reasonable and necessary,” she said.
Victorian Information Commissioner Sven Bluemmel, who is part of the new COVID-19 privacy team, said that any new measures introduced by the government that impact the privacy of Australians must have a clear time limit.
“To the extent that they rely on an argument that this is a crisis response, we want to make sure that once the crisis has passed we go back to a more normal approach, so that we don’t have increased privacy risks,” Mr Bluemmel told InnovationAus.
“We certainly will be realistic regulators here, we understand that a response here needs to be speedy and effective, and generally privacy legislation does allow for that in a crisis situation.”
There have been growing calls for the federal government to introduce a COVID-19 contact tracing app, similar to the one in use in Singapore.
The Singapore government’s TraceTogether app voluntarily uses a phone’s Bluetooth to conduct contact tracing once a user is diagnosed with the virus.
Other countries, including China, South Korea, Hong Kong and Israel have also rolled out similar apps.
In the UK, the Information Commissioner’s Office has given the green light for the government to use personal data from someone’s phone to track them to fight the spread of COVID-19.
Reports have emerged that the UK government was in talks with local telcos to use anonymous location and usage data to chart the movement of people, potentially to ensure they are complying with quarantine restrictions.
Prime Minister Scott Morrison said that Australia would not be going down the same path as the UK in terms of accessing phone data, but it’s understood a review is currently underway into the Singapore contract tracing app.
Ms Falk said any potential use of phone data to track individuals needed to be transparent and have a set end-date.
“The principal position that I’m coming from is to ensure that any information handling is necessary, reasonable and proportionate. Technology can play an important role in addressing public health issues, but it’s important we have safeguards in place and that any change to information handling arrangements are time-limited to address these immediate concerns,” she said.
“We’re in exceptional circumstances but at the same time we do need to ensure that personal information is protected and handled in accordance with the law.”
Australians will likely be more willing to trade some personal privacy for the public health, Mr Bluemmel said, but only if governments are open and transparent about why they need access to the data, and how they will use it.
“If people don’t trust their governments and regulators then the crisis response becomes much, much harder, and if we see privacy being completely ignored then over time people might reduce that trust, and that’s bad for the response to future crises,” he said.
“I think people understand that in current crisis times things have to operate a little differently to ensure a good public health outcome, but it has to be necessary and proportionate, and has to be done in a way that government is transparent about what they are doing and why it is necessary.
“Privacy laws don’t stand in the way of a meaningful crisis response, but we must make sure that the crisis doesn’t lead to bad policy outcomes in the medium and long term. I’m entirely confident we can do both, but we have to be open and have to demonstrate ourselves to be trustworthy.
“We have to respect people and take them on the journey with us, and then we can be effective and have respect for privacy.”