The Commonwealth government's next hope in ending COVID-19 dropped into the app stores at 6pm yesterday and within a few hours had been downloaded over a million times.

Of those million people, about 7 have probably read the terms and conditions and privacy policy. But don't worry, we did and here is what you need to know:

  • The app works by constantly searching (via Bluetooth) for anyone near you who also has the app. If you remain within about 1.5 metres of a person for 15 minutes or more a 'contact' is logged. Every contact is then recorded and stored on your phone (and the other peoples' phones).
  • If you contract COVID-19 you will be asked if you consent to upload the contact data on your phone to a database. The relevant state or territory health department will then use the data to contact all the users you have had contact with (while not naming you to those people).
  • Note, if you are the infected person you need to consent to upload your data, but if you have had contact with an infected person, you are not asked to grant consent for the government to contact you.
  • The privacy policy states that the data will only be used for contact tracing, and the 'proper and lawful functioning of COVIDSafe'.
  • The app does not collect location data (it learns the date, time, distance and duration of a contact, but not where the contact occurred).
  • Your data is encrypted on your mobile phone and is automatically deleted after 21 days (allowing for a reasonable incubation plus testing period for the virus).
  • You can delete the app at any time, and it will then stop recording contact data and delete the data on your phone. However, any of your data that has been uploaded to the government database will not be deleted until the end of the pandemic. You can request that this data be deleted. You will not be able to access your contact records.

In short, the privacy policy says all the right things and puts in place the protections ScoMo has constantly assured us will be there.

There is, however, a right under the Privacy Act for law enforcement bodies to obtain personal information without the consent of the individual if the body believes it is reasonably necessary for an enforcement related activity. So, the cops ordinarily could use your contact data to prove you attended that dinner party in breach of the social distancing laws.

But, the government has also attempted to close this loophole. The Health Minister has made a determination under the Biosecurity Act which provides that no person can collect, use or disclose any data collected via the COVIDSafe app for any purpose other than contact tracing. The determination overrides the provisions of the privacy laws, and anyone breaching the terms of the direction could be guilty of an offence under the Biosecurity Act.

This all sounds like good news for those of us concerned about our privacy when using the app. However, it could be that the Minister's determination has no legal weight at all (because it is either not necessary for the management of the pandemic, and/or a ministerial direction can't override legislation). It seems even the government is not so sure about it, as buried in the FAQs for the app is a statement that the determination will be 'enshrined' by parliament in May. If the protections in the direction fail, it will indeed be a free-for-all when enforcement bodies want to track your contacts.

We do not disclaim anything about this article. We're quite proud of it really.