| > For example, the minister said that even in the event of a crime, the data could not be used. However, two parts combine that show actually, they can. That's incorrect. The only crime that could be a valid reason for using the data is a breach of the emergency biosecurity laws [6(2)(d)] (also see s477 of the Biosecurity Act 2015 (Cth)). Two common legal 'tools' are inclusive clauses and exhaustive clauses. An inclusive clause lists examples of what a section of legislation or a contract applies to, but it's not a complete list. You may have seen something like this in an employment contract, where the contract lists out your roles and responsibilities with a list that starts with "including, but not limited to: ". E.g the items listed definitely apply but there may be more other items that are not listed.
Exhaustive clauses are the opposite, if it's not expressly stated in the list, it doesn't apply. Part 2 limits how the data can be collected and used by using an exhaustive clause, i.e. section 6(2). Breaking it down, section 6(1) states: 'A person must not collect, use or disclose COVID app data except as provided by subsection (2).' So unless the reason is expressly listed under subsection 6(2), it cannot be used/collected. Very roughly paraphrasing the reasons in 6(2): - 6(2)(a): The person is a State/Territory HEALTH official (i.e. not law enforcement) AND the reason for is contact tracing only - 6(2)(b): The person is an employee/officer/contractor of the Health Department or Digital Transformation Agency (DTA) to help a Health employee with contact tracing, or to ensure the app / data store is functioning properly. E.g Devs bug fixing the app, API etc - 6(2)(c) Moving encrypted data from a mobile to the CovidSafe database - 6(2)(d) Investigating an offence of the emergency biosecurity laws - 5(2)(e) Using data for 'de-identified' statistics So going back to the grandparent comment, it's not correct say that the regulation has no effect due to the previous laws that weaken privacy. In fact the wording for the valid uses is refreshingly restrictive. E.g using '..[for the] purpose of, and only to the extent required for the purpose of' and not just 'for the purpose of' is a cue for the courts to interpret the use case quite restrictively. With all that said, this may be all well and good in theory, but it remains to be seen if the Government can enforce these restrictions in practice. There are some very valid concerns about that. However that's for another conversation/thread. [edit: formatting] |
You haven't fully understood what I tried to convey. Whilst it is true that the data can only be copied from the data store for a restrictive reason, such as ensuring the security of the data store, once it is outside that store, it is no longer protected by the limitations.
So this sequence of events is possible, and legal:
+ Data store data is taken off site for a legitimate reason, such as validation, by the correct department.
+ The police upload from a suspect's CovidSafe app, as a matter of policy, to help protect the public.
+ The police issue a data request, such as under the recently passed AABill law, from the Health Department.
The protections around the data only refer to it in two ways: App data, when it is on the phone, or when referencing it in regards to the Data Store in Canberra. Once it leaves, it is no longer protected.
The definitions refer to the data in terms of location, if that location changes, then it's out of those protections.