Privacy Policy for COVIDSafe Application


Read the privacy policy in languages other than English.

The Australian Government Department of Health, with the support of the Digital Transformation Agency, is implementing COVIDSafe to help State and Territory health officials (health officials) conduct contact tracing to stop the spread of COVID-19.

Contact tracing is a fundamental element of a public health response to disease outbreak. It is the process of identifying people who may have come into contact with someone who has COVID-19, so that they can be advised to take measures to help stop the further spread of COVID-19 (such as getting tested or self-isolating).

This privacy policy sets out how personal information that is collected via COVIDSafe will be handled in accordance with the Privacy Act 1988. This Act was amended by the Privacy Amendment (Public Health Contact Information) Act 2020) in May 2020 to provide stronger privacy protections for users of the COVIDSafe App and information collected through the App.

The Secretary of the Department of Health has determined that the Digital Transformation Agency (we, us, our) is the National COVIDSafe Data Store Administrator. It will collect, use or disclose your personal information only in accordance with this policy and the Privacy Act 1988. The Australian Department of Health does not have access to personal information that is collected about you when using the app.

What personal information will be collected, and why is it being collected?

We collect personal information to help conduct contact tracing when you register for, use or upload data to COVIDSafe.

When you register for COVIDSafe

We will ask you to consent to the collection of your:

  • mobile phone number — so that you can be contacted if needed for contact tracing
  • name — so the relevant health officials can confirm they are speaking to the right person when performing contact tracing. This will be easiest if you provide your full name, but you can use a pseudonym or fake name if you prefer​
  • age range — so health officials can prioritise cases for contact tracing, if needed​​
  • postcode — to make sure health officials from the right State or Territory who work in your area can contact you, and to prioritise cases for contact tracing, e.g. hotspot areas

If you are under 16 years of age, your parent, guardian or carer will need to consent to the collection of your registration information and contact data.

When you come into contact with another COVIDSafe user

Your app will only record the following contact data: (1) the encrypted user ID, (2) date and time of contact, (3) Bluetooth signal strength, and (4) make and model of the phone of other COVIDSafe users with which you come into contact. This information will also be recorded on the other users’ devices and stored in an encrypted format.

An encrypted user ID will be created every 2 hours. This will be logged in the National COVIDSafe Data Store (data store), operated by the Digital Transformation Agency, in case you need to be identified for contact tracing.

No location data (data that could be used to track your movements) will be collected at any time. No user will be able to see the contact data stored on their device as it will be encrypted. Any attempt to decrypt contact data is an offence. Contact data stored on a device will be automatically deleted after 21 days.

We cannot access any contact data stored on a device, or share this with health officials, unless and until a COVIDSafe user, or their parent, guardian or carer, consents to upload the data to the data store.

If you test positive to COVID-19

A health official will contact you and ask for consent to enter your mobile number into the data store to generate a PIN to be sent to you by SMS.

If you enter the PIN, you can give your consent to upload contact data on your device into the data store to share with health officials to enable contact tracing.

If another user tests positive to COVID-19, they may upload their contact data, which may include details of their contact with you.

Making sure COVIDSafe is working on your phone

We also collect diagnostic information from your device to ensure the proper functioning, integrity or security of COVIDSafe or of the data store in accordance with section 94D(2)(b)(iv) of the Privacy Act 1988.

The ‘diagnostic information’ is information about:

  • the operating system on your phone – to be able to identify if there are specific issues with your operating system;
  • the version of COVIDSafe installed on your phone – to check if you have the latest version of the app and all of the benefits that it offers;
  • the language your device is set to – to ensure that COVIDSafe displays in your preferred language where available, and to identify any issues with a particular language version;
  • whether your phone has Bluetooth enabled – COVIDSafe only works if Bluetooth is turned on;
  • whether your phone has battery optimisation enabled – on Android/Google devices, battery optimisation must be turned off for COVIDSafe to work;
  • whether your phone has location services enabled on Android/Google devices only – this is needed for COVIDSafe to access Bluetooth on your device;
  • whether your App has recorded any contacts with other COVIDSafe users in the previous seven days - this is a ‘yes’ or ‘no’ response – and provides us an indication that we may need to investigate that the App is working effectively.

This information is automatically generated by your device and is sent regularly to the data store. An automated system uses this information to decide whether to send you a notification to let you know that something is not working in your App. It will also guide you through the process to fix it. This information is not used for any other purpose.

How will personal information be collected?

Use of COVIDSafe is completely voluntary. You can install or delete COVIDSafe at any time.

As part of your use of COVIDSafe, we will collect:

  • your registration information after you successfully enter a PIN sent by SMS
  • information about your encrypted user ID when you have COVIDSafe open or running on your device
  • information that you have tested positive to COVID-19 when you agree to a health official sending you an SMS to enable you to upload your contact data
  • your contact data, if you test positive to COVID-19 and choose to upload your contact data on your device
  • contact data of another COVIDSafe user, where that user has tested positive to COVID-19 and chooses to upload their contact data on their device, which may include details of their contact with you.

No user should feel pressured to install or continue to use COVIDSafe, or to agree to upload contact data to the data store. This is prohibited under the Privacy Act 1988. If you feel pressured to do any of these things, you can make a complaint to the Office of the Australian Information Commissioner, and/or the Australian Federal Police.

How will personal information be stored?

We will store all registration information, encrypted user IDs and contact data, in the data store. It is a cloud-based facility, using infrastructure located in Australia, which has been classified as appropriate for storage of data up to the ‘protected’ security level.

We will delete all data in the data store as soon as possible after the day determined by the Health Minister to be the end of the COVIDSafe Data Period as required by the Privacy Act 1988.

Contact data on your device will be automatically deleted from your device 21 days after contact occurs. It will also be deleted if you remove COVIDSafe from your device or upload your contact data to the data store.

How will personal information be used and disclosed?

We will use or disclose your personal information to enable contact tracing by health officials. This includes:

  • using your mobile number to send you an SMS to confirm your number or upload your contact data
  • using encrypted user IDs in uploaded contact data to identify other COVIDSafe users that a positive COVIDSafe user had contact with in the last 21 days (contact users)
  • providing health officials with access to the registration information and contact data of contact users to enable contact tracing

Contact users may be advised by health officials to take such public health measures as are required by their State or Territory (such as self-isolating). Failure to comply with these measures may be in breach of State or Territory law.

We will also use or disclose your personal information:

  • to ensure the proper functioning, integrity or security of COVIDSafe or of the data store
  • to produce de identified statistical information about the total number of registrations through COVIDSafe
  • to confirm that the correct data is being deleted, when you make a request to delete personal information held in the data store
  • to the Information Commissioner to perform functions or exercise powers under or in relation to Part VIIIA of the Privacy Act 1988
  • if it is necessary, for the purposes of investigation and prosecution of a breach under Part VIIIA of the Privacy Act 1988

We will not use or disclose your personal information for any other purpose.

Can personal information be deleted?

You can also uninstall COVIDSafe at any time. This will automatically delete all information stored on your device and stop other users from collecting your contact data.

Uninstalling COVIDSafe will not automatically delete any information already uploaded to the data store, or any of your contact data stored on another user’s device in the last 21 days, which could still be uploaded to the data store and used for contact tracing purposes. If you wish any of your contact or diagnostic data uploaded to the data store to be deleted you can expressly ask us to delete your information.

Can a user correct or access personal information?

You can:

  • change your registration information by deleting and re-installing COVIDSafe
  • seek the deletion of the registration information we hold in the data store by contacting us
  • register the correct information on COVIDSafe

To ensure maximum security of your COVIDSafe data, you will not be able to access your data held in the data store.

Further information about privacy

For further information about the COVIDSafe app and your privacy rights, the Office of the Australian Information Commissioner outlines how the Privacy Act 1988 applies to the Australian Government’s COVIDSafe app.

Contact us

COVIDSafe Privacy enquiries and complaints

Contact us to find out more about COVIDSafe Privacy or to make a privacy enquiry or complaint.

Privacy Officer: privacy@dta.gov.au
Phone: 02 6120 8707

Postal address:
Digital Transformation Agency
GPO Box 457
Canberra ACT 2601

The Privacy Officer will refer enquiries of a general nature to the Australian Government Department of Health to provide a response. The Privacy Officer will handle any individual complaints about privacy in accordance with the provisions of the Privacy Act 1988, which include a requirement to refer privacy breaches to the Office of the Australian Information Commissioner for investigation.

Alternatively, you can:

Last updated:
12 October 2020