Unless there's something I've missed entirely in the regulation, there's nothing that says the data loses its restrictions once it moved. Happy to be corrected and pointed to the specific clause, I just don't see it.
Section 3: "COVID app data is data relating to a person that...has been collected or generated through the operation of an app... and is, or has been, stored on a mobile telecommunications device." The data is defined by its origin, not its current location. The protections apply wherever it currently is.
Section 8: "A person must not decrypt encrypted COVID app data that is stored on a mobile telecommunications device"
Using your scenario, part two would be illegal (s8 especially) and the data request in part 3 should be rejected. The bigger problem is that's what _should_ happen. Whether it's enforced is another story...
> Unless there's something I've missed entirely in the regulation, there's nothing that says the data loses its restrictions once it moved.
It isn't explicitly stated, which is the point. We only have the data defined two ways: In the Data Store, and on a phone. Once downloaded from the Data Store, it is outside the definitions used within the bill.
This statement is the big one:
> However, it does not include information obtained, from a source other than the National COVIDSafe Data Store, in the course of undertaking contact tracing by a person employed by, or in the service of, a State or Territory health authority.
If the data was at one time obtained from the Data Store, but this new location is used as a source, it is no longer under the definitions of the bill.
Unless there's something I've missed entirely in the regulation, there's nothing that says the data loses its restrictions once it moved. Happy to be corrected and pointed to the specific clause, I just don't see it.
Section 3: "COVID app data is data relating to a person that...has been collected or generated through the operation of an app... and is, or has been, stored on a mobile telecommunications device." The data is defined by its origin, not its current location. The protections apply wherever it currently is.
Section 8: "A person must not decrypt encrypted COVID app data that is stored on a mobile telecommunications device"
Using your scenario, part two would be illegal (s8 especially) and the data request in part 3 should be rejected. The bigger problem is that's what _should_ happen. Whether it's enforced is another story...