People caught making unauthorised use of the COVIDSafe app data, including transferring or storing it offshore, could face up to five years imprisonment under privacy safeguards contained in draft legislation.
Attorney-General Christian Porter has unveiled amendments to the Privacy Act 1988 to enshrine stiff penalties for breaches in the use of the app as the government pushes for extensive public take-up.
The app has been downloaded more than four million times and Prime Minister Scott Morrison has made its widespread adoption a key condition in national cabinet deliberations on when to begin easing physical distancing restrictions.
Surveys indicate that although a significant proportion of Australians are prepared to install the technology on their smart phones, many have privacy and data security concerns.
When he launched the app a week ago, Health Minister Greg Hunt revealed he had made a determination under the Biosecurity Act to include severe penalties for unauthorised use.
The draft legislation unveiled by Mr Porter will, if passed, enshrine this determination in law and is expected to be introduced when parliament resumes on May 11.
The government has criminalised the collection, use or disclosure of COVIDSafe app data for purposes unrelated to contact tracing.
It has also made it a criminal offence to coerce people to use the app, to store or transfer COVIDSafe app data to a country outside Australia and to decrypt app data.
The maximum penalty for breaches is five years imprisonment or $63,000 fine.
"The draft Bill ... will enshrine these protections in primary legislation and gives Australians confidence to download COVIDSafe, continue the fight against COVID-19 and get our nation back to business as usual," the Attorney-General said.
"As the final step of our 'triple lock' of privacy protections, this draft Bill will build upon the Biosecurity Determination and agreements with the states and territories to comprehensively guarantee that Australians' data is in safe hands when they download and use COVIDSafe."
The draft laws will empower the Australian Federal Police to investigate the misuse of COVIDSafe data, and allow for individual complaints to be heard by the Office of the Australian Information Commissioner or state or territory privacy watchdogs "if appropriate".
Australian Privacy Foundation chair David Vaile said significant concerns remained despite the release of the draft legislation.
Part of the function of the app is to transmit information collected on close contacts to a central data store for access by state and territory public health officials tracing infections.
The draft legislation applies at the Commonwealth level and Mr Vaile said it was unclear whether it would extend to the states and territories.
The privacy expert said technical analysis indicated that most of the data processing would take place in the central data store rather than in the app, which was at odds with the government's description of how the technology worked.
Mr Vaile said government secrecy was undermining its efforts to encourage public confidence in the app.
"We don't have enough information to understand the way the system works," he said. "Increasingly it looks like the app is just the front end."
He called on the government to immediately share details including the app's design specifications, its source code and communication protocols.
- You can also call the Coronavirus Health Information Line on 1800 020 080
- If you have serious symptoms, such as difficulty breathing, call Triple Zero (000)
Our COVID-19 news articles relating to public health and safety are free for anyone to access. However, we depend on subscription revenue to support our journalism. If you are able, please subscribe here. If you are already a subscriber, thank you for your support. If you're looking to stay up to date on COVID-19, you can also sign up for our twice-daily digest here.