The federal government has sought to allay privacy concerns with its contact tracing app by proposing a jail term of up to five years for those that use COVIDSafe data for any purpose other than contact tracing.

Attorney-general Christian Porter revealed an exposure draft of the much-anticipated legislation late on Monday, as the number of app downloads and registrations closes in on the five million mark.

The Privacy Amendment (Public Health Contact Information) Bill 2020 is expected to be introduced when Parliament sits next week.

It will replace the interim determination issued by health minister Greg Hunt under the Biosecurity Act when COVIDSafe was launched last week.

The bill, which largely replicates the determination, specifies that COVIDSafe data can be collected, used and disclosed by a person “employed by, or in the service of a state or territory health authority” for the purposes of COVID-19 contact tracing.  

The Digital Transformation Agency can also collect, use and disclose data, though this is limited to maintaining the “proper functioning, integrity or security” of the app and National COVIDSafe data store, and producing de-identified statistical information about registrations.

Anyone who collects, uses or discloses app data outside of these designated purposes or uploads data to the National COVIDSafe data store, including individuals located outside of Australia, faces five years' imprisonment or a $63,000 fine.

The same penalty will also be imposed on anyone - bar state or territory health officials - that discloses COVIDSafe data to persons outside Australia or retains COVIDSafe data on a database outside of Australia.

A penalty of five years imprisonment will also apply to anyone who decrypts encrypted COVIDSafe app data stored on a mobile device.

As outlined in the interim determination, it is also illegal to coerce someone into downloading and using COVIDSafe, including as part of an employment contract or to gain access to “premises that the other person has a right to enter”.

Deletion and the end of COVID-19

As the data store administrator, the DTA is required to “take all reasonable steps to ensure that COVID app data is not retained on a mobile … device” for more than 21 days.

Registration data uploaded to the National COVIDSafe data store must also be deleted “as soon as practicable” when requested by a user or, if a user is unable, their parent or guardian.

However, there is no requirement for the DTA to delete de-identified data relating to a person that was “collected through interactions with other devices” or “uploaded from another … device”.

Any data that is received in error must be deleted as soon as practicable, with the person who received it to “notify the data store administrator” that the data was received. 

The bill provides that the health minister will determine when the COVIDSafe data retention period ends, taking into account the app’s effectiveness in preventing or controlling spread.

When this determination is made, the DTA must stop collecting any COVID app data and “delete all COVID app data from the national COVIDSafe data store”.

The DTA is then required to “take all reasonable steps to inform all [current] COVIDSafe users” that the deletion has occurred and that no data will be collected in the future.

Porter said the draft bill “will enshrine these protections in primary legislation and gives Australians the confidence to download COVIDSafe, continue the fight against COVID-19 and get our nation back to business as usual”.

“As the final step of our triple-lock privacy protections, this draft bill will build upon the biosecurity determination and agreements with the state and territories to comprehensively guarantee that Australians’ data is in safe hands when they download and use COVIDSafe,” he said.

“The draft bill clarifies the enforcement mechanisms for the penalties that are already in place against misuse of data from the COVIDSafe app.

“Criminal offences under the bill can be investigated by the Australian Federal Police. Individuals can also have their complaints heard by the Office of the Australian Information Commissioner or the relevant state or territory privacy regulator if appropriate.”