Part of a ZDNet Special Feature: Coronavirus: Business and technology in a pandemic

COVIDSafe legislation introduces AU$63,000 fine for data misuse

Serious offences can incur five years' jail time and a AU$63,000 penalty. Making the app mandatory is also blocked.

The federal government has introduced the legislation surrounding its coronavirus contact tracing mobile app, COVIDSafe, setting out a tonne of penalties for the collection and misuse of data collected by the initiative.

In addition to the protections provided by the Biosecurity Determination, the Privacy Amendment (Public Health Contact Information) Bill 2020 supports the COVIDSafe app, and according to Attorney-General Christian Porter, provides strong ongoing privacy protections.

The legislation [PDF] introduces serious offences relating to COVIDSafe app data, covering the non-permitted collection, use, or disclosure of the data; the uploading of app data without consent; retaining or disclosing uploaded data outside Australia; decrypting the encrypted app data; and requiring COVIDSafe participation.

Each offence can result in imprisonment for five years or 300 penalty units (at AU$210 per unit), or both.

The collection, use, or disclosure of COVIDSafe data is permitted if the person is employed by, or in the service of, a state or territory health authority, and the data is to be used only to the extent required for the purpose of undertaking contact tracing. It is also permitted if the person is an officer, employee, or contractor of the data store administrator and they are performing the same duties, as well as if they are charged with ensuring the proper functioning, integrity, or security of COVIDSafe or of the National COVIDSafe Data Store.

In the case of a collection or disclosure of COVID app data, it is also permitted if it is for the purpose of transferring encrypted data between mobile devices through COVIDSafe, or transferring encrypted data through COVIDSafe from a device to the National COVIDSafe Data Store.

The data can also be accessed to prosecute a person for an offence against the legislation.

The Bill also allows for the data store administrator to access the data to determine how many users it has.

A person commits an offence if they upload, or cause to be uploaded, data from a mobile device to the National COVIDSafe Data Store if consent to the upload has not been given by the user or their parent, guardian, or carer.

A person also commits an offence if they retain COVIDSafe data on a database outside Australia. It is also considered an offence if a person discloses data to another person outside Australia.

Decrypting data is also prohibited.

In a bid to build trust from Australians, it is also considered an offence to require an individual to download COVIDSafe or have the app in operation, or to force someone to consent to uploading COVID app data.

The legislation also blocks the ability for businesses to force employees or visitors to use COVIDSafe.

A person commits an offence if they refuse to enter into, or continue, a contract or arrangement with another person, including a contract of employment, due to a party not using the app, or if they terminate employment for not using the app.

It is also an offence to refuse a person entry to a public space, or access to a service, on the grounds that they are not using COVIDSafe.

COVID app data is not to be retained after 21 days and data cannot be collected if the user has deleted the app.

A person who receives COVID app data in error must, as soon as practicable, delete the data and notify the data store administrator.

All data must be deleted from the National Data Store when the pandemic is over.

"The draft Bill I have released today will enshrine these protections in primary legislation and gives Australians confidence to download COVIDSafe, continue the fight against COVID-19 and get our nation back to business as usual," Porter said.

"As the final step of our 'triple lock' of privacy protections, this draft Bill will build upon the Biosecurity Determination and agreements with the States and Territories to comprehensively guarantee that Australians' data is in safe hands when they download and use COVIDSafe."

As of Monday night, there had been over 4 million COVIDSafe registrations.

At the time of writing, the World Health Organization reported that there have been over 3.5 million confirmed cases, with over 250,000 fatalities as a result of the virus. Australia is still reporting around 6,800 cases and 95 deaths.

More than 650,000 tests have been conducted across Australia.