In a sweeping amendment to the Privacy Act, the government will make it a criminal offence for people to access the data unless they do it for a state health agency for the purpose of contact tracing.
Federal officials said this would block access to all those outside the state health authorities, even to the point of blocking police and security agencies as well as commonwealth and state departments and individuals or companies.
The nation’s existing privacy authority, the Office of the Australian Information Commissioner, will have the power to hear complaints about privacy breaches and refer them to the Australian Federal Police.
Authorities would have to notify the commissioner of any data breach, and individuals would have the power to ask the federal government to delete any information about them held in the federal data store.
The bill will also make it an offence to hold the data on a database outside Australia, a key requirement following concerns that global company Amazon Web Services will manage some of the project.
Attorney-General Christian Porter took the draft bill to a Coalition backbench committee on Monday night to clear the way for a debate on the plan when Parliament meets next week.
With 4.5 million downloads so far, the government is almost halfway to its informal goal of getting 40 per cent of Australians to use the app and make it faster to trace any outbreaks of the virus.
Section 94D makes it a criminal offence to collect, use or disclose the data unless the person who does so is employed or in the service of a state or territory health authority and does so for the purpose of contact tracing.
The section appears to restrict access but a group of privacy advocates led by Malcolm Crompton, a former federal privacy commissioner, has called in recent days for stronger safeguards.
“The key missing link is that commonwealth law is highly unlikely to apply to state agencies,” Mr Crompton said before the public release of the draft bill.
“If the states thumb their noses at the commonwealth it just doesn’t work – because the states should have to pass their own laws.”
The app uses Bluetooth to record contact with other phones nearby and store this in an encrypted file on the user’s phone. If the user tests positive for COVID-19, they are asked to upload the information to a central data store so the state or territory health agencies can use it to trace contacts over the previous 21 days.
The app does not use GPS to track a person’s movement and the user can put in any name they like when setting it up.
Rather than having a “sunset clause” that specifies an end date, the draft bill gives state and territory medical officers, through the Australian Health Protection Principal Committee, the authority to advise the federal Health Minister on when the app and the bill are no longer needed.
The bill lapses 90 days after the minister acts on this advice.
David Crowe is chief political correspondent for The Sydney Morning Herald and The Age.