The Government's contact-tracing app COVIDSafe aims to help track down people who may have been exposed to COVID-19.

But like any smartphone app, it raises privacy and security questions — especially because data the platform collects will be used for potentially sensitive healthcare situations.

Downloading the app is voluntary but the Government has previously said 40 per cent of Australians — or 10 million people — need to take up the contact-tracing app for it to be a success (although they have not shared the modelling behind this number).

As of 6:00am, 1.13 million people had downloaded the app.

The Government hasn't yet released the app's source code and new legislation governing its use has yet to be shared. But that hasn't stopped researchers from digging into both the technical and legal implications of this unprecedented bit of software.

We're sure to find out more in the coming days, but let's take a look at what we know about the app for now, and where any issues may arise.

What data does the COVIDSafe app share and collect?

First things first: COVIDSafe does not collect your location.

When you sign up for the app, you will enter your name (it can be a pseudonym), age range, postcode and phone number.

This creates an encrypted code, which is then shared over Bluetooth with other COVIDSafe apps you come into close contact with.

These IDs are encrypted and stored on the app for 21 days before being deleted.

The app will also make a record of the date and time that digital "handshake" occurred, its duration and the proximity of contacts.

"My personal view is that the data that is being captured is suitably anonymised, suitably protected and access to it is reasonably restricted," said Paul Haskell-Dowland, associate dean for Computing and Security at Edith Cowan University.

"The opportunity for misuse is incredibly small."

But it's also sharing your phone make and model?

Robert Merkel, lecturer at Monash University's Clayton School of Information Technology, has taken a look at the app. (You can dig into some more analysis by Dr Merkel and colleagues here.)

In the Bluetooth messages that are sent to other phones, he found COVIDSafe also shares the phone's make and model.

This information about phone model appears to be sent unencrypted over Bluetooth, which means it could be intercepted and create a certain level of privacy risk if someone was determined to track you (for most people and in most contexts, he said, this is not a huge risk).

"The protocol transfers your phone make and model 'in the clear' to everyone," he said. "It doesn't have to be the official COVIDSafe app to receive it."

Singapore's app TraceTogether also collected this data, and unlike in Australia, it explained why in its terms of service.

"In order to measure distance, information about the phone models and signal strength recorded is also shared, since different phone models transmit at different power," it said.

Australia used code from Singapore's contact-tracing smart phone app TraceTogether to build its own app.

Is it safe to have Bluetooth on all the time?

Nothing digital is 100 per cent secure, and neither is Bluetooth.

This technology opens a channel for two devices to communicate — your phone and a wireless headset, or now, two phones with the COVIDSafe app.

But this communication can also allow vulnerabilities to creep in.

Often these issues are fixed in software updates, so before using COVIDSafe and turning on Bluetooth, Dr Merkel advised people to make sure their phones are using the latest operating system.

In general, the likelihood of Bluetooth attacks being used against random individuals is low, he suggested, but everyone who downloads the app will have to decide that risk for themselves.

Who can see my data if I'm diagnosed with COVID-19?

If you're diagnosed with COVID-19, health officials may ask you to upload 21 days' worth of the anonymised IDs your app has stored for contact tracing to a central server.

The people you've been in close contact with won't be told your name, but health officials may then call your close contacts and advise them to isolate or get tested.

On Sunday, Health Minister Greg Hunt shared a determination under the Biosecurity Act to protect people's privacy and restrict access to app information to state or territory health authorities only for the purpose of contact tracing.

But legal experts said that should be a stopgap only, as a "determination" can be amended or repealed at any time.

"Legislation would be better than a non-disallowable instrument; but it is better than no law at all," said Graham Greenleaf, professor of law and information systems at the University of New South Wales.

"Legislation should be enacted by Parliament as soon as possible."

The determination also bars law enforcement or other federal agencies from being able to access the app's information, but some questions remain about the strength of this prohibition.

Chief Medical Officer Brendan Murphy said today that the Federal Government had no access to any of the data.

"We have locked this down so completely, so thoroughly with the biosecurity bill and legislation that is coming," he said.

"This app will only ever be used by public health officials [for] the purposes of contact tracing."

In a statement, however, Law Council of Australia president Pauline Wright warned there was some potential legal ambiguity around whether laws authorising the law enforcement and intelligence warrants "could override" the determination's prohibition on access.

Minister Hunt has indicated legislation concerning COVIDSafe will be introduced in May when Parliament resumes.

COVIDSafe aims to assist with the process of identifying those who may have been exposed to COVID-19.

Who makes sure the app is used properly?

The Government has encouraged all Australians to download COVIDSafe, but according to the Law Council of Australia, the determination "makes no provision for oversight and reporting on its use".

There is no clear oversight of COVIDSafe, agreed Kimberlee Weatherall, technology law professor at the University of Sydney.

"So no mechanism by which we can see how it is used, or get reports on whether it is effective."

However, an individual with a complaint about their privacy could go to the Office of the Australian Information Commissioner.

When will the app be switched off?

While you can delete the app at any time, it's unclear when it will be officially switched off.

The Government says users will be prompted to delete the app from their phone "at the end of the Australian pandemic".

The data held on the central storage database will also be destroyed then, but it's unclear whether this will be mandated by the May legislation.

If you've had data uploaded from the app to the central server, you can also request that be deleted here.

Will my data be kept in Australia?

Last week, the ABC reported that data from the contact tracing app would be stored by the American technology giant, Amazon.

Mr Hunt's determination through the Biosecurity Act prohibits transferring data to any country other than Australia.

The Government was contacted for comment about the questions raised in this story but did not respond by deadline.