Australia: A poor model for QR data ‘attendance tracking’

In Australia, two main technologies have been used for COVID-19 contact tracing: a Bluetooth-based proximity tracking app, and QR Codes to assist tracking of those attending venues or events. They take radically different approaches to the protection of privacy, including that the first is voluntary while the second is (in effect) compulsory. Effective contact tracing is one of the highest priorities for countries like Australia that have had good success to date in limiting the number of COVID-19 infections and resulting deaths. Few jurisdictions appear to have utilised QR Codes for attendance tracking in a way similar to the compulsion used in Australia.

This article is about the risks to privacy, to public trust, and to effective contact tracing, if QR Codes are implemented without sufficient privacy protections. It contrasts protections given to the app and recommends that a similar approach be taken to QR Code data.

The COVIDSafe Act makes the app ‘COVID-safe’
Facilitating contact tracing is the sole objective of the COVIDSafe app, developed by the Australian federal government (derived from a Singaporean model), and downloaded by approximately seven million Australians since its release at the end of April 2020. It is based on recognition and recording of contact between devices (phones, watches etc.) using Bluetooth signals.[1] Because it makes no records of a person’s location, either by geo-location or venue/event attendance, it is not location tracking. This makes it qualitatively different from the use of QR Codes.

The COVIDSafe app was followed two weeks later by the enactment of the ‘COVIDSafe Act’, a new Part VIIIA of the federal Privacy Act 1988. It made downloading and use of the app voluntary, made it illegal to attempt to coerce people to use it, and imposed very strict limits on what uses (essentially ‘contact tracing only’) could be made of ‘COVID app data’. The Act’s privacy protections are discussed later and detailed elsewhere.[2] No breaches of the Act are yet known.[3] Little effective use of the data collected by the app for contact tracing has yet been made by State or Territory health departments,[4] who are responsible for contact tracing in Australia’s federal system. Seventeen identifications of otherwise unknown contacts have been reported by NSW health authorities, but none from other States and Territories. In short, while the app may have been far less effective for contact tracing than expected, it was given the highest level of privacy protection yet seen in Australian law, and there is no evidence of the failure of that protection.

QR Code data collection is epidemic
From late March 2020 there were mandatory closures of most non-essential businesses, and social venues and events across Australia, varying between jurisdictions. By December 2020 almost everything has re-opened, Australia-wide, subject to social distancing and attendance limits. Re-opening has been accompanied by State and Territory government requirements that venues and events record the contact details of all attendees, so that if it subsequently transpires that a COVID-19 affected person attended the venue/event, all other persons attending at a sufficiently proximate time could be efficiently contacted. Justification for this otherwise unprecedented system of compulsory location tracking is that it is necessary for effective contact tracing of COVID-19.

QR Codes are being used in all eight States and Territories to facilitate this contact tracing by requiring venues/events to keep records of attendees, by use of QR Codes or other electronic means, sometimes allowing customers to opt for manual record-keeping. A very significant percentage of this record-keeping is by QR Codes, and electronic records are mandatory in some States. All governments are developing their own QR apps, sometimes as an added feature to a broader government services app (e.g. the ‘Service NSW’ app).  All still allow the use of apps by private sector QR Providers as an alternative to the ‘public sector’ app. There are a large number of private-sector QR Providers, both in-house for larger companies, and those provided by third parties, not all of which are based in Australia.

The range of businesses and agencies required to collect QR Code data is exceptionally broad, with significant variation between jurisdictions. In NSW, the 21 categories of venues include entertainment venues, hospitality venues (which include restaurants, pubs and casinos), function centres, indoor recreational facilities, public swimming pools, education facilities, and various sex-related venues. The Northern Territory adds attendance at a government agency, and ‘religious worship places’. Almost all members of the community will be required to periodically provide their details, and some people will need to do so multiple times in one day, resulting in millions of instances of attendance tracking per day. Identification data required to be collected varies between jurisdictions, as do deletion details (at best, after 28 days).

These QR Code systems have been established without any new protective legislation. When QR Code data is held by businesses (restaurants etc), or private sector QR Providers, it is regulated by the Privacy Act 1988 (Cth). When it is held by State or Territory government entities (museums, galleries or other agencies required to collect it; government app providers; or health agencies), those jurisdictions’ privacy laws apply (two States have none). Specific State or Territory COVID-19 regulations on businesses will also apply.

QR Code data is not safe
Australian State and Territory governments have mandated attendance tracking by use of QR Codes, but have not taken responsibility for the privacy consequences of doing so. QR Code data is dangerous in two different ways: ID data; and location/attendance data.

The combination of ID data collected (usually full name, phone and email) is excessive for the purpose, and is ‘gold standard’ data for anyone in the private sector compiling databases for personalised marketing, political purposes, or identity theft.

The location data of event/venue attendance may be very attractive to Police, ASIO, or other investigators, including to a wide range of government agencies, who may want to determine where a particular person was at a specific time (and the type of venue they attended), and who else was there at the same time. This information will sometimes allow inferences of very sensitive information (for example, attendance at medical premises, religious venues, sex-related venues or gambling-related venues). It may be collected many times daily for some people. Australia has never before had compulsory location surveillance with the capacity to create such intensive profiles of a person’s movements and activities, either by attendance tracking or by other types of location surveillance.

The sole justification for the mandatory collection of QR Code data is to assist COVID-19 contact tracing. However, the data collected is vulnerable to non-contact-tracing uses, because:

1.     Online forms from QR Providers may appear to require that individuals consent to uses other than contact tracing by the QR Provider or the business on whose behalf they act. Purported consent may be obtained by check-boxes about marketing appearing before the QR data can be submitted, or by a check box whereby the user agrees that they have ‘read and agreed to’ the Provider’s privacy policy.  The legality of such ‘consent’ is dubious, but the question is complex.[5] Merely being a breach of the Privacy Act may, in any event, be an inadequate deterrent.

2.     Such consents may even allow disclosure of the data overseas (under APP 6, Privacy Act, or intra-company transfers) to jurisdictions without data privacy laws (e.g., the USA).

3.     A person may disclose their details to numerous QR Providers in Australia, but a data breach at even one of them may open data to misuse, including ID theft.

4.     If a person’s data is abused, they might see the result (from intrusive marketing to ID theft), but they probably will not be able to pinpoint the cause, so any potential legal remedies will be useless.

5.     Government-provided QR Code apps may reduce some of these dangers, but they introduce a new problem which may be just as dangerous. If multiple QR Code uses are collected in one centralised government location, even if only for 28 days, then the value of the data to other government agencies, and consequently the privacy risk, will increase.

6.     In relation to both private QR Providers, and government QR Code apps, there are numerous exceptions in the Privacy Act 1988, and in State and Territory privacy laws,[6] by which Police, security agencies, lawyers in divorce proceedings, etc. can request and in many cases require disclosures from those holding QR Code data. No matter in whose hands it is held – venues or event organisers, private sector QR Providers, government QR providers, or government health agencies – QR Code data is susceptible to compulsory disclosure, and even discretionary voluntary disclosure, to a very wide range of entities, for purposes that have nothing to do with contact tracing.[7]

State and Territory governments, having created these various problems through the way in which they have outsourced a data collection task, for public benefit, now need to take responsibility for remedying the privacy problems they have created.

Legislation needed to create trust in QR Code use
If people suspect that their information may be misused for purposes other than contact tracing, compliance will be replaced with false names, false email addresses and false phone numbers. Long-term measures are needed, to assure Australians that they can use the QR Code systems for venue/event entry without fear of misuse of the data collected.

All States and Territories are providing a government-run QR Code app, and allowing private sector QR Providers to supply alternative apps. It is therefore probably too late to introduce a system with no data collection, such as New Zealand’s ‘digital diary’ system. Private sector provision involves risks to privacy because of multiple points at which security breaches (or other misuse) can occur. Public sector provision has the opposite problem: centralised collection of all QR data creates a ‘honey pot’ which is attractive both to unauthorised access, and to authorised access under exceptions to privacy legislation. The best answer may be the status quo of a mixed system of public and private QR providers. The strict conditions proposed below are likely to see many private QR Providers leave the market because it will involve more risk (and eliminate opportunities for marketing uses), leaving only in-house providers from large companies, and a few large third party providers. However, their continued operation will reduce the ‘honey pot’ dangers of government providers alone.

The necessary response is legislation which provides protections equivalent to those in the COVIDSafe Act, and mandates all protections that both private and government QR providers must adopt. The legislative goal should be: ‘This information is collected solely for contact tracing, and is prohibited from being used for anything else’.

Specific protections (with equivalent legislative protections in the COVIDSafe Act indicated) should include:

  1. No required collection of any data beyond the minimum necessary for contact tracing. This is: first name or alias; phone number or email address (but optional to provide both); times of entry and (if possible) exit.  This should only be required of one person in a party.
  2. Collection of QR data forbidden to be combined with collection for any other purposes.
  3. All access to and use of QR data forbidden, except for access and uses strictly necessary for contact tracing. It would be a serious offence to make any other use or disclosure of the data (s. 94D), including by QR Providers (private or public).
  4. Encryption of collected data, at least by QR Providers; and storage within Australia (s. 94F). Secure storage required by businesses and agencies.
  5. Deletion of all QR data after 28 days (s. 94K), unless Contact Tracers request extension.
  6. In addition to offences, a private right of action (s. 94R) under Commonwealth, State and Territory privacy laws, so that individuals can obtain compensation for any breaches of the legislation, including for any offences.
  7. Legislative provisions making any ‘function creep’ impossible except by explicit subsequent primary legislation (s. 94ZD).
  8. Periodic publication (at least every six months) required in each State and Territory, of the extent to which the use of QR data in contact tracing has resulted in successful tracing which would not otherwise have occurred.
  9. A ‘sunset clause’ (s. 94Y) when all QR data collection stops, to be assessed at least every 6 months by the chief health officers in each State or Territory, to be based on whether the QR Code system is necessary and proportionate to counter COVID-19. The underlying principle should be that surveillance systems should not be permanent.

The section numbers in parentheses make it clear that, on most important issues, the COVIDSafe Act already provides protections analogous to those needed in QR Code legislation. The only effective way to deal with the private sector is through an amendment to the federal Privacy Act (perhaps a new Part VIIIB). Where State and Territory governments provide their own apps, they will need to enact parallel protections in their own privacy legislation.

Australia: A poor model for QR data ‘attendance tracking’
A new form of location surveillance, ‘attendance tracking’ has developed in Australia, with few parallels elsewhere. The current Australian systems pose many unnecessary and unacceptable dangers to data privacy. They can and should be remedied by legislation modelled on the strict data privacy protections in Australia’s COVIDSafe Act. Other jurisdictions considering introducing attendance tracking systems should take note of these dangers, and aim to avoid them occurring.

Graham Greenleaf is a Professor of Law & Information Systems at UNSW Sydney.

This article was submitted on 11 December 2020 and is extracted from a longer paper which is available from my SSRN page. Thanks to Katharine Kemp, Nigel Waters and Anna Johnston for valuable comments, but all responsibility for content remains with the author.

[1] For an explanation, see G. Greenleaf, and K. Kemp, ‘Australia’s COVIDSafe Experiment, Phase III: Legislation for Trust in Contact Tracing’ (May 15, 2020) UNSW Law Research Series <https://ssrn.com/abstract=3601730>.
[2] Ibid.
[3] Privacy Commissioner (Australia) COVIDSafe Report May-November 2020 <http://oaic.gov.au/covidsafe-report-may-nov-2020>.
[4] This is due to a combined technical and organisational failure, resulting in uptake, confidence in and use of the app declining, and is not due to the COVIDSafe Act.
[5] See discussion in the longer version of this paper, and in Flight Centre Travel Group (Privacy) [2020] AICmr 67 (25 November 2020) <https://www.austlii.edu.au/au/cases/cth/AICmr/2020/57.html>.
[6] For example, the data held by the NSW government which is collected via the Service NSW app could be lawfully disclosed, at the discretion of Service NSW under twelve distinct provisions in the Privacy and Personal Information Protection Act 1998 (NSW). Justifications for discretionary disclosures include ‘law enforcement purposes’, tracing missing persons, ‘protection of the public revenue’, ‘to ASIO’, and to assist in answering correspondence from politicians. Disclosures are however mandatory where they fall under ‘as … required by subpoena or by search warrant or other statutory instrument’.
[7] For justification, see discussion in the longer version of this paper.

This was written exclusively for Digital Asia Hub as part of an on-going series ‘When The Music’s Over’ where we parse and reimagine the evolving post-COVID19 landscape. The series is in partnership with the Global Network of Internet & Society Centers and Konrad-Adenauer-Stiftung.  

For permission to republish or for interviews with the author please contact Dev Lewis

Graham Greenleaf

Professor of Law & Information Systems at UNSW Sydney
Graham Greenleaf AM is Professor of Law & Information Systems at UNSW Australia in Sydney, where he researches and teaches the relationships between information technology and law. He has been involved in privacy issues since the mid-1970s. His 2014 book, Asian Data Privacy Laws analyses data privacy laws in all 28 countries in Asia. He is Asia-Pacific Editor for Privacy Laws & Business International Report, and publishes regular surveys of the world’s privacy laws. He has completed numerous consultancy projects for the European Commission on data privacy in Asia-Pacific countries. He was an invited speaker at the ‘launch’ of the EU’s General Data Protection Regulation (GDPR) on 25 May 2018. He represents the Australian Privacy Foundation as an Observer on the Consultative Committee of data protection Convention 108.