Federal Government Agency Issues Warning About QR Codes

Information on this page was reviewed by a specialist defence lawyer before being published.

Quick Response (QR) codes have become ingrained into our everyday lives.

They were introduced across New South Wales in 2020 as part of the State Government’s response to Covid-19, offering a simple, effective way for businesses to collect information from patrons and for health authorities to conduct tracing easily.

In November 2020, digital collection of patron data became mandatory for most NSW businesses including cafes, pubs, function centres, amusement centres and entertainment venues. Because data must be collected digitally (not via pen and paper), many of these venues began using QR codes.

But there are legitimate concerns about the use of QR codes, and here’s why.

Anyone can generate a QR code

QR codes are similar to barcodes. They contain information that can be read by the camera or another app on your smartphone, triggering your smartphone to perform an action such as visiting a website or opening an app, amongst other things.

The problem is that anyone can generate a QR code for free online, and businesses can then use these to link customers to online forms and databases to register their details.

Therefore, there is a legitimate risk that businesses could be collecting data that you might not otherwise consent to them having, or that your data could be sold to… who knows where.

In fact, the Federal Government’s Australian Signals Directorate has warned that:

“Scanning a QR code which directs you to a non-government website requesting your name, phone number and email address, could result in your personal contact information being used for marketing or criminal purposes”.

Where does your data go?

In New South Wales, businesses are being encouraged to use a specific QR code that links to the Services NSW app, where data is collected and stored, and then deleted after 28 days. The data can only be accessed by health professionals for the purposes of contact tracing.

If you’ve checked into a business that is not using the Services NSW app, and which has instead directed you to a website or another app, then you should be asking questions about where your data goes. It’s been reported that a significant number of eateries in Sydney are using HungryPanda’s check-in service, which defaults to the app’s standard terms and conditions. These allow the company to share customer details with “partners for marketing or promotions”.

Remember though, without checking in, you can be refused entry.

Security is never guaranteed

While there are reasonable security assurances around the Services NSW app, which is a government product, no system is completely infallible.

Last year, more than 50,000 Australian driver licence holders had their personal data uploaded to, and left exposed in, open cloud storage.

The licences were discovered by a Ukrainian security consultant who stumbled across the folder, which he said was both easily discoverable and easily downloadable from the Amazon cloud storage where it was found. It revealed personal information such as names, photos, dates of birth and addresses of drivers, which can be used together to create false identities and commit identity fraud.

It’s not clear how long the file was online, or who had access to it, but it was a timely reminder that no matter how good cyber security is, data is still vulnerable occasionally to an error leading to a security breach, malicious data fraud, or hackers.

A national approach is needed

The other problem with the QR code system as it currently stands is that it is not national. While most states have developed their own check-in systems, or are currently in the process of doing so, these don’t equate to a national approach.

Australian states and territories have different rules for what data is collected: Queensland requires businesses to keep the email address and mobile number of guests and staff for 56 days, while NSW only requires the phone or the email address for half that time. There are also inconsistencies around the types of venues required to collect data.

Mid-last year the Federal Government unveiled the COVIDSafe app, which promised an automated, centralised contact tracing service. In the weeks after its initial rollout there was a litany of problems, including: hoax messages accidentally sent to users, which the AFP was called in to investigate; a revelation from Victorian health authorities that they had stopped using the app for a period of time, even when the virus was hitting its peak; a period of time where the app incorrectly informed a handful of people they had ‘tested positive’; and compatibility problems with Apple smartphones.

What about the COVIDSafe app?

COVIDSafe is many times more sophisticated than any QR code check-in system, using a phone’s Bluetooth to continually trace a user’s exposure to other users. But it would seem, given the fact it has disappeared from headlines, that it could have been a multi-million dollar failure. Numbers suggest that it has been downloaded about seven million times, but it’s unclear how many of these downloads are active users.

Other nations, such as the UK and New Zealand, have developed national check-in systems using QR codes. For both systems, the information is stored locally on a person’s device and only accessed if the person tests positive to COVID-19.

In such a case, authorities issue a public health alert about that person’s movements, which other users can then, through the app, check against their own ‘diary’ of locations.

Under this decentralised model, authorities don’t have access to the sensitive personal data (unless a person tests positive).

While it is the data that health authorities rely on in order to minimise community transmission, ideally, Australia would have a national approach which would standardise what information is collected by QR code check-ins, how it is stored, and how it can be accessed by contact tracers.

What about privacy laws?

It’s also worth noting that in New South Wales, the Privacy and Personal Information Protection Act 1998 (PPIP Act) only applies to NSW public sector agencies, including local councils and universities.

The Health Records Information Privacy Act 2002 (HRIP Act) applies to:

  • NSW public sector agencies, including local councils and universities
  • Public and private sector health organisations – e.g. a private or public hospital or medical centre
  • Health service providers – e.g. your GP, dentist, therapist, physiotherapist, chiropractor, optometrist
  • A larger-sized business with a turnover of over $3 million that holds health information – e.g. an insurance company.

The NSW Information and Privacy Commission website states: “Organisations not covered by these laws (e.g. banks, real estate agents, shops or other private sector organisations) may be covered by the federal Privacy Act. Contact the Office of the Australian Privacy Commissioner on 1300 363 992 or visit their website – www.oaic.gov.au.”

However, Federal privacy laws, which are under review, currently only cover private entities if they have an annual turnover of $3 million or more, making many small businesses, bars, cafes and restaurants exempt.

Sonia Hickey

Sonia Hickey is a freelance writer, magazine journalist, and owner of 'Woman with Words'. She has a strong interest in social justice and is a member of the Sydney Criminal Lawyers® content team. Sonia is the winner of the Mondaq Thought Leadership Awards, Spring 2022.
