OAIC releases draft QR code guidelines to address concerns of privacy, security

A QR code check-in system is used to view a cafe menu. Picture: Matt Loxton

The year 2020 has been full of surprises and one of those has been the recent rise of QR codes to manage COVID-19 restrictions.

But lax rules around how the data is captured and used have raised privacy concerns and the country's privacy watchdog is looking to fix that.

The Office of the Australian Information Commissioner (OAIC) has released draft guidelines for how providers should capture and store the data collected when patrons use a QR code check-in system.

The draft guidelines, which are open for consultation until the first week of December, suggest personal information collected under the check-in system should only be used for contact tracing purposes, should be stored securely and should be deleted after 30 days.

Commissioner Angelene Falk said it was important these guidelines were followed in order to maintain trust among the public.

"Protecting personal information is central to maintaining public trust and promoting compliance with health orders and contact tracing processes," Ms Falk said.

"It is important then that only the minimum amount of personal information necessary for contact tracing is collected, limited to contact tracing purposes, kept secure and permanently deleted."

While QR codes are more widely used than the federal government contact tracing app, COVIDSafe, concerns have been raised over whether the private providers offering restaurants and cafes the service are selling off that data to third parties.

Most small businesses with an annual turnover of less than $3 million are not covered under the Privacy Act. This limits the privacy watchdog's power to investigate and determine an outcome if the act is breached.

Ms Falk said it was important to address the different state and territory requirements across the country regarding check-ins and to make sure businesses were complying with privacy laws where possible.

"From my perspective there are two main areas to address: harmonising the different state and territory requirements for the collection of information from venues, and ensuring that those businesses providing digital check-in services are covered by and are complying with the Privacy Act, so that the public's rights are protected," Ms Falk said.

"Achieving this will help promote and maintain confidence in the system, so that people are sharing the accurate personal information that's needed for contact tracing. It will also support businesses and venues to develop solutions that meet the requirements across jurisdictions."

The OAIC is now looking for external input on the draft guidelines, which used COVIDSafe agreements as a basis for privacy requirements.

"We are seeking feedback on the draft guidelines from Chief Medical Officers and Chief Health Officers, health departments, digital check-in providers, businesses and venues, and the community, so we can continue to effectively contain COVID-19 and make the most of the tools at our disposal while protecting privacy," Ms Falk said.

The consultation period for comments will close on December 4.

This story QR code concerns: Call for businesses to comply with guidelines first appeared on The Canberra Times.