The Times Australia
The Times World News

.

Police access to COVID check-in data is an affront to our privacy. We need stronger and more consistent rules in place

  • Written by Graham Greenleaf, Professor of Law and Information Systems, UNSW

The Australian Information Commissioner this week called for a ban on police[1] accessing QR code check-in data, unless for COVID-19 contact tracing purposes.

State police have already accessed this data on at least six occasions for unrelated criminal investigations, including in Queensland and Western Australia — the latter of which has now banned this. Victorian police also attempted access at least three times, according to reports[2], but were unsuccessful.

The ACT is considering[3] a law preventing police from engaging in such activity, but the position is different in every state and territory.

We need cooperation and clarity regarding how COVID surveillance data is handled, to protect people’s privacy and maintain public trust in surveillance measures. There is currently no consistent, overarching law that governs these various measures — which range from QR code check-ins to vaccine certificates.

Read more: Australia has all but abandoned the COVIDSafe app in favour of QR codes (so make sure you check in)[4]

Last week the Office of the Australian Information Commissioner released a set of five national COVID-19 privacy principles[5] as a guide to “best practice” for governments and businesses handling personal COVID surveillance data.

But we believe these principles are vague and fail to address a range of issues, including whether or not police can access our data. We propose[6] more detailed and consistent laws to be enacted throughout Australia, covering all COVID surveillance.

Multiple surveillance tools are being used

There are multiple COVID surveillance tools currently in use in Australia.

Proximity tracking through the COVIDSafe app has been available since last year, aiming to identify individuals who have come into contact with an infected person. But despite costing millions[7] to develop, the app has reportedly disclosed[8] only 17 unique unknown cases.

Over the past year we’ve also seen widespread attendance tracking via QR codes, now required by every state and territory government. This is probably the most extensive surveillance operation Australia has ever seen, with millions of check-ins each week. Fake apps[9] have even emerged in an effort to bypass contact tracing.

In addition, COVID status certificates showing vaccination status are now available on MyGov (subject to problems of registration failure[10] and forgery[11]). They don’t yet display COVID test results or COVID recovery status (as they do in countries in the European Union).

It’s unclear exactly where Australian residents will need to show COVID status certificates, but this will likely include for travel between states or local government areas, attendance at events (such as sport events and funerals) and hospitality venues, and in some “no jab no job”[12] workplaces.

Police access to COVID check-in data is an affront to our privacy. We need stronger and more consistent rules in place As a possible substitute for hotel quarantine, South Australia is currently testing precise location tracking to enable home quarantine. This combines geolocation tracking of phones with facial recognition of the person answering the phone. Shutterstock

The proposed principles don’t go far enough

The vague privacy principles[13] proposed by Australia’s privacy watchdogs are completely inadequate in the face of this complexity. They are mostly “privacy 101” requirements of existing privacy laws.

Here they are summarised, with some weaknesses noted.

  1. Data minimisation. The personal information collected should be limited to the minimum necessary to achieve a legitimate purpose.

  2. Purpose limitation. Information collected to mitigate COVID-19 risks “should generally not be used for other purposes”. The term “generally” is undefined, and police are not specifically excluded.

  3. Security. “Reasonable steps” should be taken to protect this data. Data localisation (storing it in Australia) is mentioned in the principles, but data encryption is not.

  4. Data retention/deletion. The data should be deleted once no longer needed for the purpose for which it was collected. But there is no mention of a “sunset clause” requiring whole surveillance systems to also be dismantled when no longer needed.

  5. Regulation under privacy law. The data should be protected by “an enforceable privacy law to ensure individuals have redress if their information is mishandled”. The implied call for South Australia and Western Australia to enact privacy laws is welcome.

A proposal for detailed and consistent laws

Since COVID-19 surveillance requirements are justified as “emergency[14] measures[15]”, they also require emergency quality protections.

Last year, the federal COVIDSafe Act provided the strongest privacy protections[16] for any category of personal information collected in Australia. Although the app was a dud, the Act was not.

The EU has enacted thorough legislation for EU COVID digital certificates[17], which are being used across EU country borders. We can learn from this and establish principles that apply to all types of COVID surveillance in Australia. Here’s what we recommend:

  1. Legislation, not regulations, of “emergency quality”. Regulations can be changed at will by the responsible minister, whereas changes in legislation require parliamentary approval. Regarding COVID surveillance data, a separate act in each jurisdiction should state the main rules and there should be no exceptions to these — not even for police or ASIO.

  2. Prevent unjustifiable discrimination. This would include preventing discrimination against those who are unable to get vaccinated such as for health reasons, or those without access to digital technology such as mobile phones. In the EU, it’s free to obtain a paper certificate[18] and these must be accepted.

  3. Prohibit and penalise unauthorised use of data. Permitted uses of surveillance data should be limited, with no exceptions for police or intelligence. COVID status certificates may be abused by employers or venues that decide to grant certain rights privileges based on them, without authorisation by law.

  4. Give individuals the right to sue. If anyone breaches the acts we propose above for each state, individuals concerned should be able to sue in the courts for compensation for an interference with privacy.

  5. Prevent surveillance creep. The law should make it as difficult as possible for any extra uses of the data to be authorised, say for marketing or town planning.

  6. Minimise data collection. The minimum data necessary should be collected, and not collected with other data. If data is only needed for inspection, it should not be retained.

  7. Ongoing data deletion. Data must be deleted periodically once it is no longer needed for pandemic purposes. In the EU, COVID certificate data inspected for border crossings is not recorded or retained.

  8. A “sunset clause” for the whole system. Emergency measures should provide for their own termination. The law requires the COVIDSafe app to be terminated when it’s no longer required or effective, along with its data. A similar plan should be in place for QR-code data and COVID status certificates.

  9. Active supervision and reports. Privacy authorities should have clear obligations to report on COVID surveillance operations, and express views on termination of the system.

  10. Transparency. Overarching all of these principles should be requirements for transparency. This should include publicly releasing medical/epidemiological advice on necessary measures, open-source software in all cases of digital COVID surveillance, initial privacy impact assessments and sunset clause recommendations.

COVID-19 has necessitated the most pervasive surveillance most of us have ever experienced. But such surveillance is really only justifiable as an emergency measure. It must not become a permanent part of state surveillance.

Read more: Coronavirus: digital contact tracing doesn't have to sacrifice privacy[19]

References

  1. ^ called for a ban on police (www.smh.com.au)
  2. ^ reports (www.smh.com.au)
  3. ^ ACT is considering (www.legislation.act.gov.au)
  4. ^ Australia has all but abandoned the COVIDSafe app in favour of QR codes (so make sure you check in) (theconversation.com)
  5. ^ national COVID-19 privacy principles (www.oaic.gov.au)
  6. ^ We propose (papers.ssrn.com)
  7. ^ millions (www.abc.net.au)
  8. ^ reportedly disclosed (www.theguardian.com)
  9. ^ Fake apps (www.theguardian.com)
  10. ^ registration failure (www.theguardian.com)
  11. ^ forgery (www.theguardian.com)
  12. ^ “no jab no job” (www.smh.com.au)
  13. ^ privacy principles (www.oaic.gov.au)
  14. ^ emergency (www.health.gov.au)
  15. ^ measures (www.legislation.vic.gov.au)
  16. ^ COVIDSafe Act provided the strongest privacy protections (papers.ssrn.com)
  17. ^ EU COVID digital certificates (ec.europa.eu)
  18. ^ obtain a paper certificate (ec.europa.eu)
  19. ^ Coronavirus: digital contact tracing doesn't have to sacrifice privacy (theconversation.com)

Read more https://theconversation.com/police-access-to-covid-check-in-data-is-an-affront-to-our-privacy-we-need-stronger-and-more-consistent-rules-in-place-167360

Times Magazine

Headless CMS in Digital Twins and 3D Product Experiences

Image by freepik As the metaverse becomes more advanced and accessible, it's clear that multiple sectors will use digital twins and 3D product experiences to visualize, connect, and streamline efforts better. A digital twin is a virtual replica of ...

The Decline of Hyper-Casual: How Mid-Core Mobile Games Took Over in 2025

In recent years, the mobile gaming landscape has undergone a significant transformation, with mid-core mobile games emerging as the dominant force in app stores by 2025. This shift is underpinned by changing user habits and evolving monetization tr...

Understanding ITIL 4 and PRINCE2 Project Management Synergy

Key Highlights ITIL 4 focuses on IT service management, emphasising continual improvement and value creation through modern digital transformation approaches. PRINCE2 project management supports systematic planning and execution of projects wit...

What AI Adoption Means for the Future of Workplace Risk Management

Image by freepik As industrial operations become more complex and fast-paced, the risks faced by workers and employers alike continue to grow. Traditional safety models—reliant on manual oversight, reactive investigations, and standardised checklist...

From Beach Bops to Alpine Anthems: Your Sonos Survival Guide for a Long Weekend Escape

Alright, fellow adventurers and relaxation enthusiasts! So, you've packed your bags, charged your devices, and mentally prepared for that glorious King's Birthday long weekend. But hold on, are you really ready? Because a true long weekend warrior kn...

Effective Commercial Pest Control Solutions for a Safer Workplace

Keeping a workplace clean, safe, and free from pests is essential for maintaining productivity, protecting employee health, and upholding a company's reputation. Pests pose health risks, can cause structural damage, and can lead to serious legal an...

The Times Features

Prefab’s Second Life: Why Australia’s Backyard Boom Needs a Circular Makeover

The humble granny flat is being reimagined not just as a fix for housing shortages, but as a cornerstone of circular, factory-built architecture. But are our systems ready to s...

Melbourne’s Burglary Boom: Break-Ins Surge Nearly 25%

Victorian homeowners are being warned to act now, as rising break-ins and falling arrest rates paint a worrying picture for suburban safety. Melbourne residents are facing an ...

Exploring the Curriculum at a Modern Junior School in Melbourne

Key Highlights The curriculum at junior schools emphasises whole-person development, catering to children’s physical, emotional, and intellectual needs. It ensures early year...

Distressed by all the bad news? Here’s how to stay informed but still look after yourself

If you’re feeling like the news is particularly bad at the moment, you’re not alone. But many of us can’t look away – and don’t want to. Engaging with news can help us make ...

The Role of Your GP in Creating a Chronic Disease Management Plan That Works

Living with a long-term condition, whether that is diabetes, asthma, arthritis or heart disease, means making hundreds of small decisions every day. You plan your diet against m...

Troubleshooting Flickering Lights: A Comprehensive Guide for Homeowners

Image by rawpixel.com on Freepik Effectively addressing flickering lights in your home is more than just a matter of convenience; it's a pivotal aspect of both home safety and en...