Checking in on our Privacy: Australian Police using QR Check-In Data to Solve Crime

COVID QR Check-In systems in Australia don’t seem to be going anywhere anytime soon. With high case numbers in states like Victoria and NSW, they will continue to play an integral role in contact tracing to minimise the spread of COVID-19. Contact tracing apps have been available across the country since last year, with each State having their own COVIDSafe apps and tracking systems.

Over the course of the pandemic, Australians have been checking in to venues to do their part in keeping the community safe and complying with health orders, but in doing so, have we put our privacy on the line for other covert uses? On multiple occasions, the information we were assured would only be shared with health authorities has in fact been used by Police for purposes other than COVID-19 tracing.

So far, State police have been provided QR check-in data on at least 6 occasions for criminal investigations.

For example, when the SafeWA contact tracing app was made compulsory by Premier Mark McGowan last December, he promised that personal data would only be used by health authorities. However, WA Police accessed QR check-in data, not once, but twice, for two high-profile criminal cases. Thankfully, the WA Government has since passed a law mandating the data from the SafeWA app to only be used for contact tracing, after WA Police refused to agree to stop using it for other purposes.

Similarly, Queensland Police have used QR code check-in data when investigating the theft of a Police pistol and taser. After the Police had success with the data they obtained, successfully retrieving the Police pistol (the taser is still at large), they admitted they will continue to access such data and will only seek pre-approval from a Court (i.e. a search warrant) in “exceptional circumstances”, whatever that means.

Some states have been better in managing would-be privacy breaches. In Victoria, for example, the Government rejected three formal requests for access to QR check-in data from Victorian Police. They did, however, indicate they would comply with any Court warrants to be issued. Service NSW have confirmed that data from check-ins would only be used for contact tracing and is destroyed after 28 days, and NSW police have asserted at least that such data has not been accessed or used for any other purpose.

South Australian Police are not known to have accessed any data from the mySA GOV app either, and it’s nice to see that the app’s privacy disclaimer affirms that check-in information is to be used solely by SA Health for contact tracing purposes. Likewise, the Tasmanian Police are not known to have used the data from the Check-In TAS App, although their Department of Health did say that it would “comply with legal obligations”. Similarly, The Territory Check-In app’s privacy statement states that the data collected will only be used for contact tracing, technical support and given to third parties “as authorised or required by law”, which may indicate compliance with the police. Lastly, the ACT check-in will only be used for contact tracing purposes and in response to legal requests like a Court order.

Essentially, what we are hearing is ‘your COVID QR check-in data is kept private until it’s not’. The lack of clarity and substantiation of promises regarding our privacy is simply not good enough.

What is most concerning is that we still don’t have any information from Australian Federal Police on whether they have accessed any data from the States.

Cooperation and clarity regarding how COVID surveillance data is handled, to protect people’s privacy and maintain public trust in surveillance measures, is a MUST. There is currently no consistent, overarching law that governs these various measures – which range from QR Code check-ins to vaccine certificates.

Australia’s privacy watchdogs recently proposed vague and basic principles, which are inadequate in the face of modern technology. They don’t really address the complexity of data collection and mostly restate existing laws, so it seems like they’ll have little effect.

These principles are outlined below:

Data minimisation

The collection of personal information, including sensitive information such as health information, should always be limited to the minimum information reasonably necessary to achieve a legitimate purpose. This includes considering alternative solutions which achieve the same purpose and do not require personal information to be collected into a record.

Purpose limitation

Information that is required to be collected for a specific purpose related to mitigating the risks of COVID-19 should generally not be used for other purposes. This is particularly important to ensure that Australians can have trust and confidence that their personal information is protected so they can continue to support the public health response to COVID-19.


Security

Reasonable steps must be taken to protect Australians’ personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure. In line with community expectations, personal information should be stored in Australia.


Retention/deletion

Personal information should be destroyed once it is no longer needed for the purpose for which it was collected. The Australian community expects that the information they provide to support the COVID-19 public health response will not be retained indefinitely and should be deleted as soon as it is no longer needed.

Regulation under privacy law

Australians’ personal information should be protected by an enforceable privacy law to ensure that individuals have redress if their information is mishandled, either the Privacy Act 1988 (Cth)[1] or a state or territory privacy law. This extends rights and protections to all Australians where their information is being shared for public health purposes. 

While we are all for protecting the community, this needs to be balanced and weighed against the individual’s privacy and autonomy, and we need to be able to trust the promises of Government, and that law enforcement itself is not breaking the law. The rule of law must apply equally to all.

Let us know what you think of the laws and regulations around check in data and how you feel about such information being used in criminal investigations.

