Out of App Record Keeping.

Issues relating to how Australian governments (Federal, State and Local) are endorsing or compelling citizens to record information outside the COVIDSafe application.

The Biosecurity Act received amendments that place legal constraints on how information is stored during COVID and, specifically, on its disposal. There is no such legislation in place to cover the same conditions of collection and disposal outside the COVIDSafe application context.

15th May 2020

  • Queensland relaxes lockdown constraints to enable restaurants, cafes, pubs, clubs, RSL clubs and hotels to open their doors for up to a maximum of 10 customers per venue. A detailed checklist is provided that any of the business types mentioned above must abide by before opening for trade (https://www.covid19.qld.gov.au/__data/assets/pdf_file/0020/127235/COVID-Safe-Checklist-RestCafes.pdf).

  • Queensland businesses are required to keep records of customers before trade commences; specifically, they are required to ask for the name, address and mobile phone number of a person at each table.

  • No current legislation beyond the Privacy Act 1988 provides any legal coverage as to what a business is required to do with the information gathered during the COVID outbreak, specifically with regard to the checklist.

  • Businesses are less likely to provide visible privacy terms and conditions before patrons enter the above business types; in particular, they are less likely to demonstrate to patrons how their information is likely to be used once requested.

  • Queensland's checklist has no relationship to the COVIDSafe application. Moreover, should a patron have the application installed, they are still required to give the same information again, despite that information already existing in the application's registration process (effectively reducing the value proposition of the COVIDSafe application).

  • The COVIDSafe application has had an amendment (https://www.legislation.gov.au/Details/F2020L00480) to the Biosecurity Act to provide specific coverage for the privacy and use of such data; however, it is also worth noting that this coverage is limited to the application only. Out-of-application record-keeping (using the same information as the COVIDSafe app) has no such coverage or legal constraints, effectively ensuring that duplicated data lives under two sets of legal constraints.

  • The Queensland checklist provides no legal recourse should a business choose to use the records outside the COVID period, particularly if a business were to use such information for marketing, statistical or other reasons.

  • No verification or validation of a customer's records is in place; specifically, if a customer were to provide fake information, there is no explicit legal action that could be taken against the said customer(s).

  • New Zealand has used a similar process by way of asking businesses to record customer information. Recently, a Subway worker was found to have abused the records of a female customer by using such records to stalk her (https://nakedsecurity.sophos.com/2020/05/14/woman-stalked-by-sandwich-server-via-her-covid-19-contact-tracing-info/).

  • It is unclear whether law enforcement may or may not compel a business to provide the information it has retained.

  • Businesses are requested to store customer information in a secure manner, but no specific governance or guidance is provided on what is considered reasonably secure (for example, handwritten records stored on a notepad, or an Excel spreadsheet of customer information on an open terminal).

Note: The Queensland Attorney-General and Minister for Justice / Shadow Minister(s) have been formally notified for a response to this set of issues.