Using a QR code for COVID-safe check-in to your business premises? Five tips for staying privacy safe, too
While the world waits for a vaccine, employers and organisations are focussed on their COVID-19 safe plans in an attempt to protect staff, customers and visitors from infection and to stop the spread of COVID-19. For the aged care sector, hard-hit hospitality sector and other COVID exposed businesses, this means collecting the required contact information from visitors and staff for the purposes of contact tracing. A number of other businesses not technically required under a direction or order to keep contact information are, in any event, using contactless check-in as part of their COVID risk management plan. As we have seen during this pandemic, it is often mobile technology that is used to help with data collection and contact-tracing. The latest example of this is the proliferation of the use of QR codes for contactless check-in.
A broad range of businesses have adopted QR codes (and a third-party mobile app or online service) for contactless check-in to premises and workplaces, particularly the health care sector and other businesses looking after vulnerable people. But for those businesses bound by the Privacy Act and considering using a QR code and third-party service for contactless check-in, there are important questions to ask first to make sure you comply with the Australian Privacy Principles.
QR codes and health information
A QR code is, effectively, a bar code that is read by a smartphone camera or QR reader app. Once scanned, the QR code takes the user to an online form (or an app installed on the user's phone) which records the date and time of the user's visit to the premises and, in most cases, the user is asked to provide their contact details and answer a questionnaire. The collected information is then used to identify a visitor or staff member that may have a connection to a COVID hot spot and, on request, disclosed to State health authorities for contact tracing purposes. For businesses required to collect contact information, the fields for the questionnaire will depend on the applicable government direction or order. For example, in Queensland the required information is limited to the date and duration of visit, name, phone number and email address.
But anyone who has been asked to scan a QR code for contactless check-in in response to COVID-19 will know that often the information requested is not limited to basic contact details. The questionnaire will often also ask for yes/no answers in response to the usual COVID Safe questions ("have you got a temperature", "have you been in contact with anyone diagnosed with COVID-19" and "have you recently travelled overseas"). In some cases, the questionnaire further extends to date of birth and other profiling information, and a direct marketing "opt-in", all under the guise of being for "COVID safe purposes".
It is important to remember that any information or opinion relating to the health of customers, visitors and staff is sensitive information under the Privacy Act and attracts additional privacy obligations and protections, compared to other personal information.
Generally, for businesses bound by the Privacy Act, this means that health information must only be collected with the consent of the individual and must be reasonably necessary for the business' functions or activities (although there are some important exceptions to this general rule). It is not correct to assume that because the business is required to collect contact details as part of a COVID Safe Plan (or otherwise under a government direction or order) that this is sufficient to comply with the business' obligations under the Privacy Act and that the questionnaire may be used to collect personal information for other purposes, such as direct marketing.
Five tips for privacy compliance
While businesses (and employers) have made many changes to information handling practices, working arrangements, systems and processes in response to COVID-19, this doesn’t need to come at the expense of privacy. We can both look after our staff, our businesses and community, and protect the personal information that we hold.
Before using a QR code (and app or third party service) for contactless check-in to your premises, ask yourself these questions:
Do I really need to collect this personal information?
When setting the questionnaire fields, ensure you are only collecting the personal information that you are required to collect under a government direction or order, or if you are not required to collect contact information under a direction or order, that you are only collecting personal information you need for the purposes of your functions and activities. The key point is to ensure that you are not over-collecting personal information. For example, there is no need for a restaurant to collect a diner's date of birth as part of the COVID-19 contactless check-in.
If you want to use check-in as a touch point to collect additional personal information, or use the collected personal information for a different purpose, such as direct marketing, then make sure this personal information is collected separately and in compliance with the Australian Privacy Principles (APPs). This will help with your spam compliance, too.
What happens to the data?
Businesses collecting personal information using a QR code and check-in app (or other software or service) will need to take reasonable steps to ensure that the personal information is stored securely. To do this, you will need to know where and how the data collected is stored. It is also important to ensure that only staff with a need to know this personal information have access to the portal or database used to store it and that the database has appropriate access permissions and controls. You should also consider storing this data separately from your CRM database and other databases, as this will assist you with ensuring the data is only used for the (limited) purpose and that you can more easily destroy this data once it is no longer needed (see Tip 5 below). You will also need to make sure that your data breach response plan includes the personal information collected through the QR code and check-in app (or services).
You will also need to know any proposed disclosures of the collected personal information:
- If you are collecting the personal information under a government direction or order for the purposes of contact tracing, then you should only disclose this information to the relevant government health authority when requested for contact tracing purposes. It should not be disclosed to any other person.
- If you are collecting the personal information for the purposes of limiting access to premises to those persons who do not present a risk of infection (for example, a doctor's surgery or aged care facility), then any disclosure will need to be strictly controlled and in accordance with your obligations under the APPs.
What information do you need to provide to persons scanning the QR code?
APP 5 requires a business to take reasonable steps to notify the individual of the collection of personal information and to provide certain information, at the time of collection or as soon as practicable after. Depending on the technical solution used for the QR code contactless check-in, the notice can be incorporated into the web-form or application and a link to the business' privacy policy included. Alternatively, you can display a collection notice at your premises.
The main information to be provided in the notice is details of the purpose of the collection (i.e. to assist with COVID-19 contact tracing), the consequences of not providing the personal information (i.e. potential denial of entry, depending on the venue) and whether the personal information will be disclosed to others.
Using a third party QR code app or service? Important things to check in the contract
We have seen good (and not so good) examples of the terms of service for QR code and contactless check-in apps and services. The key privacy clauses to ensure are included in any contract with your service provider are commitments to data security (including identification of server locations - i.e. offshore based and data hosting arrangements) and an obligation to return (or destroy) data collected through the app or service at an agreed frequency or at your direction. The service provider should not be permitted to use any of the data collected from your customers, visitors or staff through the app or service for its own purposes. Pay particular attention to any "data analytics" clauses, even if they refer to de-identified or aggregated data.
Due diligence is also an important part of selecting the right QR code service provider. Ideally, a privacy impact assessment and vendor security assessment would be completed prior to contract.
Don’t set and forget
Once you have collected personal information as part of a COVID contactless check-in process, you will have continuing obligations under the Privacy Act.
A key obligation to remember is under APP 11.2, which requires businesses to take reasonable steps to destroy personal information, or ensure that it is de-identified, once it is no longer needed for the purpose for which it may be used or disclosed.
Regularly review the data you collect using a QR code service and ensure you have a clear (and enforced) data retention policy in place. For personal information collected using the QR code for contact tracing purposes, this means the data should be destroyed after the period specified in the applicable government direction or order (for example, in Queensland this is after 56 days). For businesses not subject to a direction or order (but bound by the Privacy Act), a reasonable period is about 30 days. Any privacy impact assessments should also be kept up-to-date (or conducted if not already).
Dealing with personal information in this manner will also act as a measure to prevent the "mixing" or "blending" of personal information collected for COVID purposes with other personal information holdings of the organisation. A failure to keep these types of information holdings separate could give rise to a range of compliance risks under the APPs, and rectifying that risk by separating these personal information holdings is operationally and practically difficult to implement.
Further government guidance on check-in and contact-tracing
The Office of the Australian Information Commissioner (OAIC) published guidance for businesses collecting personal information for contact-tracing purposes earlier this year. You can access this guidance here. The OAIC also published clear guidance for organisations and agencies bound by the Privacy Act on how to properly collect health information from staff in response to COVID-19.
Most State Governments have also published information and guidance on the use of QR codes for check-in and contact tracing, including Queensland and New South Wales.