Tens of thousands of small and medium Australian businesses that rushed to outsource the management of their COVID check-in obligations could find themselves snared in a looming data privacy calamity.
At stake are the personal details of millions of Australians who have visited cafes, restaurants and pubs or attended places of worship, wedding and funeral venues since rules designed to help manage the spread of the virus were introduced earlier this year.
These regulations, which operate in most states and territories, require customers and visitors to provide their name and contact details so that they can be traced in the event there’s a potential virus transmission risk.
However, many of these electronic check-ins are outsourced to registration platforms that are often owned by companies that deal in collecting data, some operating under opaque rules about how that information is stored and used.
Privacy and cybersecurity experts are warning that the lack of due diligence in vetting providers has left the system and the “gold standard” personal data it manages vulnerable to exploitation.
“Governments have made collection compulsory, without exercising supervision about how it is carried out,” said Graham Greenleaf, a professor of law and information systems at the University of New South Wales (UNSW).
The problem is set to be compounded as thousands more venues in Victoria open for business again after a strict three-month lockdown.
The kind of information being collected is a highly prized commodity with the data broking industry, giving users of that data direct access to a person’s inbox and their mobile handset.
And there are concerns that the data could potentially be resold, used for identity fraud or to track a person’s location and social groups, and employed in micro-targeted advertising for misinformation campaigns.
Justin Warren, from privacy and digital rights group Electronic Frontiers Australia (EFA), said while some appeared to be doing the right thing, he had also observed the hallmarks of a “marketing surveillance” operation.
He said the abundance of smaller companies collecting and storing the data had also created a “honeypot” for cyber criminals.
“We have a lot of people whose primary business is running a cafe, they’re not technical experts,” Mr Warren said.
“[These] conditions really lend to mistakes that people will regret later on. With privacy, once you’ve lost it, it’s kind of gone forever.”
While some venues offer patrons a pen and paper solution, the majority use a contactless technology based on scannable QR (quick response) codes.
The characteristic black squares are essentially a barcode: when one is scanned with a smartphone, its geometric patterns are converted into readable text, usually a website address.
The customer types their name and contact details into a form on the web page before submitting the details and receiving a confirmation, often displayed as a big green tick.
But the ABC found some companies did not have specific COVID privacy policies, as recommended by the federal privacy commissioner.
Other companies, such as UberEats rival HungryPanda, didn’t appear to make any distinctions between COVID-related data and information it harvested from customers pre-pandemic.
At least 50 Asian eateries in NSW, many located in Sydney’s CBD, using HungryPanda’s check-in service defaulted to the app’s standard terms and conditions.
Those policies allow the company to share customer details with “partners for marketing or promotions”.
Company spokeswoman Tina Sun said there was no intention to collect the COVID check-in data for purposes other than contact tracing.
“We can’t access the data because we didn’t want to take the risk,” she said.
Ms Sun said it was up to each business to manage their COVID data and said HungryPanda would again “remind the restaurants” about their privacy obligations.
There are no available figures around how many private entities are managing the digital check-in process, nor the volume of check-in data that has been generated.
The four companies willing to disclose their check-in figures — MyGuestList (MGL), BGL Corporate Solutions, NCH Software and ImpactData — have managed upwards of 28 million COVID registrations since the start of the pandemic.
MGL, which labels itself as “Australia’s Most Powerful Marketing Platform”, has stored over 20 million COVID check-ins across over 20,000 locations on its servers in Canada, with backups in the United States.
An MGL spokesperson said the data was only used for contact tracing and was protected under Canada’s more robust privacy laws.
NSW so far has the strictest compulsory registrations, with gyms, hospitality venues, funeral homes, and places of public worship all required to collect the names and phone numbers of all patrons.
But the NSW Government’s visitor registration feature that is integrated into the ServiceNSW app is not widely accepted and has only had 1.1 million check-ins since it launched in September.
In June, the NSW Government said businesses unable to record visitor details would be forbidden from reopening after the COVID lockdown and that non-compliance would be punished with heavy fines.
“Guidance” around how that data should be collected and stored was established around the same time by the federal privacy watchdog, the Office of the Australian Information Commissioner (OAIC).
It said customers must be clearly informed about what information was being collected, that it should be stored securely, that it should not be used for purposes other than contact tracing and it should be destroyed once it was no longer needed.
In Queensland, the retention period for the data is 56 days, while in other states it is 28 days.
An OAIC spokesperson said it had held regular consultations with business groups to advise about “best privacy practice” and how to incorporate privacy principles into the design of registration systems.
However, some companies were found to be falling short.
“Some of these applications are asking for a lot more information than they actually need to,” EFA’s Mr Warren said.
“The regulations are pretty prescriptive, so they say here in Victoria it’s just a first name and a contact number.
“But some of these applications are asking for a lot more information than that including things like last name, email address and other things they could use to potentially track you.”