What Happens to Your Check-in Data After You Scan the QR Code?

What Happens to Your Check-in Data After You Scan the QR Code?
Image: Service NSW

New South Wales has hit its 70 per cent double-dose vaccination target, so that means from Monday, residents in the state will have life return to somewhat normal. We can go to the gym or the pub, sit down for a meal and even enter someone else’s home. But there are a few things that are going to be different to the normal we knew back in 2019, one of which is providing your data to contact tracers by checking in to venues using a QR code and the Service NSW app.

But this isn’t new, we’ve been scanning QR codes and entering our data for a year now.

In an effort to establish better contact tracing, the NSW government set up QR code check-ins via the Service NSW app back in August 2020. It then made them mandatory in all venues across the state, rolling the directive out from late November.

When a business or organisation registers as COVID Safe, they’re given a unique QR code to display.

There have now been more than 835 million check-ins since the system launched and almost seven million unique customers checking in at least once. Good effort, NSW.

But what if you don’t have a smartphone?

Good question (and this answer also applies when the app is down).

There are a number of check-in options, including a COVID-19 check-in card, which is a hard-copy card with a unique QR code that contains your registered data, such as contact info.

But, if you can’t scan the QR code or there is an outage, the business can gather customer data using the Service NSW business online form or collect your deets by other means. This could be a piece of paper or a more modern Excel spreadsheet.

After collecting the visitor’s contact details, the business must electronically record the details within 12 hours.

So what happens to your QR code data after check-in?

Service NSW tells us that customer information is securely stored in a Service NSW database for the purpose of contact tracing by NSW Health. The agency’s spokesperson didn’t want to tell me where it’s stored, or with what provider, but they want you to know it’s secure.

Check-in information is not shared with any third parties and is deleted after 28 days, they said.

What about that piece of paper or Excel doc?

Well, under the Public Health Orders, businesses are required to “take reasonable steps” to make sure everyone checks in somehow. They’re also required to destroy paper copies of check-in info and completely delete any Excel docs containing personal data at the 28-day mark.

The state government has responsibility to destroy the Service NSW data (be that info collected via the app or its webform) within 28 days, but a venue collecting info in another fashion has the responsibility to make sure it’s destroyed.

Service NSW did not provide an answer to Gizmodo Australia’s question asking how they confirm a business is correctly destroying the information.

Best use the app if you can, folks. And stay safe out there.