Australia: A Poor Model for QR Data ‘Attendance Tracking’

Digital Asia Hub series ‘When The Music’s Over’, 6 January 2021

UNSW Law Research

5 Pages Posted: 4 Feb 2021

See all articles by Graham Greenleaf

Graham Greenleaf

University of New South Wales, Faculty of Law

Date Written: December 12, 2020


In Australia, two main technologies have been used for COVID-19 contact tracing: a Bluetooth-based proximity tracking app; and QR Codes to assist tracking of those attending venues or events. They take radically different approaches to the protection of privacy, including that the first is voluntary, the second is (in effect) compulsory. Effective contact tracing is one of the highest priorities for countries like Australia that have had good success to date in limiting the number of COVID-19 infections and resulting deaths. Few jurisdictions appear to have utilised QR Codes for attendance tracking in a way similar to the compulsion used in Australia.

This article is about the risks to privacy, to public trust, and to effective contact tracing, if QR Codes are implemented without sufficient privacy protections. It contrasts protections given to the app, and recommends that a similar approach be taken to QR Code data.

The protections against misuse of the COVIDSafe app included in ‘COVIDSafe Act’, a new Part VIIIA of the federal Privacy Act 1988, are first discussed. The use of QR Codes in all eight States and Territories to facilitate this contact tracing by requiring venues/events to keep records of attendees, by use of QR Codes or other electronic means is then set out. QR Code data is dangerous in two different ways: ID data; and location/attendance data. These are explained, differentiating the dangers of provision by private sector providers and government providers. The need for legislative protections against misuse of QR Codes is then detailed, based largely on protections in the COVIDSafe Act.

The article concludes that a new form of location surveillance, ‘attendance tracking’ has developed in Australia, with few parallels elsewhere. The current Australian systems pose many unnecessary and unacceptable dangers to data privacy. They can and should be remedied by legislation modelled on the strict data privacy protections in Australia’s COVIDSafe Act. Other jurisdictions considering introducing attendance tracking systems should take note of these dangers, and aim to avoid them occurring.

Keywords: Australia; data protection; privacy; QR Codes, attendance tracking, COVID-19

Suggested Citation

Greenleaf, Graham, Australia: A Poor Model for QR Data ‘Attendance Tracking’ (December 12, 2020). Digital Asia Hub series ‘When The Music’s Over’, 6 January 2021, UNSW Law Research, Available at SSRN:

Graham Greenleaf (Contact Author)

University of New South Wales, Faculty of Law ( email )

Sydney, New South Wales 2052
+61 2 9385 2233 (Phone)
+61 2 9385 1175 (Fax)


Do you have a job opening that you would like to promote on SSRN?

Paper statistics

Abstract Views
PlumX Metrics