QR codes

As Australia continues its emergence out of the COVID-19 lockdown and towards a ‘new normal’, there is one thing we’re all becoming very familiar with.

QR codes.

QR codes have become commonplace across the country in recent months as we search for effective contact tracing solutions, and their use will only increase as Victoria continues to reopen after the state’s prolonged shutdown. NSW made QR codes for hospitality businesses compulsory in November last year.

It’s a movement that has been described as the revival of the QR code (Quick Response code), a technology which has been used intermittently (and often without much lasting success) for the best part of the last decade. 

The way in which this venue data can be used to contact trace individuals who might have been exposed to COVID-19 is an example of how data can be used to solve real-world problems.

What data is being collected? 

But what actually happens after you scan the black and white QR code and get the ‘green tick’ for entry to these venues?

More often than not, the business will securely store the data and only hand it over to government authorities if there is the need to alert customers of potential exposure to an active COVID-19 case.

As we know, the venues typically ask for basic contact information – and personally identifiable data – including mobile number, email, name and time of visit.

While this data collection is obvious to patrons at these venues, the QR codes being used are also collecting data ‘behind the scenes’. According to the privacy policy of myguestlist (an app that is used to power QR code check-ins), “behaviour and usage” data including browsing patterns and click streams are collected. Technical ID data, including IP addresses and browser type, is also collected. The privacy policy also stipulates that this data is “only used if required for rapid contact tracing”.

The way this data is stored will also vary, depending on the business. For example, the Service NSW app – which has been downloaded over 3 million times – will only retain customer information for 28 days (which is also the minimum amount of time NSW venues must store this data) and stores all data in a separate, encrypted database.

Privacy vs privacy risk

Much of the data collected through these customer check-ins – particularly all health information – is also protected under the Privacy Act. For businesses bound by the Privacy Act, all health information must only be collected with the consent of the individual.

The Privacy Act also stipulates that a business cannot assume that, just because it has to collect contact details as part of a COVID Safe Plan, it can use this personal information for other purposes, such as marketing.

Despite these protections, the revival of QR codes has still seen concerns raised by various privacy advocates. UNSW professor of law Graham Greenleaf said the data collected by these QR codes – which includes full name, email, phone number, date and time of entry – is “solid gold” for data aggregators.

The commercial use of QR codes shows that privacy risks are always present. There is always a chance – albeit a small one – that this data could end up in the wrong hands and user privacy will be compromised.

For most users, however, the risk associated with using these QR codes is outweighed by the upside – the opportunity to eat, drink and socialise.

The fact is, in a digitally connected society, privacy risks are unavoidable. The best thing we can do is minimise these risks through strong data protection frameworks, greater consumer awareness of data ownership and an ethical approach to data sharing.

Use of QR codes going forward? 

So are QR codes back for good? We are already seeing the technology being used more widely in marketing campaigns and ecommerce. Given smartphones no longer require users to download an app to scan QR codes (as they used to), it is more than likely the hype will continue.

However, in order to ensure the technology is scaled in a privacy-focused way, developers will have to include transparency controls to show exactly what data is being collected. One possible solution here could be the use of data labels, which have emerged in recent times as a way to show exactly what data is contained within audience data segments.

At smrtr, we work to ensure we are compliant with all privacy regulations and help our partners create ethical and privacy-focused data strategies.

To find out more about smrtr contact us and we’ll be in touch within the next business day.

By Steve Millward, General Manager – Commercial at smrtr