AFP, Vic Police and Illion requested Victorian QR code data

The Australian Federal Police (AFP), Victoria Police and credit checking firm Illion requested QR code check-in data from the Victorian Health Department, according to documents released to iTnews through a Freedom of Information (FoI) request.

The Health Department rejected the police and the data analytics firm’s requests, but it is unclear if some were obtained through warrants.

A Department of Health spokesperson said no QR code data had been provided to law enforcement or private companies.

“QR code data is only used in the event of an outbreak to help contact tracers quickly identify any close contacts and prevent further transmission," the spokesperson said.

It was revealed in June that Victoria Police made three unsuccessful attempts to access QR code data in December 2020: two requests to the Department of Health and one to Services Victoria.

iTnews can now reveal a number of additional attempts to access the check-in data.

The AFP made a request to the Department of Health “seeking detail on person of interest”, on June 24, 2021.

An AFP spokesperson said it had “not applied for a warrant or subpoena to obtain Covid-19 contract tracing data."

iTnews understands that the informal request may have been either a hypothetical enquiry about what they would need to do to acquire the data, or what would be required to get details on a specific person of interest to investigators.

Illion, a data firm best known for running credit checks, made a “request via DPC [Department of Premier and Cabinet] for business name, industry and address to cross‐reference their data on actively trading businesses in Victoria,” on May 20 this year. A spokesperson for the company declined to comment.

Victoria Police made a request to know "who checked into Shell Coles Express Mildura 2035". A spokesperson would not confirm if a warrant for this data was made, or why they needed it.

Check-in data access laws

The Victorian government hasn't followed other jurisdictions such as Western Australia in passing laws banning the police from making requests to access the data.

The WA legislation came in response to police successfully accessing QR code data twice to assist criminal investigations.

In Victoria, police can still request the data through applying for a warrant. However, a pandemic management bill, which gained royal assent on December 7, has narrowed the circumstances in which access can be granted. 

“Our new pandemic laws ... enshrine a person’s right to privacy with the new framework making it an offence to use information obtained through contact tracing for non-public health purposes,” a government spokesperson said.

Section 165CD of the pandemic bill [pdf] permits disclosures of contact-tracing data “for the purpose of addressing an imminent threat to life, health, safety or welfare" or for certain investigations, such as illegal use or disclosure of contact-tracing data and other information.

“It would then be incumbent on the court, on the judge...to consider and take into account the balancing of the human rights aspect or the necessity and the justification [of the request]”, Victoria Police commissioner Shane Patton told a parliamentary inquiry in June.

The Office of the Australian Information Commissioner released non-binding guidelines for states’ check-in data management in September warning against allowing QR Code data being used for reasons other than contact-tracing.

“Health orders that expressly prohibit access to contact tracing data for law enforcement purposes protect personal information and increase community trust and confidence in using QR codes," the OAIC wrote.

Public confidence undermined

Gregor Husper, principal lawyer at the Police Accountability Project, run out of Flemington & Kensington Community Legal Centre, said that attempts by police to access QR codes is a further example of police overreach and intrusion in response to the Covid public health crisis.

“Over-policing of Covid has already caused very real distrust and fear of police in affected communities," Husper said.

"Police should not use individual QR code compliance as a means of surveillance.

"To do so undermines confidence in the health system, and highlights Australia’s failure as the only democracy in the world without a human rights charter or bill of rights.”

Electronic Frontiers Association Australia chair Justin Warren said the "threat that police might access [check-in] data undermines people's willingness to give up their privacy to help with the public health effort."

"No enforcement agency should have access to contact tracing data under any circumstances," Warren told iTnews.

"Police have demonstrated on numerous occasions that they cannot be trusted to stay away from this data unless they are forced to, so that is what we must do."

Warren added that a "private firm like Illion has no business being anywhere near this data."

"It is well past time governments listened to people's demands for greater privacy protections and passed robust privacy laws that protect us from having our private information bought and sold," he said.