Note: this is an opinion blog at a point in time. Readers are always advised to follow any official health or law enforcement advice which may change or be updated at any time.
The arrival of the highly contagious COVID Delta strain has put Queensland and Australia under further pressure of testing and contact tracing.
In our business of assisting with privacy and cyber security in healthcare operators e.g. Clinical Psychologists, we are often asked “Are we required or should we be using the Queensland COVID QR code check-in feature for contact tracing at our practice?”
For such a simple question, it requires quite a complex response. Why? Because State (Queensland) and Commonwealth (Federal) laws, regulations and guidance cross over and blur into each other, and these State and Federal laws are notorious for not working easily together. We will try to unpack this.
First of all, those in private practice are required to comply with the federal Australian Privacy Act 1988 and the associated Australian Privacy Principles.
Secondly, the Queensland COVID QR App is owned by the Queensland Government and is regulated and governed by the state privacy legislation, the Queensland Information Privacy Act 2009.
Where things get complicated is that Queensland State Government agencies and initiatives are exempt from complying with the federal Privacy Act, which leaves Queensland private practices squeezed in the middle.
So, what would all this mean in practical reality on a day-to-day basis for those in private practice in Queensland?
Practices need to follow all official directives from the Queensland Government including directions from the Queensland Chief Health Officer in using the Queensland COVID check-in app.
At the time of writing, there is no definitive direction for private health care practices to use the check-in app; however, some of the directions issued by the Chief Health Officer are vague enough that they could be interpreted as including private practices.
So this raises the question: what to do if it is vague? Well, the Queensland Coroner, when handing down his findings in the recent tragic Dreamworld inquest, made this great statement:
“It was agreed by the experts, and became obvious during the inquest hearing, that best practice for the TRRR was not followed by Dreamworld, particularly in relation to compliance with introduced Australian Standards designed to ensure the safety of devices. Whether these requirements are mandatory or not is largely irrelevant. Those Standards are the minimum practice that is required. It is the responsibility of those that own and operate high risk plant to ensure that the most up to date safety standards, risks and requirements known to the industry are considered and instituted if possible, to ensure the safety of staff
In our opinion, the use of the Queensland QR code check-in facility is definitely best practice for contact tracing in Queensland and should therefore be strongly considered for use regardless of whether it is mandatory or not. If a tragic incident were to occur involving a practice, there would undoubtedly be scrutiny of what that practice could or could not have done to avoid the incident.
Maintaining compliance with the Federal Australian Privacy Act. Australian Privacy Principles 3 and 6, which cover the collection and use of personal information, do not apply when the information is used in a permitted health situation. It could be argued that COVID compliance is one of those scenarios.
• A transparent declaration that the check-in app is used at their location.
• That the check-in app is optional; however, if it is not used, other means such as written contact tracing may be required.
• That the check-in app is hosted in Microsoft Azure (rated to ISO 27001) and has undergone security testing before being made available to the public.
• It could also be helpful to disclose that check-in data from the app is deleted after 56 days, which supports a practitioner’s duty to implement good data deletion policies under APP 11.2.
Additionally, for a practice to maintain good cyber security in compliance with Australian Privacy Principle 11, it is strongly recommended that good physical controls are maintained around any QR code posters. QR codes should be placed in areas that are easily visible and constantly monitored by staff. They should not be placed or left available in unsupervised areas, or in areas left overnight with unrestricted access. The reason for this is that fake or malicious QR codes can be stuck over the top of the real codes (much like a credit card skimmer), directing clients to a site the practice does not control and resulting in data loss. This vulnerability should not deter practitioners from using the COVID Check-in app; they simply should be aware of it and implement good practices and policies to limit the chance of it being taken advantage of.
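One practical control that complements the physical checks above is a recorded register of what each poster's QR code is supposed to contain, so that a staff member can scan each poster at opening time and compare the decoded link against the register. The script below is an added example for this blog, not code from the Queensland Government or from the check-in app: the register entries, the sample scans and the `checkin.example.gov.au` domain are constructed placeholders (the real check-in link is whatever the practice was issued), and the QR decoding itself is assumed to be done by a phone camera or scanner app whose text output is pasted in.

```python
from __future__ import annotations
from urllib.parse import urlsplit, parse_qsl

# Register of the genuine payload printed on each poster, recorded when the
# poster was first put up. Placeholder values constructed for this example.
EXPECTED_PAYLOADS: dict[str, str] = {
    "reception-desk": "https://checkin.example.gov.au/venue?code=ABC123",
    "waiting-room": "https://checkin.example.gov.au/venue?code=ABC123",
}

# Constructed sample of what a morning scan of each poster might decode to.
# The waiting-room code has been swapped for a lookalike host.
SAMPLE_SCANS: dict[str, str] = {
    "reception-desk": "https://checkin.example.gov.au/venue?code=ABC123",
    "waiting-room": "https://checkin.example.gov.au.lookalike.test/venue?code=ABC123",
}


def compare_qr_payload(decoded: str, expected: str) -> list[str]:
    """Return the differences between a scanned QR payload and the payload the
    poster was issued with. An empty list means the poster still matches."""
    findings: list[str] = []
    got, want = urlsplit(decoded.strip()), urlsplit(expected)

    # A genuine check-in link is served over TLS; anything else is suspect,
    # including a payload that is not a URL at all (empty scheme).
    if got.scheme.lower() != "https":
        findings.append(f"scheme is {got.scheme!r}, expected https")

    # .hostname is lower-cased and has any port stripped, so lookalike domains
    # and "real-domain.attacker" style suffix tricks both show up here.
    if got.hostname != want.hostname:
        findings.append(f"host {got.hostname!r} differs from {want.hostname!r}")

    if got.path.rstrip("/") != want.path.rstrip("/"):
        findings.append(f"path {got.path!r} differs from {want.path!r}")

    # Compare query parameters as a mapping so ordering alone is not a finding,
    # but an added, removed or changed venue code is.
    got_q = dict(parse_qsl(got.query, keep_blank_values=True))
    want_q = dict(parse_qsl(want.query, keep_blank_values=True))
    if got_q != want_q:
        findings.append(f"query {got_q!r} differs from {want_q!r}")

    return findings


def audit_posters(scans: dict[str, str]) -> dict[str, list[str]]:
    """Check every scanned poster against the register. Posters with no
    register entry are reported too, since an unregistered poster may not be
    one the practice put up."""
    report: dict[str, list[str]] = {}
    for location, payload in scans.items():
        expected = EXPECTED_PAYLOADS.get(location)
        if expected is None:
            report[location] = ["no register entry for this poster location"]
        else:
            report[location] = compare_qr_payload(payload, expected)
    return report


if __name__ == "__main__":
    for location, findings in audit_posters(SAMPLE_SCANS).items():
        status = "OK" if not findings else "CHECK POSTER"
        print(f"{location}: {status}")
        for f in findings:
            print(f"  - {f}")
```

Any poster that produces a finding should be taken down and compared against the original supplied by the check-in program before clients use it; the register is only useful if it is updated whenever a poster is legitimately replaced.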
The COVID challenges faced by all businesses, including those in private practice, are not always easy to navigate; however, we do not face them alone. Stay in constant contact with your trusted peers and advisors to ascertain and implement what is best practice for your location.