CHOICE membership

Covid safe check in procedures

Having a dumb phone, not a smart phone, I cannot comment on privacy concerns folk have when using the latter when shopping or visiting commercial premises.
But there are concerns for dumb phone users, many of whom use or will use (say NSW) government issued check in cards.
The card comes with a QR code and the user’s first name.
So far that seems reasonably protective of privacy I thought. Once the card is scanned by say a supermarket employee, my personal data would be uploaded to the state’s coronavirus database.
My details would not be revealed to the supermarket employee.
Again, so far so good.
So I was very much surprised when yesterday in a supermarket, the employee scanned the QR code
and then asked me to reveal my full name, date of birth and phone number. The employee wanted to ensure that the card was mine and I wasn’t “borrowing” someone else’s.
He did not say what other information he could see on his iPad after scanning my QR code.

Question: can’t the check in card be more protective of a person’s privacy? Surely it is not an employee’s business to know my business. It is his business to upload, without necessarily viewing, my details.
If any enterprise is worried that such cards may be “borrowed” from others, a simply fix would be to include a photo alongside the QR code. Photos can easily by imported from the database used say for driving licenses.
A card with a photo and QR code and nothing else visible (other than perhaps an expiry date) would be an improvement, no?

2 Likes

The Tasmanian QR business app mandated for use doesn’t provide any information. The only data is that provided by a person at the time of check-in (name and contact phone number). When the person is checked in, there is no way to go back and see who has checked in or any of their details (and I have tried as I was chasing someone’s name). Tassie doesn’t have a check-in card. It raises the question…

Where they a supermarket employee and where they using the NSW QR Check-in App?

I wonder if the card prefills the cells in the app which then allows the employee to then check-in the person. It may have been a quick check of name and phone number to confirm the details on the screen were correct before checking in. It doesn’t seem to have details on how it works on the NSW government website, but it appears a plausible answer.

Prior to using the card, I could
(a) by hand write my name and number in a booklet supplied at the store entrance or
(b) I could give my name, first & last and phone number to an employee who’d type it into a tablet.

That is, I provided three pieces of information to a stranger. How many pieces are needed for ID theft?

Note: if anyone wants to keep that data all they need is to take a screenshot of the data as it is being collected by the store employee

A friend’s sister, 91 year old woman, has no interest in revealing more than her QR code when visiting businesses eg hairdressers, but in today’s The Australian there is a photo of NSW Minister for Services and the Digital Economy showing all the details a smart phone will provide when checking in. First name, surname, address and if I am not mistaken, date of birth and vaccination ID number.

Again: isn’t the only relevant data the QR code and vaccination status (eg confirmed by a big green tick or the absence of the green tick indicating both vaccinations have not been received). Are all the other bits of data, available to be viewed by the employee checking in, really necessary?

From the NSW Govt COVID-Safe-Check-Customers FAQs:

What is the COVID-19 check-in card?

The COVID-19 check-in card provides a quicker, alternative electronic check-in method for customers without a smartphone.

The COVID-19 check-in card is a hard copy card with a unique QR code that contains a customer’s registered contact details. Customers can present their card for scanning at participating businesses to electronically check in.

How does the COVID-19 check-in card work?

A customer can present their COVID-19 check-in card and have it scanned by a business as an alternative electronic check-in method.

When a business scans the QR code on the card, the customer’s registered contact details automatically populate in the Service NSW business online webform.

The customer’s check-in information is directly available for NSW Health’s contact tracing team in the event of a positive COVID-19 case.

You will see that your registered contact details are provided to the business’s webform. If you do not provide the information:

What if I don’t want to provide my details?

Some businesses are required to record customers’ contact details under the Public Health Order, to assist with any contact tracing that may be necessary. Under the Order, you’re required to provide your details upon entry to these businesses. If you choose not to provide your details, you’ll be refused entry.

If you don’t provide the data, don’t go in. But if you do provide your data, there is nothing there about a business needing to validate your data.

5 Likes

Thanks for the post.
Ok, so the card is a substitute for manually completing an online form (by staff).

I get that this information is needed by the various Departments of Health and are transmitted via the QR code.

What I don’t get is what business is it of the person checking one’s card. Surely it is sufficient to scan the QR, send it to NSW Health and have the Dept of Health confirm receipt of the data.
Must a stranger be made aware of one’s details?

Of more concern is the photo on The Australian’s website can be believed, when signing in with a smart phone, shows more than the above basic data. It shows one’s address and vaccination number.
Again, must this be shared with strangers?

A business will need to know those checking in are who they say they are. This is to protect their staff and other customers in the event of outbreaks.

For example, if someone uses another persons card to checkin, and the person checking in had Covid, there is no record of where that person has been or that a close contact has occurred. Other customers and employees would not be aware of their exposure risk and unknowingly get the infection and spread it to others who could also be infected…and all would suffer the consequences of the infection. This promotes the spread rather than containment.

Checking or verifying cards wouldn’t be needed if everyone was honest.

They must have a good memory. Yes, they can take a screenshot of every checkin, manually look at the screenshot and then type up the details into some sort of database. Laborious, and easier to use commonly available contact information databases to get the information.

1 Like

Here in shakey, rioting Melbourne, businesses are required to record for contact tracing purposes the customers name, and a phone number. That is all.
Those with a suitable smart phone can do it themselves with the Gov QR system.
Alternatives are a staff member checks you in, or you write it down on a sheet for a staff member to do it later.

If I was asked for details other than my name and phone number I would ask why they were not following the health and safety orders.

My method is to have a few paper cards with my name and phone number on them, and just hand one to a staff member if asked. I have done my part. Now it is up to the business.

1 Like

It seems to vary by state?

Qld requires your name, phone number and email address.
I recollect that if you do not have email, your residential address is required?

In looking to NSW which only requires name and phone number, there is the alternative of a coded ‘check-in card’. Same details, although Services NSW indicated acceptance of the cards by a business is not mandatory.

1 Like

NSW (and Tassie where we live) only requires name and phone number.

There could be confusion over information needed to apply for a Check-in card and what data is collected at check-in. While more extensive data is required for the issuing of a card, the same data isn’t loaded into a Check-in QR app on check-in using the app/webform. As outlined above, NSW only requires date of check-in, name of person checking in, contact phone number and time of check-in.

If one happened to glance at the check-in screen on check-in, they would see a date and might think it is the date if birth if a DoB was provided in the card application. It isn’t the date of birth, but date of check-in.

1 Like

As I said above, there is no requirement for a business to verify the data provided. Perhaps the person was just over zealous?

As background information of what the Federal Government requirements in relation to data collection by businesses, have a look at Guidance for digital check-in providers collecting personal information for contact tracing

More specifically, have a look at the section on NSW in this Federal Government web site: QR code system to support COVID-19 contact tracing. It says -
"What data is collected?

Full name, phone number, email (where possible), check-in date and time, check-out date and time (if possible), and location."

Could you please provide a link to this article in The Australian? After looking at the links above, it sounds like it is just a mocked up artist’s rendition designed to elicit the emotional political response that seems to be the Rupert Murdoch press’s raison d’être?

2 Likes

When I set out to apply for one on line it only asked for my name and mobile number. On providing these it offered an option to email or post the card, so Services NSW does have that as a seperate record.

You might like to try?

1 Like

What’s to stop someone from using another person’s phone? What would the motive be to use another person’s card? I’m curious to know if the employee was following government instructions or was just being overzealous?

The reason these checkin systems exist is to aid in contact tracing if an infection occurs at a business, or someone visiting a business.
There are no controls at all to verify name or phone details given.
It is just trust that people will do the right thing, to help the businesses, and help the community.

2 Likes

I regret that I cannot find that article online. I recall the photo was included in the website story but not the hard copy story.

1 Like

Speaking of “controls”, in the last week, three times when checking in with the card - some staff were quite intrigued by the card as it is not common, far more folk claim they prefer to record their names on sheets of paper - I was asked to verify my name and phone number which appears on the iPad screen once the QR code has been scanned.
I don’t get the point of that. If I use another person’s card surely I would be smart enough to memorise his mobile number in case I am grilled.
I remain convinced that the check-in folk don’t need to know most of my data. What they need to know is if the card carrier has been vaccinated twice.
All the rest of the data should go to say NSW Health (or its interstate equivalents) for the purpose of contact tracing and the check-in staff should not see any data when scanning the QR code.

As for limiting “borrowing” of cards between friends, as my letter to a newspaper that remains unpublished mentioned, all that the card should have is either

(a) The QR code plus a photo or
(b) The QR code plus photo plus first name

No state or territory, nor Fed Gov has any checkin requirement for vaccination status.

From Medicare you can get a PDF of your vax status, if you want.

According to one young woman checking me in to a supermarket, her responsibility is to see that the fields appearing on her screen (name first and last) and phone number are populated once the QR is scanned.

According to a guy in another branch of the same supermarket, his job is as per the above PLUS to confirm the details being populated by asking me to recite the phone number attached to the card.

1 Like

True at the moment. ServiceNSW currently is clubbing together its app with one’s vaccine status which it will download from Services Australia, so that when NSW opens up and only the vaccinated can attend certain venues, folk with smart phones will need only the ServiceNSW app to check in.
Presumably the check in card will be similarly updated.

1 Like

No, they don’t need to know that you are who you say you are. If you use the perfectly acceptable method of writing your name & details on a list, they don’t check that what you have written is correct, so why check the digital data you are giving them. It is not their responsibility.

It is and each state is different. For example in Victoria:

Business can also require proof of identity as a requirement of their conditions of entry. It is already done for hotels/liscenced premises, accommodation providers etc. It is a businesses responsibility to protect the health and safety of their staff and visitors to the business. It could be seen as reasonable to confirm identity of those entering a business in the event at a person entering is later found to have a Covid infection. Someone using fake or another persons identification could pose a risk to a business in such case.

If one does not provide proof when requested under state requirements or condition of entry, a business could refuse entry to the person.

3 Likes