COVID-19: Information for Citizens

Agency Processing of GIPA Applications

As each agency activates its individual business continuity plan in response to COVID-19, the arrangements in place may vary according to the agency’s role, services and resources.

The IPC has encouraged all agencies to take proactive steps to initiate communications and put in place arrangements with applicants about how their applications will be dealt with, including whether a request for an extension of time will be necessary.

It is important in this time of rapid change, to also recognise that access to government information and the preservation of the right to access government information under GIPA continues. This is also true for the responsibilities required of agencies in complying with information protection principles and the health information principles under the PPIP and HRIP Acts.

The IPC is encouraging agencies to  liaise with citizens to enable these rights to continue to be preserved, including by taking steps to communicate with citizens on timeframes and revision to those timeframes. Wherever possible, extensions of time should be actioned to positively promote and advance the rights available to citizens under the legislation.

Citizens who have current matters with an agency should consult the agency’s website and or contact the agency for more specific information about how the Agency is progressing the application.

Current external reviews under the GIPA Act

Our services are continuing, however in these rapidly changing times we may need to engage with citizens to seek an extension under section 92A(2) of the GIPA Act to the timeframe for the Information Commissioner to complete her external review under the GIPA Act. Under section 92A(2) of the GIPA Act, an applicant may agree to an extension of time for the Information Commissioner to complete her external review. While an applicant does not have to agree to an extension, an inability for the Information Commissioner to complete her review in the current circumstances and in the absence of an agreed extension will mean that the Information Commissioner will be deemed to have made no recommendations.

The IPC will continue to make every effort to ensure that we meet the statutory timeframes established by the GIPA Act and communicate with you effectively and fairly. Applicants who may be affected by the need for an extension will be contacted directly, about the need for an extension.

Current complaints under the GIIC Act

The IPC is continuing to progress all complaints and will continue to engage with complainants and agencies. Agencies and complainants may not be able  to meet timeframes set by the IPC. If the agency advises the IPC that they need more time we will endeavour to advise complainants as soon as possible. Complainants are also asked to advise the IPC if they are unable to meet any timeframes by contacting their case officer prior to the due date to request an extension of time:

• Telephone 1800 472 679
• Email: ipcinfo@ipc.nsw.gov.au

The IPC has established this dedicated page on its website to provide updates to clients and agencies as circumstances unfold. You are encouraged to continue to review our website for updates.

NSW QR Code and Privacy

The IPC has complied the following information to assist people to understand the privacy aspects of the Service NSW QR Code and check-in process. The information is of a general nature only. For more detailed information about the NSW Public Health Orders and operational aspects of the check-in process, please refer to the links at the end of this page.

NSW Public Health Order

Following the outbreak of the Covid-19 pandemic in March 2020, the NSW Government introduced a number of measures to respond to the pandemic and promote the health and safety of the NSW community.

These measures are given effect through the NSW Public Health Order, which is regularly updated to respond to changing circumstances during the pandemic. The legal basis for the Public Health Order is the Public Health Act 2010.

The Public Health Order requires that people entering certain premises are directed to provide their contact details to staff of the premises by electronically registering (via the QR Code) with Service NSW. There is provision in the Order for a person to complete the electronic registration on someone’s behalf, if they cannot complete the registration themselves.

From 12^th July 2021, the mandate under the Public Health Order for the use of the QR code will be expanded to supermarkets, retail businesses and individual stores, universities, TAFE,  gyms and offices.

The purpose of this measure is to ensure the contact tracing team at NSW Health have real time access to QR code data  to begin contact tracing, should there be a case of COVID-19 identified. The tool has provided significant assistance in cases where COVID-19 has appeared in the community, by enabling the NSW Health contact tracing team to more rapidly identify and prevent further spread of the virus into the community.  

Service NSW Check-in Tool/QR Code

In 2020, Service NSW developed an electronic Check-in tool and QR Code to assist with recording contact information for contact tracing purposes.

The Service NSW check-in tool is included in the Service NSW app and can be downloaded on a mobile phone. People can enter their details into a webform if they do not have the Service NSW app. See https://www.service.nsw.gov.au/transaction/covid-safe-check for details.  

The tool collects the person’s first name, surname, email address and phone number, as well as the details of the venue they are visiting and the time of check-in. There is also a facility to add the time of check out when a person leaves a venue, but this is discretionary.

Service NSW consulted with the Privacy Commissioner during the development of the tool to ensure the privacy risks associated with the tool were identified and mitigated.

A Privacy Impact Assessment (PIA) was undertaken for the check-in process and a summary of the PIA has been uploaded to the Service NSW website: https://www.service.nsw.gov.au/privacy-impact-assessment-covid-safe-check

The website also contains the Privacy Collection Statement for the check-in tool and web check-in: https://www.service.nsw.gov.au/covid-safe-check-privacy-collection-stat…

The privacy features of the tool include that the information collected by the tool is encrypted and held securely. It is transferred securely to NSW Health if required for contact tracing.

Information not required for contact tracing is deleted after 28 days.

The NSW Public Health Order requires that information collected by the tool is to be used for contact tracing only. It is important from a privacy and health perspective that people are able to trust the collection of their information by the tool will only be used for contact tracing and not for other purposes.

FAQs

Are venues required to ensure I sign in using a QR Code?

Yes – venues are legally required under the NSW Public Order to ensure all patrons have checked in using an electronic registration method via the code or webform.

Am I legally required to check in using the QR code?

Yes – the NSW Public Health Order requires all people checking into certain venues to check in using an electronic registration method via the code or webform. NSW privacy law requires that personal information collected during the check-in process is appropriately managed and protected.

Is it a breach of privacy law to require the use of the QR code?

No – the Public Health Act 2010 allows the Government to make Public Health Orders in order to ensure the safety of the community during the current health emergency caused by the COVID-19 pandemic.

These Orders mandate the use of an electronic registration method via the code or webform for people entering certain premises.

Strict privacy protections apply to contact information obtained by the check-in process, as detailed on this page.

How is my privacy protected when I use the QR code to check in to a venue?

The QR code collects contact information for contact tracing purposes.

The information collected by the tool is encrypted and held securely. It is transferred securely to Health only if it is required for contact tracing purposes.

Information not required for contact tracing is deleted after 28 days.

The NSW Public Health Order requires that information collected by the tool is to be used for contact tracing only.

Can I refuse to check in via the QR Code?

No – the Public Health Order directs you to check into certain premises using an electronic method. Another person may complete the registration for you if you are unable to do it yourself.

Links and Resources

• NSW Public Health Orders: https://legislation.nsw.gov.au/information/covid19-legislation
• NSW Public Health Act: https://legislation.nsw.gov.au/view/html/inforce/current/act-2010-127
• Service NSW Information about COVID Safe Check-in: 
  • https://www.service.nsw.gov.au/transaction/covid-safe-check
  • https://www.service.nsw.gov.au/covid-safe-check-customers-faqs

Current complaints under the HRIP or PPIP Act

The IPC is continuing to progress all complaints and will continue to engage with complainants and agencies. Agencies and complainants may not be able  to meet timeframes set by the IPC. If the agency advises the IPC that they need more time we will endeavour to advise complainants as soon as possible. Complainants are also asked to advise the IPC if they are unable to meet any timeframes by contacting their case officer prior to the due date to request an extension of time:

• Telephone 1800 472 679
• Email: ipcinfo@ipc.nsw.gov.au

The IPC has established this dedicated page on its website to provide updates to clients and agencies as circumstances unfold. You are encouraged to continue to review our website for updates.

Privacy response by Australian Privacy Regulators

Australian privacy regulators have convened a National COVID-19 Privacy Team between the Office of the Australian Commissioner (OAIC) and states and territories with privacy laws to respond to proposals with national implications. 

Read the COVID-19 response from Australian privacy regulators

COVIDSafe legislation passed by Parliament

The Privacy Amendment (Public Health Contact Information) Bill was passed by Parliament on 14 May 2020, enforcing new privacy safeguards for COVIDSafe app data into the Privacy Act 1988. The Privacy Act is overseen by the Office of the Australian Information Commissioner (OAIC), read the full statement here: https://www.oaic.gov.au/updates/news-and-media/oaic-expands-oversight-role-as-privacy-safeguards-for-covidsafe-app-made-law/

Office of the Australian Information Commissioner public consultation

Please see the Office of the Australian Information Commissioner (OAIC) consultation page regarding draft guidelines to support a nationally consistent approach to requirements for businesses and venues to collect contact information.

https://www.oaic.gov.au/engage-with-us/consultations/requirements-to-co…