Privacy Commissioner Statement on COVID-Safe business registration venues data set


The Privacy Commissioner is aware of media reports suggesting a breach of the QR Code data set.

The data set which was published in September 2021 did not involve a compromise of the QR Code data set. Rather a decision had been made to make publicly available the list of businesses which had registered as COVID-Safe businesses. In publishing that list of addresses, the Department of Customer Service (DCS) also published in error addresses of businesses that were of a sensitive nature as the data set expanded.

The Privacy Commissioner was briefed by DCS on the incident, including the circumstances which resulted in the incident and was satisfied with the actions taken to contain, respond to and remediate the incident.

DCS undertook a review of the incident and the findings were shared with the Privacy Commissioner. The data set is no longer published. The Privacy Commissioner supported the decision to cease publication of the data set.

The QR Code Check-in app, developed and implemented to support the NSW response to the pandemic, was not a factor in the incident. Citizens should continue to follow the public health orders relating to the use of the QR Code Check-in app. Privacy safeguards, including concerning the use and sharing of the QR code data and its retention, were built into the design of the QR Code Check-in process. Most recently, legislative safeguards for personal and health information collected by the Check-in app were implemented, strengthening the Government’s commitment to robust privacy protections for this information.

The Privacy Commissioner continues to work with all agencies in implementing privacy positive practices.




For further information, please contact:

IPC media team on 0435 961 691 or email

For further information about the IPC visit our website at

About the NSW Privacy Commissioner

Samantha Gavel was appointed as NSW Privacy Commissioner on 4 September 2017. Her role is to promote public awareness and understanding of privacy rights in NSW, as well as provide information, support, advice and assistance to agencies and the general public.

About the Information and Privacy Commission:

The Information and Privacy Commission NSW (IPC) is an independent statutory authority that administers New South Wales’ legislation dealing with privacy and access to government information. The IPC supports the Information Commissioner and the Privacy Commissioner in fulfilling their legislative responsibilities and functions and to ensure individuals and agencies can access consistent information, guidance and coordinated training about information access and privacy matters.

Download the statement.