QR Codes and Your Privacy

Updated February 10th 2021

Quick Response (QR) codes have increased in popularity within the COVID-19 environment. They make it easy for customers to check in when visiting a business and also help with contact tracing.

While QR codes may have become popular, using them is not risk free. Hackers and cyber criminals have found ways to utilise QR codes to steal your data and put your privacy at risk.

What are QR codes?

QR codes are similar to barcodes, in the sense that they contain information which can be read by either your smartphone’s camera or another app.

When scanned, QR codes usually contain information which will allow you to perform the following actions:

  • Visit a website
  • Install an app
  • Join a network
  • Add someone’s contact details
  • Dial a specific number
  • SMS or email a specific recipient

The most common use for QR codes in the current pandemic environment is for linking to a website or app to submit your contact information. This makes contact tracing easier and provides a contactless alternative.

In certain States and Territories throughout Australia, customer contact details are required to be collected upon entering businesses. QR codes have been proven to be an effective method to collect this data.

Some businesses have also opted to use QR codes to direct customers to online menus. This prevents the handling of physical menus on site.

Why are QR codes risky to use?

There is danger in downloading any unknown information digitally.

Scanning QR codes that direct you to non-government websites that request your personal details can result in your personal contact information being used for marketing and criminal purposes.

QR codes are also extremely easy to generate. This makes it quick and easy for criminals to attempt to obtain your information. They can insert harmful websites, malicious apps and/or untrustworthy Wi-Fi networks.

Below is an example of how dangerous unknown QR codes can be:

A restaurant has a QR code for you to scan before entering. Someone pastes their own QR code over the top of it, one they made with a virus to hack your phone. You scan it without noticing what action the code performs. Your phone has now installed the virus.

How to use QR codes safely?

Tips for individuals

Depending on your State or Territory, businesses can use a government provided QR Code to help customers check in. If the business does not have a government provided check-in code, ask them why not.

One benefit of government provided check-in codes is that the data is not stored by the business owner. The data is also readily available for the State or Territory Health departments to access if it becomes necessary (for example, when contact tracing is required).

If the business has not signed up to use government provided QR codes (for example, because these apps are not provided in the State or Territory you are in), you can follow the cautionary tips below to stay as safe as possible whilst scanning QR codes to check in or perform another action:

  • Make sure that you only scan QR codes that are located in prominent positions at the business. This reduces the chances of scanning a malicious code, which may have been placed there by someone other than an employee or owner of the business.
  • While scanning the QR code, your smartphone camera will usually display a prompt indicating what actions the QR code will perform, such as what website it is linked to. If the prompts or URLs shown look suspicious, do not proceed with the action and speak to a staff member (if you’re at a business premises).
  • Be prepared to cancel or terminate the action triggered by scanning the QR code if it’s unwanted and you accidentally authorised it. For example, closing your web browser or hanging up if a call is initiated.
  • Before checking in, you can also ask the business for their privacy policy in terms of retaining your personal contact information.
  • Make sure you only provide the minimum amount of personal contact information required by your State or Territory.

Guidance for businesses

If your State or Territory provides QR codes for businesses to use, sign up so that your customers can use them.

Make sure the government approved QR codes are located in a prominent place within your business.

If your State or Territory does not have government provided QR codes, you can follow the below tips to help protect your customers:

  • Follow the Office of the Australian Information Commissioner’s guidance in regards to collecting personal information for contact tracing. Ensure that your customer’s personal data is only used for contact tracing purposes.
  • If using a third party vendor to help collect personal customer information, ensure they are trusted providers. Be sure to validate the third party’s privacy agreements and measures for storing a customer’s personal information. Ensure it is compliant with your State or Territory’s data processing policies.
  • Only ask for the minimum amount of customer contact information required by your State or Territory government. Delete any stored information as soon as government rules allow.
  • Be transparent with customers about how their contact information is collected, stored, used and deleted.

When generating QR codes that direct to a website:

  • Avoid using services that shorten and obscure website addresses
  • Test the code before providing it to your customers
  • Provide a screenshot and description of the website. This is so that customers know what to expect when they action the QR Code.
  • Regularly check that your QR code hasn’t been replaced with a malicious one by someone else
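
A business can automate the "test the code" and "regularly check" steps above by decoding the posted code with any QR reader and auditing the resulting text. The sketch below is an added example, not part of the original article; the prefix table follows common QR generator conventions, and the expected URL, shortener list and function names are assumptions.

```python
from urllib.parse import urlsplit

# Common QR payload prefixes mapped to the actions listed in "What are QR codes?".
ACTION_PREFIXES = {
    "HTTP://": "visit a website", "HTTPS://": "visit a website",
    "MARKET:": "install an app",
    "WIFI:": "join a network",
    "MECARD:": "add a contact", "BEGIN:VCARD": "add a contact",
    "TEL:": "dial a number",
    "SMS:": "send an SMS", "SMSTO:": "send an SMS",
    "MAILTO:": "send an email", "MATMSG:": "send an email",
}
# Constructed sample list (assumption); extend with the shorteners you encounter.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}


def classify(payload):
    """Name the action a decoded QR payload would trigger, or 'unknown'."""
    upper = payload.strip().upper()
    for prefix, action in ACTION_PREFIXES.items():
        if upper.startswith(prefix):
            return action
    return "unknown"


def audit(payload, expected_url):
    """Compare a decoded payload with the URL the business published.
    Returns a list of findings; an empty list means the code is as expected."""
    action = classify(payload)
    if action != "visit a website":
        return [f"unexpected action: {action}"]
    got, want = urlsplit(payload.strip()), urlsplit(expected_url)
    # Compare the parsed hostname, not a substring, so a look-alike address
    # that merely contains the expected name does not pass.
    host, want_host = (got.hostname or "").lower(), (want.hostname or "").lower()
    findings = []
    if host in SHORTENER_HOSTS:
        findings.append(f"shortened address hides destination: {host}")
    if host != want_host:
        findings.append(f"destination {host!r} is not the expected {want_host!r}")
    elif got.path.rstrip("/") != want.path.rstrip("/"):
        findings.append("path differs from the expected page")
    return findings


if __name__ == "__main__":
    expected = "https://checkin.example.gov.au/venue/1234"  # constructed placeholder
    for sample in (expected, "https://bit.ly/abc123", "WIFI:T:WPA;S:Cafe;P:x;;"):
        print(sample, "->", audit(sample, expected) or "OK")
```

An empty findings list means the posted code still points where the business intended; anything else is a reason to take the code down and inspect it.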

For further information on QR code safety in a COVID-19 environment, please refer to this guide by the Australian Cyber Security Centre.