QR code data in South Australia secretly being backed up, report finds

South Australians’ personal data collected from QR codes has been secretly stored in its IT backup systems, a report by the chief auditor has found.

The review into the management of Covid-Safe QR check-in data confirmed The Department of the Premier and Cabinet automatically deleted the information from its production database after 28 days, as legally required.

But it revealed secure backup systems retained the data past four weeks.

According to the auditor-general’s report, the department intends to destroy these back ups once contact tracing is no longer required.

“Until this time, data restorations are possible, although controls exist to protect the data from any unauthorised restorations,” it said.

The report found that the backups were “vital” in the event of a disaster or system failure but put the department at risk of breaching the deletion requirements of the QR code data.

The DPC responded to the report by updating its backup restoration procedures, which was recommended by the Auditor-General.

It also included an additional requirement to verify that if the backup data needed to be restored from a possible failure, no data older than 28 days would exist.

The report also found that SA Health was holding onto a “subset” of the QR code data “indefinitely” under health legislation.

But this was “not consistent” with another order that required all check-in data be destroyed when no longer needed or when the pandemic ends.

“It would be helpful if SA Health’s public communications included advice that it retains all requested Covid-Safe check-in app data indefinitely,” the report read.

In SA Health’s response, it said it would review and document its data retention practices relating to contact tracing information and make sure the practises were aligned with all relevant legislation.

It said information would be provided on its websites and digital media that stated that is was legally allowed to keep the data.

The review into the management of Covid-Safe QR check-in data was requested by the state government after the system was introduced last December.

A spokesman from the Premier’s department said South Australians’ data beyond the 28 days needed for contact tracing purposes was not accessible.

“As the Auditor-General found, in the unlikely event that backup data needs to be restored, Covid-Safe Check-In data over 28 days is automatically deleted upon restoration,” they said.

A SA Health spokesman said: “QR check-in information is only released upon request to SA Health for official contact tracing purposes or for managing the Covid-19 pandemic.”

“Once the information is obtained for this purpose, it is managed as a confidential health record and protected under the Health Care Act 2008.”

Information on how the data is stored and protected can be found on online.