24 / 11 / 2021

Privacy and COVID Check-In Data

Can police use your COVID check-in data in criminal proceedings? The short answer is – maybe.

‘Unprecedented times’ is the catch phrase that aptly describes the last 18 months, and with those unprecedented times has come a new era of ‘check-ins’ and check-in data.

Check-in apps have been rolled out around the country to assist contract tracing services in identifying close and casual contacts of persons who may have been exposed to COVID-19. It has been an unrivalled source of information and data for contact tracing around the country. We all expected and assumed this data could not be used against us in criminal investigations but the picture may not be so rosy.

In various states and territories around the country, police have made attempts to access user check-in data to assist in criminal investigations.

In Western Australia and Queensland, police have accessed users’ check-in data and history for unrelated criminal investigations on at least six occasions.

In Victoria, police attempted to subpoena and obtain access to user check-in data as well, however, those attempts were denied by the Victorian government.

The ACT appears to be at the forefront of the nation in creating protections for users of check in apps, after proposing legislation and laws to legislate an exhaustive list of permitted uses for the data. This is contained in the COVID-19 Emergency Response (Check-in Information) Amendment Bill 2021, and states that data is only to be used for a ‘permitted purpose’.

  1. permitted purposemeans any of the following:
  2. (a) undertaking contact tracing;
  3. (b) assisting an entity administering a law of a State that provides for contact tracing to undertake contact tracing, including sharing information with the entity;
  4. (c) another purpose related to undertaking contact tracing;
  5. Examples
  6. to assess the integrity or security of check-in information
  7. to provide support services in relation to the Check In CBR app
  8. (d) a purpose mentioned in section 2F (2);
  9. (e) deriving statistical or summary information.


Under the current privacy framework, ACT Health would be required to disclose personal information and data that has been collected through the app, if compelled by a court or tribunal. For example: if a subpoena or warrant was issued by police. The Bill is in response to the potential for intelligence organisations and/or police to request and gain access to that data.

In the proposed bill, data would only be stored for a period of 28 days (unless it satisfies one of the exemptions) and can only be used for contract tracing and contract tracing compliance purposes.

It is certainly hoped that the Bill will pass shortly, with other states and territories to follow suit and offer protection for our personal check in data.  However, at this stage, nothing is concrete.

It seems that we are  in this for the long-haul with COVID-19, and the implications that come from check-in data are an interesting and concerning space to keep an eye on.

Stephanie Beckedahl, Senior Lawyer