Every time you scanned a QR code at a cafe or shop in NSW, you were told it was for contact tracing only. Deleted after 28 days. Then NSW Police helped themselves to the data for criminal investigations. The government had to pass emergency legislation to stop the cops — which means the cops had already done it. Every promise on that QR code screen was a lie.
186,000 documents leaked. Drivers licences. Medicare cards. Tax records. Handwritten notes with personal details staff had typed into emails. 104,000 people exposed because Service NSW staff email accounts had no multi-factor authentication. The Auditor-General called their cybersecurity "inadequate." These are the people asking you to store your digital licence.
What they claim: The Digital Driver Licence is promoted as a convenient replacement for physical cards.
What we found: The Service NSW app requires location services, camera, biometric data, and persistent background connections to verify digital licence authenticity. Unlike a physical licence, the digital version creates a record every time it is presented, enabling the government to build a log of when, where, and why you showed ID.
What they claim: Service NSW states tracking data "does not contain information that identifies users" and is used only for "tracking advertising performance."
What we found: Service NSW uses the Facebook Pixel, Twitter/X Pixel, and LinkedIn Insight Tags on its website and services. While Service NSW claims the data is "aggregated and anonymous," the collected data is "saved and processed by Facebook, LinkedIn, and Twitter and used in accordance with their respective Data Use Policies." Meta and LinkedIn can correlate this government service usage with logged-in user profiles. The OAIC has warned that tracking pixels on websites frequently collect sensitive information that "standard privacy assessments miss."
What they claim: Service NSW says it uses analytics to "help analyse and provide reporting on how customers use their website and improve the user experience."
What we found: Service NSW feeds citizen interaction data into Google Analytics and Mixpanel — both US-based commercial analytics platforms. Google Analytics data is processed on Google's infrastructure subject to US law (including FISA Section 702). Australian citizens interacting with their state government are having their behaviour patterns analysed by American corporations, with no opt-out mechanism for accessing essential government services.
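
The pixel and analytics findings above can be checked against any saved copy of a page. The following is an added example, not code from the original page or from Service NSW: it reports which of the vendors named above a page loads, looking in both tag attributes and inline scripts. The hostname table, the `audit` function and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: vendor tag hostnames, supplied here rather than taken from the page.
TRACKER_HOSTS = {
    "connect.facebook.net": "Facebook Pixel", "static.ads-twitter.com": "Twitter/X Pixel",
    "snap.licdn.com": "LinkedIn Insight Tag", "px.ads.linkedin.com": "LinkedIn Insight Tag",
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Analytics", "cdn.mxpnl.com": "Mixpanel",
}
URL_RE = re.compile(r"""(?:https?:)?//[\w.-]+(?:/[^\s"'<>)]*)?""")

class TrackerAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_script, self.hits = False, {}
    def check(self, url):
        try:
            host = urlparse("https:" + url if url.startswith("//") else url).hostname
        except ValueError:
            return
        if host in TRACKER_HOSTS:
            self.hits.setdefault(TRACKER_HOSTS[host], set()).add(url)
    def handle_starttag(self, tag, attrs):
        self.in_script = tag == "script"
        for name, value in attrs:
            if name in ("src", "href") and value:
                self.check(value)
    def handle_endtag(self, tag):
        self.in_script = False
    def handle_data(self, data):
        # Pixels are usually injected by inline JavaScript (often with
        # protocol-relative URLs), so scan script bodies as well as attributes.
        if self.in_script:
            for url in URL_RE.findall(data):
                self.check(url)

def audit(html):
    parser = TrackerAudit()
    parser.feed(html)
    parser.close()
    return {vendor: sorted(urls) for vendor, urls in sorted(parser.hits.items())}

# Constructed sample page, not captured from any real site.
SAMPLE_HTML = """<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>load('https://connect.facebook.net/en_US/fbevents.js');
s.src = "//cdn.mxpnl.com/libs/mixpanel-2-latest.min.js";</script>
<a href="https://www.facebook.com/ExamplePage">Follow us</a>
<noscript><img src="https://px.ads.linkedin.com/collect/?pid=0&amp;fmt=gif"/></noscript>"""
```

An ordinary link to a vendor's main site, such as the Facebook link in the sample, is not reported, because only tag-serving hosts are listed.
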
What they claim: The Service NSW privacy policy states that personal information is handled in accordance with the Privacy and Personal Information Protection Act 1998.
What we found: The Service NSW app integrates Google Analytics, Firebase, and Salesforce tracking. App network analysis shows connections to Google, Amazon AWS, and Salesforce servers on launch, before any user interaction. Telemetry includes device model, OS version, screen resolution, and session duration.
What they claim: Service NSW stated COVID check-in data would only be used for contact tracing and deleted after 28 days.
What we found: NSW Police accessed QR check-in data collected through the Service NSW app for criminal investigations, violating the stated purpose limitation. The NSW Government was forced to pass emergency legislation in 2021 to prevent further police access, confirming the breach had already occurred.
What they claim: Service NSW promotes secure digital identity and document storage.
What we found: A 2020 data breach exposed 186,000 documents belonging to 104,000 Service NSW customers, including drivers licences, Medicare cards, tax records, and handwritten notes. The breach occurred through compromised staff email accounts. The NSW Auditor-General found Service NSW had "inadequate" cybersecurity controls.
What they claim: Service NSW promises data is "protected by advanced access control mechanisms" and "strong data encryption mechanisms."
What we found: In March 2020, a phishing attack compromised 47 staff email accounts. 730GB of data was exfiltrated — 3.8 million documents affecting up to 186,000 customers (revised to 104,000). Stolen data included drivers licences, birth certificates, passports, firearms registrations, working with children checks, credit card details, and medical records. Remediating the breach cost more than $30 million.
What they claim: Service NSW claims to maintain robust privacy management and meet all privacy obligations.
What we found: The NSW Auditor-General found that Service NSW had identified the risk of staff emailing personal information before the breach but "failed to effectively mitigate the risk." A 2015 privacy impact assessment recommended multi-factor authentication and customer access history — neither was implemented by the time of the 2020 breach. The Auditor-General concluded Service NSW is "not effectively handling personal customer and business information to ensure its privacy."
What they claim: Service NSW claims to meet its privacy obligations and has a Privacy Management Plan.
What we found: The NSW Auditor-General found Service NSW "does not publish privacy impact assessments even though the Information and Privacy Commission (IPC) states that this is good practice." Several of Service NSW's own internal privacy impact assessments recommended publication, but the agency ignored its own recommendations. Citizens cannot assess the privacy risks of using government services because the assessments are hidden.
What they claim: Service NSW states personal information is protected by "advanced access control mechanisms."
What we found: The Auditor-General found "weaknesses in the general IT and security controls implemented by Service NSW over its Salesforce CRM system, including deficiencies in governance of role-based access, monitoring and audit of staff access, and partitioning of program-specific transaction information." Staff could access customer records beyond their role requirements, and access was not properly audited.