Exclusive

SA Police Commissioner Grant Stevens defends QR code check-in system after secret data shock

SA’s Police Commissioner has staunchly defended QR code check-ins, saying he has confidence in the system after it was revealed personal data was not destroyed as legally required.

Police Commissioner Grant Stevens has launched a strong defence of QR code check-ins, saying he has confidence in the system.

The Advertiser exclusively revealed on Tuesday that the state’s chief auditor found that personal data collected from QR codes is not destroyed as legally required.

The seven-month review, tabled in state parliament on Tuesday, also laid bare SA Health’s data “shortcomings” in poor control of Covid-19 records.

Mr Stevens defended the QR system, and said the “sinister” perspective on data storing was disappointing.

“It’s disappointing that this sort of, what’s the word, sinister perspective has been placed on how the data is being managed,” Mr Stevens told ABC Radio’s Ali Clarke.

“I am absolutely confident that the intent and commitment that was made to destroy data is being honoured.”

Authorities say that in any rare restoration, data older than 28 days is automatically deleted.

South Australian Police Commissioner Grant Stevens. Picture: NCA NewsWire / Kelly Barnes

Mr Stevens said data is deleted every 28 to 35 days, to keep a buffer in case there is a system crash.

“Every 28 days, within seven days of a 28-day period, so within 35 days, the data is gone,” he said.

“Nobody can access that data after that period of time.

“It’s a natural requirement for any complex IT system that they backup the data, so if there’s a catastrophic system failure, they can retrieve the data and restore the system when that data is retrieved from the backup,” Mr Stevens said.

“We’ve probably got the best QR system in Australia and it’s been very well managed.”

Earlier, The Advertiser revealed the state’s chief auditor has found that personal data collected from QR codes is not destroyed as legally required, while SA Health’s poor control of Covid-19 records risks “compromising” sensitive details.

Despite repeated state government assurances electronic contact tracing records are deleted after 28 days, an official review found check-in details are secretly backed up.

While Auditor-General Andrew Richardson said this was “vital” to help recover critical information after any disaster, or systems failure, the government has never publicly disclosed such a requirement.

The seven-month review, tabled in state parliament on Tuesday, also laid bare SA Health’s data “shortcomings”.

Mr Richardson, whose review was revealed by The Advertiser in April, praised the quick Covid-Safe app launch in December last year after six weeks’ work using “industry best practice”.

He said “reasonable controls” protected user records, including phone numbers, and that data purging and user vetting were appropriate, while technology encryption was also secure.

Authorities say QR codes are vital to quickly track contacts in any Covid outbreak.

The Department of Premier and Cabinet said all back-up data will be destroyed when contact tracing is not needed.

People checking into Chemist Warehouse in Gawler Place via QR code. Picture: NCA NewsWire / Brenton Edwards

Latest figures show almost 430 million check-ins at 90,200 public locations.

More than 375.4 million records have been purged from the database and then stored.

Raising concerns at “inherent risks” with the database, investigators made 21 findings – 13 critical – including failures to formally conduct risk checks.

The 44-page report found 28 SA Health staff used personal email addresses to access confidential records, while 345 agency users had “inappropriate” data permission, including 28 administrators.

This “increases the risk” for data breaches or illegal use, it said. “This could compromise the confidentiality, integrity or availability of sensitive information,” it stated.

No breaches were found.

SA Health’s decision to keep QR code data “indefinitely” was “not consistent” with State Records laws, while a small business unit can access records despite claims it was solely for contact tracers.

Officials say various reviews will overhaul the system in line with its findings.

An SA Health spokeswoman said check-in data was like a confidential health record and protected under state law.

“QR check-in information is only released upon request to SA Health for official contact tracing purposes or for managing the Covid-19 pandemic,” she said.

“Once the information is obtained for this purpose, it is managed as a confidential health record and protected under the Health Care Act 2008.”

Police Commissioner and state co-ordinator Grant Stevens told the inquiry all 11 recommendations would be acted on.

Officials say DPC securely backs up all critical systems, including the Covid-Safe Check-In system.

A DPC spokesman said: “The State Government assures South Australians their check-in data beyond the 28 day period required for contact tracing purposes is not accessible.”

But Labor health spokesman Chris Picton accused the government of a “breach of trust”.

“During this pandemic, South Australians have done the right thing, they have checked in and provided their data to the government in good faith, on the promise their data would only be used for contact-tracing purposes and then destroyed after 28 days,” he said.

“There are … serious questions about whether South Australians’ data has been secure.”

Original URL: https://www.adelaidenow.com.au/coronavirus/personal-data-collected-by-qr-code-checkins-in-sa-secretly-stored-in-backup-system-and-not-destroyed-after-28-days-as-promised/news-story/3f8b287051116c692fd03c3f5ffa8052