Legal Insights

Privacy Perspectives: Collection of COVID-19 vaccine status and the expansion of the Consumer Data Right

By Katherine Armytage, Indi Prickett, Olivia Crisp

17 March 2021 • 6 min read

It has already been a busy year from a privacy perspective. Read our latest publication to find out more about:

  • new guidance from the Office of the Australian Information Commissioner (OAIC) about the collection of COVID-19 ‘vaccine status information’ from employees;
  • a major review by the OAIC of its guidance about security of personal information; and
  • changes to the scope of products covered by the Consumer Data Right regime.

Privacy guidance for employers in respect of the collection of employees’ vaccine status information

On 23 February 2021, the OAIC published guidance which is intended to help employers understand their obligations when collecting, using, storing, and disclosing employee health information related to the COVID-19 vaccine. This guidance complements the OAIC’s COVID‑19 guidance for employers which provides more general information about employers’ privacy obligations in the context of the COVID-19 pandemic.

Key takeaways

  • employers will only be able to collect information about their employees' vaccination status in very limited circumstances;
  • only the minimum amount of personal information reasonably necessary to maintain a safe workplace should be collected, used or disclosed, which is consistent with the ‘data minimisation principle’;
  • employers must only collect vaccination information of an employee if the employee consents to the collection, and it is reasonably necessary for the employer’s functions and activities (or an exception under APP 3 applies – e.g. the collection is required or authorised by law);
  • if employers do collect vaccine status information, they must advise their employees about how this information will be handled;
  • vaccine status information should be used and disclosed only on a ‘need to know’ basis;
  • employers are required to take reasonable steps to keep employee vaccination status and related health information secure; and
  • if you are an Australian Government Employer and you are deciding whether to collect vaccine status information, you should undertake a threshold assessment to see if you need to complete a Privacy Impact Assessment (PIA). In particular, any PIA should consider:
    • whether the collection of vaccination status information is necessary for your functions and activities;
    • how you can be transparent with employees and take reasonable steps to notify employees of the APP 5.2 matters;
    • how you can accurately record the information that you collect and ensure that it is complete and kept up-to-date;
    • how you can collect information securely and ensure that it is stored securely; and
    • how you can limit the use and disclosure of employee vaccination status information to what is necessary to prevent and manage COVID-19.

If you have questions about whether you can, or should, collect your employees’ vaccine status information, please contact us to discuss your privacy obligations. We can assist you with the preparation of privacy threshold assessments and privacy impact assessments.

Additionally, we have had a number of clients contact Maddocks to ask whether their handling of vaccine status information will be required or authorised by law (such that it is permitted by APPs 3 and 6) if it is necessary to help the client meet their work health and safety duties. We note that before assuming that your handling of vaccine status information is required or authorised by law, you need to carefully analyse current health advice (noting that this may change) and undertake a proper risk assessment. As an employer, you also need to consult pursuant to your work health and safety consultation requirements. If you do have any questions about how the handling of vaccine status information may relate to your work health and safety obligations, please contact Catherine Dunlop.

The OAIC is undertaking a major review of its Guide to Securing Personal Information

The OAIC’s Guide to Securing Personal Information (Guide) provides advice on the reasonable steps that entities are required to take under the Privacy Act to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure.

The OAIC sought submissions until 12 March 2021 from interested stakeholders to understand:

  • how the Guide could be improved;
  • whether the Guide provides adequate information about the technical issues relating to information security; and
  • whether the Guide should address any other topics or areas.

Don’t panic if you didn't have time to make a submission! You will also have an opportunity in late 2021 to review and provide feedback on the updated Guide before it is finalised by the OAIC. Please contact us if you have any questions about the Guide, or if you would like assistance with a submission.

New account data available under the Consumer Data Right

From February 2021, individuals and sole traders who are customers of the ‘major 4 banks’ (ANZ, Westpac, Commonwealth Bank and NAB) can give an accredited data recipient access to their data relating to their overdrafts, business finance, investment loans, lines of credit, asset finance, cash management accounts, farm management accounts, pensioner deeming and retirement savings accounts, trust accounts, foreign currency accounts and consumer leases.

This means that consumers can access and manage disclosure of a broader range of their data under the Consumer Data Right regime.

If you are in the banking and financial services sector, keep abreast of your obligations under the Consumer Data Right regime. Please contact us should you require any assistance with understanding your obligations under the regime.

Need more information about the guide and understanding your privacy obligations?

Contact our Commonwealth team
