In brief

Information about an individual’s vaccination status is ‘health information’, which is a type of ‘personal information’ that is generally afforded a higher level of protection under the Privacy Act 1988 (Cth) (Privacy Act) and relevant state and territory laws.

For businesses that have been considering and planning their approach towards mandating COVID-19 vaccinations among staff and visitors to their premises, we reinforce the importance of assessing the entire life cycle of COVID-19 vaccination status information, beyond asking for and collecting it.

1. Collection

Should you sight COVID-19 vaccination status information instead of recording it?

In accordance with the Privacy Act, the collection of personal information only occurs if it is included in a record, meaning sighting the COVID-19 vaccination status of an individual would not be classified as a collection and therefore minimises privacy risks for an organisation.

Sighting, rather than collecting, the COVID-19 vaccination status of an individual may be appropriate where there are restrictions on the entry of a customer or visitor onto an organisation’s premises based on their vaccination status, but there is no law requiring such information to be collected. Further, there may be no practical reason for the organisation to collect this information (such as where a client attends a one-off business meeting in a supplier’s office). In this case, it would be helpful to collect information about the person’s attendance at the office (if it may be needed for contact tracing purposes), rather than collecting their health information.

Can you clearly justify why you need to collect this information?

We recommend against collecting COVID-19 vaccination status information simply because it is ‘nice to have’ or ‘just in case’. The collection must be necessary in light of the organisation’s functions and activities (unless an exception such as a legal requirement applies, mandating collection).

Do you need consent?

Collecting health information ordinarily requires consent. Organisations must ensure the consent is adequately informed, voluntary, current and specific, and be obtained from a person who has capacity. Consent may however be expressed or implied, and where expressed, may be verbal or written. This will be supported by providing the individual with a privacy notice or collection statement in accordance with Australian Privacy Principle (APP) 5 at the time of or before collection, rather than afterwards. Such a notice tells the individual who is collecting the health information, why it is being collected, details on how this information will be used or disclosed, as well as information about how they can access their information, correct it or make a complaint.

In some circumstances, consent is not required, such as where the collection is ‘required or authorised by or under an Australian law or a court/tribunal order’. ^[1] State and territory public health orders or directions are clear examples of this. For example, in Victoria, the COVID-19 Mandatory Vaccination (Specified Facilities) Directions legally require that operators of residential aged care facilities, construction sites, healthcare facilities and education facilities collect, record and hold vaccination status information as part of their obligation to take all reasonable steps to ensure that a worker who is unvaccinated does not enter, or remain on, the premises of the facilities. However, this does not mean that the organisation is exempt from providing the information in a collection statement, at the time of collection, as noted above.

What should you collect?

We recommend that organisations minimise any collection to what is reasonably necessary for their particular objective and exercise caution about collecting whole copies of vaccination certificates, which may contain sensitive information such as healthcare identifiers.

How should this information be collected?

We recommend that organisations use a secure method of collection. For example, a representative may sight the COVID-19 vaccination certificate in-person or virtually and record this in a secure file, or the individual may log into a secure portal where they can input the information themselves. We recommend against using emails for collection, as this is not a secure form of communication.

2. Storage

What should you do with the COVID-19 vaccination status information you hold?

In accordance with APP 11, an organisation must take reasonable steps to protect the personal information it holds from misuse, interference, loss and unauthorised access, modification or disclosure. The more sensitive the information held, the higher the level of security required to achieve this. This may be achieved by storing the information in a secure location (such as a business-grade cloud storage service, rather than in emails or shared drives on the network) and restricting access to those people in the organisation on a ‘need-to-know’ basis.

3. Use and disclosure

What can you use and disclose COVID-19 vaccination status information for?

The general rule is that an organisation can only use COVID-19 vaccination status information for the primary purpose for which it was collected, or for a purpose that is directly related to the primary purpose (unless it is required by law or there is some other exception). The use will generally be to maintain the safety of the workplace, identify any risks and ensure that the organisation can take steps to keep staff and visitors or customers safe.

4. Destruction

How long should you keep COVID-19 vaccination status information?

Privacy laws require that information which is no longer needed be destroyed. The COVID-19 vaccination status information should therefore only be held as long as it is needed and destroyed once it is no longer needed. If there is a legal retention period (such as in a public health order or direction), continue to hold the information until that period expires and then assess whether it is still needed.

We recommend implementing internal processes for ensuring the retention and destruction of this information is regularly reviewed. Holding personal information for longer than necessary is not only non-compliant with APP 11, but it increases the risk of a serious data breach.

How should you destroy this information?

Secure methods of destruction should be used to ensure COVID-19 vaccination status information can no longer be retrieved or is put ‘beyond use’.^[2]

Key takeaways

• Sighting vaccination status information is preferable to collecting the record and storing it.
• Collection is allowed if it is:
  • reasonably necessary for one or more of the entity’s functions or activities and the individual has consented, or
  • required or authorised by law (e.g. a public health order or direction).
• Provide individuals with a Privacy Notice in accordance with APP 5 to inform them about the information being collected and how it will be handled.
• Securely store the information only for as long as it is reasonably necessary for the purpose for which it was collected, then securely destroy the information.

^{[1] APP 3.4(a).}

^{[2] See the Office of the Australian Information Commissioner’s Guide to securing personal information: https://www.oaic.gov.au/privacy/guidance-and-advice/guide-to-securing-personal-information.}