No matter what legal obligations apply to your business, vaccination information will be considered sensitive data by your staff and customers, and you should ensure you collect, use and store that information with an appropriate level of security and respect.
A person’s COVID-19 vaccination status and unique Individual Healthcare Identifier (IHI) are considered sensitive health information for the purposes of the Privacy Act 1988 (Cth) (Privacy Act). This means stricter measures apply to collecting, disclosing and storing this information so that misuse and unauthorised access are prevented.
Businesses should tread carefully in this space as there are substantial penalties and compensation payable for interference with an individual’s privacy and for data breaches. In some circumstances, where covered by the Privacy Act, businesses will have a positive obligation to report certain data breaches to the Office of the Australian Information Commissioner, and to notify impacted individuals in line with the mandatory notifiable data breach requirements of the Privacy Act.
The Victorian Chamber has prepared some tips to get your business on the front foot in dealing with vaccination information.
#1: Only request an individual’s COVID-19 vaccination status where it is reasonably necessary
Consider if obtaining someone’s vaccination status is necessary for your workplace functions and activities. If you can perform your functions and activities without collecting the information you should strongly consider not requesting it.
It may however be necessary to collect a person’s vaccination status to comply with a public health order or direction, or to provide a safe workplace for staff by preventing or managing COVID-19.
Unless required by a direction or order, avoid collecting vaccination information from persons other than employees (e.g., contractors, visitors and customers). In these instances, you may be able to comply with applicable public health orders or directives by simply sighting a COVID-19 vaccine certificate rather than collecting and recording this information. Once you record a person’s vaccination status, you become the custodian of sensitive health information and may need to comply with the Privacy Act and Health Records Act 2001 (Vic) when handling such data.
Businesses should ensure they comply with all relevant obligations under the Privacy Act, including the obligations under the Australian Privacy Principles (APP). Some key APPs to note include:
- APP 1. This requires businesses to be open and transparent about how personal information is collected, used and disclosed.
- APP 5. This is about notifying individuals of certain things before (or as soon as reasonably practicable after) collecting their personal information.
#2: Keep data secure
APP 11 requires organisations covered by the Privacy Act to take reasonable steps to protect personal information from misuse, interference and loss, as well as unauthorised access, modification or disclosure. What steps are reasonable will depend on a range of factors like the sensitivity of the information stored, and the resources available to your business.
Practically, you should ensure you keep COVID-19 vaccine certificates in a secure location. Some ways of doing this might include:
- Having a dedicated HR representative to collect COVID-19 vaccine certificates and requesting that staff redact the IHI number on their COVID-19 vaccine certificate before sending
- Storing the certificate on the employee’s file where similar data is kept and can only be accessed by a limited number of appropriate employees, such as the HR Manager
- If you receive certificates or other information by email, save the email in an appropriate and secure location and then delete the email
- Ensure your organisation has an appropriate level of information security protection and training (such as appropriate firewalls and training for staff on how to detect phishing and other scams).
You should ensure that only those who “need to know” have access to COVID-19 vaccine certificates.
#3: Keep storage to a minimum
You should note that the Privacy Act says you must destroy or permanently deidentify personal information when you no longer need it for any purpose permitted by the Privacy Act.
Only keep a COVID-19 vaccine certificate on file for the period necessary to achieve its purpose. This may be for as long as the State or Federal Governments have vaccination requirements in place.
If COVID-19 vaccine certificates are no longer valid or required, securely and permanently destroy the data.
#4: Develop a process and inform your staff
Be proactive and open and advise staff and customers why you are collecting the information, how you will use the information and the process you have implemented to collect, store and secure COVID-19 vaccine certificates.
Where no health orders are in place, and your business chooses to collect vaccination information about staff/patrons, you should ensure you are complying with all applicable requirements of the Privacy Act (including the obligation to provide a “collection statement” under APP 5).
You might want to inform your staff of the following:
- Your preference for employees to redact the IHI number before the certificate comes to you
- Your preferred method of receiving the COVID-19 vaccine certificate (e.g., via email and not through an instant messaging platform)
- The nominated HR representative to receive the COVID-19 vaccine certificate, noting that others should not be copied on the email to limit potential use and disclosure
- Where you will store the COVID-19 certificate and what security measures you have in place to protect their information
- Their responsibility to help keep their information current and accurate
- Contact details of your organisation that people can use if they have a question or complaint.
Privacy law in Australia is complex, and VCCI recommends businesses seek advice if they have any questions or doubts about what they need to do when collecting, using, storing or disclosing COVID-19 vaccine information.
The content in this article should not be relied on as legal advice and is for information purposes only. It is intended to provide an overview of an area of public interest, but no representation is made as to the accuracy or usefulness of the information on this page. In navigating through this topic, you should consider your own circumstances and seek legal or other professional advice as necessary.