What are the privacy considerations when storing Covid-19 vaccination data?

Employers must comply with strict privacy requirements when collecting and storing employee health information

As Australian states and territories increasingly embrace Covid-19 vaccinations, businesses are grappling with how best to open safely. Many businesses are currently confronted with the difficulties involved in upholding vaccine mandates in the workplace. Particularly in New South Wales and Victoria, with Queensland shortly to follow, businesses will be required to check whether employees and customers are vaccinated before they may enter the premises. This presents new challenges for storing Covid-19 vaccination data. 

What legislation regulates the storage of Covid-19 vaccination data?

It is important to note that the Federal Government’s digital vaccine certificates include Individual Healthcare Identifiers (IHIs). An IHI is a unique identifying number used primarily to help healthcare providers communicate with each other and access records. Because of the sensitive nature of IHIs, this information is subject to a higher standard of data security requirements.

Most employers would be aware that information about an individual’s vaccination status is considered sensitive personal information. This information is regulated by the Privacy Act and the Australian Privacy Principles (APPs). However, employers should also be aware of their additional compliance obligations under the Healthcare Identifiers Act (HI Act). This Act regulates the use of IHIs and imposes strict criminal and civil penalties, including imprisonment, if such data is mishandled.

To comply with public health orders, many businesses are required to collect vaccine certificates that contain IHIs. The collection of such information is captured by the HI Act and requires compliance with stringent privacy obligations. This is in addition to the compliance obligations under the Privacy Act.

What are the obligations under the Privacy Act?

Under the Privacy Act, vaccination status of an individual is considered sensitive information and is afforded significant protection. Generally, information about vaccination status may only be collected when:

  • The information is necessary for one or more of the business’s functions or activities; and
  • The individual has consented.

However, consent will not be required if:

  • The collection is required or authorised under Australian law; or
  • The information is necessary to prevent or lessen a serious threat to the life, health, safety or welfare of any individual, or to public health or safety (and it is impracticable to obtain consent).

Therefore, in certain sectors where vaccination is mandated by a public health order, the collection of such information arguably does not require consent. An example of this is a worker included under the Covid-19 Mandatory Vaccination (Workers) Directions (Directions).

However, the fact that an employer is required or authorised to collect vaccination information under the Directions does not necessarily authorise that employer to collect and store a copy of the employee’s vaccine certificate or statement. The requirement under the Directions to collect vaccination information can potentially be satisfied by sighting the vaccination information shown on such a certificate or statement and making a record of it.

Therefore, it would be prudent for an employer to obtain the employee’s valid and informed consent before collecting a copy of the employee’s vaccine certificate.

At the time of collecting such information, or as soon as possible afterwards, businesses are required to issue a collection notice under APP 5. The notice should set out:

  • Why the information has been collected;
  • How it will be used;
  • Who will have access to it;
  • Whether the collection was required or authorised by law; and
  • Whether the information will be disclosed overseas.

What are the obligations under the HI Act?

The handling of IHIs is regulated by the HI Act, the Healthcare Identifiers Regulations and the Privacy Act. Together they provide that IHIs may only be accessed, used and disclosed for limited purposes.

If a person uses or discloses an IHI in circumstances that are not permitted under the HI Act, the person will not only be subject to criminal and civil penalties under the HI Act, but will also be in breach of the Privacy Act.

A business must take reasonable steps to protect IHIs from misuse, loss and unauthorised access, modification or disclosure. This can be achieved by implementing IT systems that incorporate minimum standards such as:

  • Security features;
  • Audit trails of individual staff access to IHIs in the system; and
  • Encryption.

However, for most businesses, this kind of system is impractical and expensive. A simple alternative is to ask employees and customers to redact the IHI from their vaccine certificate before providing a copy to the employer. Businesses could also sight vaccine certificates (instead of storing them) and record only the time, the date and the staff member who sighted each certificate. In any event, businesses must ensure that the approach they take to collecting, recording and holding vaccination information complies with the requirements of the public health order that mandates vaccinations.

Businesses should also be aware of the impending rollout of service apps such as vaccine passports, particularly in New South Wales, Victoria and Queensland. If such apps require any form of storage of certificates, the obligations under the HI Act may apply.

The Final Word

The mandate for employers to collect Covid-19 vaccination data from employees comes with strict compliance obligations for privacy and health information. Contact us for more information about storing Covid-19 vaccination data. 

This article was written by Evelyn Zeglinas & Alexandra Shaw