Some versions of the COVID-19 digital certificate contain an Individual Healthcare Identifier (IHI).
This is a 16-digit number that identifies an individual for healthcare purposes.
On 3 March 2022, the Office of the Australian Information Commissioner published new guidelines titled ‘Privacy guidance regarding Individual Healthcare Identifiers (IHIs) on COVID-19 digital vaccination certificates’ (New Guidelines). The New Guidelines set out privacy obligations for organisations and individuals who collect COVID-19 digital certificates that contain an IHI.
The New Guidelines make it clear that if an entity keeps a copy of an individual’s COVID-19 certificate containing an IHI, the entity is required to comply with both the Australian Privacy Principles (set out in the Privacy Act (Cth)) and the Healthcare Identifiers Act (Cth) (Legislation). Failure to meet these obligations may attract civil or criminal penalties.
Key takeaways for those collecting COVID-19 Certificates
- If it is not required, do not collect a COVID-19 digital certificate. Where possible, sight a COVID-19 digital certificate to confirm vaccination instead.
- If it is necessary to collect a copy of a COVID-19 digital certificate, ask for proof it does not contain an IHI, such as a COVID-19 certificate downloaded to a digital wallet. If this is not possible, ask the individual you are collecting it from to redact the IHI, or do it yourself.
- For certificates already collected and stored in a record, consider removing or redacting the IHI from the certificate. APP entities are required to ensure personal information held is ‘accurate, up to date, complete and relevant’, and an IHI may not be relevant if the APP entity is not providing a healthcare service.
If you have any questions about your privacy obligations, please contact Scott Chapman or Chelsea Gordon.
This article was written by Scott Chapman, Partner, Chelsea Gordon, Senior Associate, and Romy Sirtes, Solicitor.