The Office of the Australian Information Commission (OAIC) has recommended organisations sight vaccination status rather than collect and retain it.
This advice is part of OAIC’s new guidelines released on 12 November 2021 to help businesses regulated by the Privacy Act 1988 (Cth) understand their obligations when handling COVID-19 vaccination information. This article summarises the new guidelines.
Vaccination status is classified as ‘sensitive health information’ under the Privacy Act and attracts stricter privacy protection than other types of personal information. The OAIC recommends that organisations only sight COVID-19 vaccination status and do not ‘collect it’, unless:
- collection of that information is required or authorised by an Australian law; or
- collection is reasonably necessary for one or more of the organisation’s functions and individual consents to the collection. Consent must be informed, free and voluntary.
The guidelines confirm organisations should collect the minimum amount of information reasonably necessary to confirm vaccination status.
If you do collect an individual’s vaccination status information, you should be open and transparent about why the information is being collected, and how you will use it. This includes notifying the individual of:
- the reason for the collection;
- whether collection is required by law;
- the consequences of refusing to consent to collection;
- if and how you will use or disclose the information; and
- that your APP privacy policy contains information about how customers and visitors may access their personal information, seek correction of their information, make a complaint about breach of the APPs and how you will deal with the complaint.
COVID-19 vaccination status must be collected and stored in a secure manner, separate to other business information. Organisations also must take reasonable steps to protect the information from misuse, interference or loss, as well as any unauthorised access, modification or disclosure. Staff should only be able to access the information if it is necessary. A plan must also be put in place to destroy the vaccination status information once it is no longer needed. The OAIC guidelines recommend that if the information is retained for more than 28 days, the necessity of the retention of the information should be regularly reviewed.
If you have any questions about your privacy obligations or need assistance preparing a Privacy Policy, please contact Karen Keogh or Chelsea Gordon.
This article was written by Karen Keogh, Partner, Chelsea Gordon, Associate and Ursula Paetzholdt, Law Clerk.