Collection, retention, and destruction of vaccination status information: Important privacy considerations as many COVID-19 vaccine mandates are removed

Early this month (April 2022) the Government announced that some COVID-19 vaccine mandates for workers have been removed. Vaccine mandates now apply only to workplaces that support vulnerable populations (such as health and disability sector workers, and prison and border/MIQ staff), or to work in high-risk environments where there is a high likelihood of exposure to and/or transmission of new COVID-19 variants.

Changes to the “traffic light system” also mean that many businesses and organisations that have previously required proof of vaccination from customers and visitors can no longer do so.

When vaccine mandates came into force in 2021, businesses, organisations, and workplaces (all agencies as defined in the Privacy Act 2020) increasingly required information about vaccination status and/or proof of vaccination by way of a vaccine pass. Many people simply showed their vaccine pass for scanning using the digital “My Vaccine Pass” on their mobile phone, while others preferred to download a pdf copy or even print a physical copy.

In a variety of circumstances, agencies have received digital and/or hard copies of individuals’ vaccine passes and held them in their information storage systems – for example within an email server, electronic file system, or on a physical file. Agencies may also have stored information about vaccination status in some form or other to suit their internal processes.

Who can collect and hold vaccination status information now?

Specific workplaces covered by ongoing vaccine mandates will continue to need to collect and hold vaccination status information.

With the removal of vaccine mandates, some agencies may continue to require proof of vaccination from employees and/or visitors, when this is supported by their health and safety risk assessment.

However, most other agencies will no longer have a legitimate basis for collecting, using, or storing any personal information relating to vaccination status.

What are the implications of collecting and holding vaccination status information?

An individual’s vaccination status is their personal information. Vaccine passes include key pieces of personal information relating to an identifiable individual, such as full name and date of birth – and therefore also key information that could be used to impersonate a vaccinated individual if it falls into the wrong hands.

Whenever any agency collects personal information, they must consider their privacy obligations, especially whether vaccination status information needs to be collected, if so in what format, and where and how it will be stored safely and securely.

Under the Privacy Act, personal information must be protected by such security safeguards as are reasonable in the circumstances, to protect against loss, unauthorised access, use, disclosure, or other misuse. What is reasonable will depend on the circumstances. In the context of vaccination status information and vaccine passes, reasonable safeguards may include considerations such as whether there is any justification for holding a hard copy, how the information can be accessed and by whom, and what security protections are in place in an agency’s IT system.

Not everyone will be concerned about people knowing their vaccination status; some may be happy to share it themselves, but for others it is information that they will want to keep close.

Best practice is to treat vaccination information as “sensitive information” and apply a higher standard of protection to it than might be applied to less sensitive or more standard personal information. Sensitive information is not defined in the Privacy Act, and what is considered sensitive may vary between individuals (for example, information relating to children should always be considered more sensitive because of their increased vulnerability).

What should be done with personal information when it’s no longer required?

When personal information can no longer be lawfully used for the purpose for which it was collected, an agency cannot hold onto it. It must be securely destroyed or deleted. How that is achieved will depend on the way in which it was collected and held.

In some circumstances, personal information can be de-identified or anonymised into aggregated data, but that is less likely to be possible, or appropriate, for most agencies in relation to vaccination status information. It is perhaps conceivable that large agencies may want to hold onto statistics such as percentages of vaccinated and unvaccinated people within a group, but care should be taken to ensure that this does not involve retaining any personal information beyond the time when it should have been destroyed.

Failing to protect personal information can result in a privacy breach which, if considered notifiable (i.e. it has caused or is likely to cause serious harm), will need to be reported to the Office of the Privacy Commissioner and to the affected individuals. Failing to report a notifiable privacy breach can result in a fine of up to $10,000. Moreover, a privacy breach can cause significant reputational harm for the agency involved.

So, what should agencies be doing now?

Agencies that are no longer subject to or operating under COVID-19 vaccine mandates will need to carefully review what vaccination status information they are holding as a matter of priority.

In almost all circumstances, there will be no lawful justification for continuing to collect that information. There may also be no justification for retaining copies of vaccine passes (whether electronic or in hard copy) and vaccine status information, although agencies should turn their minds to other legal obligations that may apply which require them to hold onto specific information for particular periods of time. Agencies must therefore comply with their privacy obligations to delete or destroy vaccination status information promptly once it can no longer be lawfully retained. Failure to do so could result in financial and/or reputational consequences down the line.

This article has been prepared by Senior Associate Louisa Joblin. For advice about the privacy implications of the COVID-19 vaccine mandates, and how these apply to your business, organisation, or workplace, please contact our data protection and privacy team.

Disclaimer: The content of this article is general in nature and not intended as a substitute for specific professional advice on any matter and should not be relied upon for that purpose.
