7 September 2021

An article by Australian Information Commissioner and Privacy Commissioner Angelene Falk, published by The Australian on 15 August 2021.

As millions of Australians remain in lockdown due to the COVID-19 Delta variant, a range of strategies and options are being debated for the future, including whether there will be a role for vaccination certificates to be used as ‘vaccine passports’.

Throughout the pandemic, the use of personal information has been central to the public health response, while government release of timely and accurate information has helped citizens around the world respond and support containment efforts.

Overseas, a growing number of governments are introducing a form of vaccine passport for travel and access to large gatherings and major facilities, among other uses.

In Australia, there is also discussion about the use of vaccination status to facilitate increased mobility in the future, particularly international travel. There are suggestions by some that a vaccination certificate could have a role in domestic journeys, entry to large venues and events, and some businesses and workplaces.

The debate is fast moving and raises intersecting issues across workplace and other laws. It requires consideration of medical evidence, input from experts, business, employees and the community, and an assessment of risk. It also raises privacy issues.

While the path forward is yet to unfold, what we know is that Australians value their privacy and are concerned about its protection. Our Australian Community Attitudes to Privacy Survey last year found seven in 10 Australians see privacy as a major concern in their life. It also found that while Australians support some privacy concessions to combat COVID-19, 60% don’t want them to be permanent.

We’ve seen these deeply held privacy concerns play out in the public response to QR code check-in apps, an area where most state and territory governments have now stepped in to mandate use of a secure and privacy-protective system. Importantly, with the development of the COVIDSafe app, community concerns were addressed through a thorough and public privacy impact assessment, and strong privacy safeguards were legislated.

So as part of any debate on the use of vaccination certificates for travel, work or access to premises, privacy needs to be considered upfront.

This was recognised early on by the Global Privacy Assembly of international data protection authorities, which advised that trust and confidence in processing health data for travel purposes will rely on assurances to individuals that “their data is handled securely; the data demanded of them is not excessive; they have clear and accessible information to understand how their data will be used; there is a specific purpose for the processing; their data will be retained for no longer than is necessary.”

These privacy principles are universal and should inform any policy consideration in Australia.

A privacy-by-design approach is the first step forward, including privacy impact assessments that identify and address risks and build in protections from the ground up. The strongest privacy protections are those mandated by legislation and parliamentary oversight, with clear accountabilities.

Embedded in this approach is the need to assess whether a measure is in fact necessary – is there a less intrusive way to achieve the same goal? Is the solution reasonable in the circumstances? And is the response proportionate to the risk?

Data minimisation is a key principle: the less data that is collected from people, the less risk there is of their personal information being caught up in a data breach. Indeed, the starting point is whether personal information needs to be collected at all – could a vaccination certificate simply be sighted where necessary?

Any organisation that collects Australians’ sensitive health information must be able to take reasonable steps to secure it from loss, theft, or unauthorised access or disclosure. At a time when we are still seeing some manual collection of check-in information, the community has strongly signalled its expectation that their contact details are not visible to every employee, or to the next customer who signs in.

While large organisations and health service providers have existing obligations under the Privacy Act 1988 to respect and protect personal information, not all employers or businesses are covered by this privacy law, and private sector employee records are exempt. But the community expects any collection of their personal health information to be limited to where it is objectively necessary, and that it will be safeguarded.

A nationally harmonised approach to the handling of vaccine passports can provide clarity for those who need to apply the rules, and build community confidence in measures that seek to protect our health, our economy and our privacy.

Australia has an opportunity to heed the privacy lessons of the pandemic and ensure this sensitive information is clearly protected by law – from the start.

Angelene Falk is the Australian Information Commissioner and Privacy Commissioner, and sits on the Executive Committee of the Global Privacy Assembly.