Privacy guidance for businesses collecting COVID-19 vaccination information

12 November 2021

This privacy guidance is intended to help businesses regulated by the Privacy Act 1988 (Cth) and the Australian Privacy Principles to understand their obligations when collecting, using, storing, and disclosing (‘handling’) information about customers’ and visitors’ COVID-19 vaccination status. You can find specific information regarding vaccinations in the workplace and your privacy obligations to your staff on the OAIC website.

Vaccination information is sensitive health information under the Privacy Act and attracts higher privacy protections.

The following 9-step process will assist businesses to determine:

  • whether they can ask their customers/visitors to show evidence of vaccination
  • if they are able to collect this information and
  • their privacy obligations when handling the information.

Businesses can undertake a privacy impact assessment to identify and mitigate the risks associated with the collection of vaccination status information from customers and visitors. In addition to these steps, businesses should have regard to the Australian Human Rights Commission’s guidance on COVID-19 vaccinations to facilitate compliance with Australia’s anti-discrimination laws.

Key points

  • Sighting vaccination status information instead of collecting information and storing it in a record is a preferable and more privacy protective approach.
  • You can collect vaccination status information from customers and visitors if you are required or authorised by a law to collect this information (for example, if a public health order or direction requires or authorises you to collect evidence that you have verified that a customer or visitor is vaccinated before permitting them entry to your premises).
  • If there is no law requiring or authorising the collection, you can only collect vaccination status information if it is reasonably necessary for your business’s functions and activities and you have obtained the customer or visitor’s consent.
  • You should only collect, use and disclose the minimum amount of vaccination status information from customers and visitors necessary to achieve your purpose.
  • You must be transparent with your customers and visitors and provide them with information about why their vaccination status information is being collected and how it will be handled.
  • You must ensure that you take reasonable steps to keep customer and visitor vaccination status information secure and destroy the information once it is no longer reasonably necessary for the purpose for which you collected it.

1. Consider whether you can sight evidence of vaccination status instead of collecting it

Businesses should carefully consider why they are seeking to collect vaccination status information from customers. Is there a law, such as a public health order or direction, that requires or authorises you to only allow entry to your premises to vaccinated customers and visitors? Is vaccination a condition of entry for your premises?

Under the Privacy Act, a business ‘collects’ personal information only if it collects the information for inclusion in its records. It is preferable and more privacy protective for businesses to sight evidence of vaccination status from customers and visitors rather than collect and store this information. You should consider whether you can achieve your objective by asking customers to show evidence of their vaccination status without retaining the information in a record.

If there is a law that requires or authorises you to only allow entry to vaccinated customers or visitors, you should consider the specific terms of the law and whether you can satisfy its requirements by sighting evidence of vaccination instead of collecting this information in a record.

If you determine that it is necessary for you to collect customer vaccination status information, you must only collect this information if you are satisfied that the collection is permitted under Australian Privacy Principle (APP) 3.

Vaccination status information is sensitive health information under the Privacy Act and attracts higher privacy protections. You should only collect this information if the customer consents and the collection is reasonably necessary for your functions or activities. There may be instances where consent is not required, such as when an exception applies. Find out more about this in the steps below.

2. Determine if there is a law requiring or authorising you to collect vaccination status information from customers and visitors

If an Australian law, such as a public health order or direction, requires or authorises you to collect vaccination status information from customers and visitors, you do not need to obtain consent to collect sensitive health information. An Australian law includes:

  • an Act of the Commonwealth or of a state or territory, or
  • regulations or any other instrument made under such an Act, including public health orders or directions.

You should carefully consider the terms of any applicable public health orders and directions before collecting vaccination status information. For example, if a public health order does not specifically require you to collect and keep a record of vaccination status information, but it does authorise you to undertake reasonable steps to ensure that only vaccinated individuals enter the premises, you should consider whether it is sufficient to sight information rather than collect it and store it in a record.

State and territory public health orders are frequently updated and you should monitor these developments and any specific requirements relating to the collection of vaccination status information.

You must handle this information in accordance with any requirements or privacy protections set out in the relevant public health order or direction. You must also handle this information in accordance with other relevant APPs, such as those governing use and disclosure and security.

3. If there is no relevant law, consider whether vaccination status information is reasonably necessary for your functions or activities

You can only collect customer and visitor vaccination status information if the customer or visitor consents to this collection and the information is reasonably necessary for one or more of your functions or activities.

You must have clear and justifiable reasons for collecting this information and be able to show that there are no reasonable alternatives to achieving your objectives without collecting this information. If you have no immediate and specific use for the information, or you are recording it on a ‘just in case’ basis, the collection would not be considered reasonably necessary.

If you are collecting vaccination status information to facilitate vaccination incentives, you should consider if it is reasonably necessary for you to collect the information or if you can facilitate incentives by sighting the information without collecting and storing it.

4. If there is no relevant law, obtain consent

If you are not legally required to collect customer and visitor vaccination status information, you must obtain consent from customers and visitors to collect this information.

Consent must be freely given and valid. Consent can be express or implied. For consent to be valid, the individual must:

  • be adequately informed before giving consent
  • give consent voluntarily
  • give consent that is current and specific and
  • have the capacity to understand and communicate their consent.

You must provide your customers and visitors with adequate information to understand what personal information you will be collecting, why you need to collect it, what you will use it for, and give them a genuine opportunity to provide or withhold consent.

5. Identify the amount of information you should collect

If you have determined that you can collect vaccination status information from customers and visitors, you should only collect the minimum amount of information that is reasonably necessary to verify vaccination status.

In most instances, businesses will only need to confirm that an individual has been vaccinated. The type of vaccination received by an individual, their Medicare number and their date of birth, for example, would not be considered necessary to verify an individual’s vaccination status and so should not be collected from customers or visitors.

6. Ensure you notify customers and visitors about why you are collecting their information and how you will use it

If you are satisfied that you can collect customer and visitor vaccination status information in accordance with APP 3, you must be open and transparent with your customers and visitors about why this information is being collected and how it will be used.

In most cases, businesses will only be sighting customer and visitor vaccination status information as the preferable and more privacy protective approach. If you decide to collect this information, the APPs will apply.

Before you collect customer vaccination status information, or if that is not practicable, as soon as practicable after collection, you must take reasonable steps to notify your customers of the following matters:

  • the purpose of collection
  • whether the collection is required or authorised by law
  • the consequences if customers refuse to consent to the collection
  • how you will use or disclose information about customers’ and visitors’ vaccination status, including whether you will disclose the information to an overseas entity
  • that your APP privacy policy contains information about how customers and visitors may access their personal information, seek correction of their personal information, make a complaint about a breach of the APPs and how you will deal with such a complaint.

You may need to update your privacy policy and prepare some additional privacy notices for your customers and visitors so they can understand why you are collecting this personal information, and how it will be handled and protected.

7. Determine how you will secure the information

Vaccination status information must be collected and stored in a secure manner. Vaccination status information should not be collected or stored in a manner that allows other customers or visitors to see the information of previous customers and visitors. You must take reasonable steps to protect this information from misuse, interference and loss, and from unauthorised access, modification or disclosure.

You should restrict access to the information to only those staff in your business who need to see it. It is preferable that you store this information in a separate record or database from other business information. This will assist in restricting access and allow you to more easily destroy the information once you no longer require it.

In line with community expectations, the information should be stored in Australia.

8. Consider restrictions on using and disclosing vaccination information

If you are collecting vaccination status information in accordance with a public health order or direction, you should not use or disclose the information in a way that is contrary to the manner specified in the public health order or direction.

If you are collecting vaccination status information with consent, you should not use or disclose this information for any purpose other than the one for which you collected it, unless required by law. For example, you should not use customer and visitor vaccination status information for direct marketing purposes or for commercial distribution.

You should not disclose customer and visitor vaccination status information to any entity that is overseas.

9. Make a plan to delete the information at the appropriate time

If you collect vaccination status information, it should be destroyed once it is no longer needed to verify the vaccination status of your customer or visitor. You should have internal systems and procedures in place to ensure that information is deleted at the appropriate time.

If you have collected customer and visitor vaccination status information in accordance with the requirements of a public health order or direction, you should comply with any provisions regarding retention periods for this information and, if there are none, destroy the information after a reasonable period of time. As a general measure, if you have retained information beyond 28 days, you should regularly review whether this is still reasonably necessary.