COVID-19 – Vaccination and my privacy rights as a Queensland health employee

Queensland health agencies must deal with personal information[1] in accordance with the privacy principles[2]. A health agency is the Department of Health and the Hospital and Health Services. If you are employed by a health agency this obligation applies to your personal information, including information about whether you have received a COVID-19 vaccination or your reasons for deciding not to be vaccinated.

This guideline[3] is intended to assist health agency employees to understand their privacy rights in relation to their COVID-19 vaccination status information. Employees of other agencies should refer to COVID-19 – Vaccination and my privacy rights as a Queensland public sector employee.

For more general information on your privacy rights in the context of managing COVID-19, see Privacy and public service employees in the pandemic.

Can my employer require me to disclose my vaccination status information?

Vaccination status information

Vaccination status information in this guideline includes whether you have been vaccinated, any decision to not receive the vaccine, and any reasons for that decision.

Your employer can only ask for your vaccination status information in limited circumstances. Health agencies[4] must have a clear and justifiable reason for collecting it that relates to their functions or activities, which can include preventing or managing COVID-19.

Specific health and safety risks in your workplace and applicable workplace laws can affect whether the collection of your vaccination status information is necessary for your employer’s activities or functions.

More information

Refer to WorkSafe Queensland, the Fair Work Ombudsman and Safe Work Australia for information on workplace COVID-19 management.

If your employer can achieve their purpose without collecting your vaccination status information, or is asking for it for an unspecified or possible future purpose, it will be difficult for them to establish that the collection is necessary.

Health information

Whether you have been vaccinated or not is health information. Your decision not to have the COVID-19 vaccination and, if based on medical reasons, any medical evidence related to your choice is also health information.

Health information can only be collected in specific circumstances.[5] These include where you have consented to its collection or its collection is authorised or required by law.[6] If the health agency wants to rely on consent, it must be informed, freely given and valid,[7] which means the health agency is not allowed to pressure or intimidate you into providing information about your vaccination status.

If your decision not to get the vaccine is based on something other than medical reasons, then your reasons for not getting it will not be health information.

What if the collection is authorised or required by law?

Health agencies can collect your vaccination status information if a law authorises or requires it. Law includes a Queensland Act or an Act of another jurisdiction, such as the Commonwealth, that applies in Queensland, or regulations or any other instrument made under those Acts, including public health orders or directions. For example, the Designated COVID-19 Hospital Network Direction requires relevant employees to be vaccinated against COVID-19 and authorises public health emergency officers to direct relevant employees to provide evidence of vaccination.

Does my employer have to tell me why they are collecting my vaccination status information?

In most cases, yes. The health agency you work for must be transparent about why your information is being collected and how it will be used and disclosed.[8] Your employer should give you this information before they collect your vaccination status information or, if this is not practicable, as soon as practicable after collection occurs.

The health agency must take reasonable steps to make you aware of:

  • the identity of the health agency and how to contact it;
  • the fact that you can get access to the information;
  • the purpose of collection;
  • any entity or entities it is the health agency's usual practice to disclose the information to;
  • if the collection is required or authorised by law; and
  • any consequences if you refuse to provide it.

Exception

A health agency does not have to give you this information if the collection of your vaccination status information is required under a statutory collection.[9]

If I give my vaccine status information to my employer, will it be protected?

Health agencies must protect your vaccine status information against unauthorised misuse, loss and unauthorised access, modification or disclosure.[10] Reasonable steps must be taken by the health agency to ensure it is accurate, complete, up to date and not misleading. Once it is no longer required, the health agency must take reasonable steps to deidentify it.[11]

Your vaccination status information can only be used or disclosed in accordance with why it was collected, what you were told when your employer collected it, or as provided for in the privacy principles.[12] See Basic guide to NPP 2 - Use and disclosure for more information.

Can I make a complaint if I think my employer is misusing my vaccination status information?

If you think your employer is misusing your vaccination status information, you should contact your employer in the first instance to try to resolve the issue. If it cannot be resolved informally, you should follow the health agency's complaint process and make a written privacy complaint to your employer.

If this complaint cannot be resolved within 45 business days, you can bring your complaint to the Office of the Information Commissioner. If it cannot be resolved by this Office, you will have the right to request it be referred to the Queensland Civil and Administrative Tribunal.

See How to make a privacy complaint and What to expect when you bring a privacy complaint to OIC for more information on making a privacy complaint.


  • 1 Personal information is any information about an individual who can reasonably be identified; see section 12 of the IP Act for the full definition.
  • 2 The privacy principles include the National Privacy Principles (NPPs), with which health agencies must comply,
  • 3 This guideline is based on the Office of the Australian Information Commissioner's COVID-19: Vaccinations and my privacy rights as an employee.
  • 4 Under NPP1, health agencies can only collect personal information necessary for their functions or activities and must collect it in a reasonably unobtrusive, lawful, and fair manner. See All agencies - Obligations when collecting personal information for more information.
  • 5 The definition of sensitive information includes health information and health information includes vaccination status information.
  • 6 For a list of all circumstances in which a health agency can collect health information, see Basic guide to NPP 9 - Collection of sensitive information.
  • 7 See Key Privacy Concepts – agreement and consent for information about what constitutes valid consent.
  • 8 As set out in NPP 1.
  • 9 Statutory collection means collection under an Act requiring a person to give information to the health agency or a register or other personal information collection the health agency is authorised or required to maintain under an Act for monitoring public health issues.
  • 10 NPP 4.
  • 11 NPP 4, subject to Public Records obligations.
  • 12 NPP 2 sets out when health agencies can use and disclose personal information.

Current as at: July 2, 2021