Queensland government agencies[1] must deal with personal information[2] in accordance with the privacy principles[3] contained in the Information Privacy Act 2009 (Qld) (IP Act). This obligation applies to the personal information of their employees, including whether or not they have received a COVID-19 vaccination.
Non-government employers should refer to the Office of the Australian Information Commissioner website[4] for guidance on handling information about their employees' vaccination status.
This guideline[5] is intended to assist Queensland government agencies to understand their privacy obligations regarding their employees' COVID-19 vaccination status information. The guideline Managing privacy in a pandemic provides information about managing employee privacy generally in the context of COVID-19.
This guideline does not apply to health agencies, ie the Department of Health or Hospital and Health Services. Health agencies should refer to COVID-19 – Health agency privacy obligations and employee vaccination status.
Collecting employee vaccination status information
Vaccination status information
Vaccination status information in this guideline includes whether an employee has been vaccinated, any decision by an employee to not receive the vaccine, and any reasons for that decision.
Vaccination status information can only be collected where it is reasonably necessary for the agency's functions or activities. Agencies need clear and justifiable reasons for collecting it. When it can be collected, it must be collected in a way that does not unreasonably intrude on the employee's personal affairs and agencies must take steps to ensure it is accurate, complete, up to date and not misleading.[6]
Evidence of vaccination - sighting only
Where agencies can lawfully collect their employees’ vaccination status, agencies should sight evidence of their vaccination status and make a record of this action, rather than retaining a copy of the evidence. This approach minimises the collection of personal information consistent with IPPs 1 and 3.
In the event an employee provides the agency with a copy of their vaccination status, this should be sighted and recorded. Once that action is complete, the document should be disposed of (destroyed), provided this is consistent with your agency’s policy and procedure outlining the process which is followed to verify employee vaccination status.[7]
The same process should be applied if employees have a medical exemption from being required to be vaccinated.
Vaccination status information cannot be collected for an unspecified or possible future purpose or where the functions or activities of the agency can be undertaken without it. For example, it is unlikely that collecting vaccination status information for monitoring purposes only would be considered necessary.
Agencies should consider public health advice when determining whether it is reasonably necessary to collect vaccination status information. Workplace specific health and safety risks and relevant workplace laws can also affect whether it is necessary to collect vaccination status information.
If collection is required or authorised by law
Agencies can collect employee vaccination status information if it is required or authorised by law. Law includes a Queensland Act, an Act of another jurisdiction, such as the Commonwealth, that applies in Queensland, and regulations or other instrument made under those Acts, including public health orders or directions.
Relevant laws may require an agency to collect employee vaccination status information, require employees to be vaccinated, or both. Some examples are:
- the Designated COVID-19 Hospital Network Direction, which requires relevant employees to be vaccinated against COVID-19 and authorises public health emergency officers to direct those employees to provide evidence of vaccination.
- the COVID-19 Vaccination Requirements for Workers in a high-risk setting Direction, which requires workers in specified industries and those entering designated high-risk settings to be vaccinated against COVID-19 and provide proof of vaccination.
No collection 'just in case'
Vaccination status information cannot be collected for an unspecified or possible future purpose or where the functions or activities of the agency can be undertaken safely without it. For example, it is unlikely that collecting vaccination status information for monitoring, or statistical, purposes would be considered necessary.
When determining whether it is reasonably necessary to collect vaccination status information, agencies should consider public health advice. Workplace health and safety obligations and risks, relevant workplace laws and workplace specific vaccine directives can also affect whether it is necessary to require vaccinations and/or collect vaccination status information.
Notification obligations when collecting vaccination status information
In most cases, the agency must be transparent about why it is collecting vaccine status information and how it will be used and disclosed.[8] It must take reasonable steps to make its employees generally aware of why the information is being collected, any legal authority for the collection, anyone it is the agency's usual practice to disclose it to and any entity that they will disclose it to.[9]
This information must be provided before collecting the information or, if this is not practicable, as soon as practicable after collection occurs.
Obligations after employee vaccination status information is collected
Agencies must protect employee vaccine status information against unauthorised misuse, loss and unauthorised access, modification or disclosure.[10] It must be appropriately secured and reasonable steps taken to ensure the information is accurate, complete, up to date and not misleading.[11]
Vaccination status information can only be used or disclosed in accordance with why it was collected, what employees were told when the information was collected, or as provided for in the privacy principles.[12]
Where collection was required by law
Where vaccine status information was collected under a public health direction or other law, that law may:
- impose specific storage and security requirements; and/or
- limit its use and/or disclosure.
In those circumstances, the secondary uses and/or disclosures permitted under the privacy principles will not apply.[13]
Privacy impact assessments
Agencies intending to collect their employees' vaccination status information should consider undertaking a Privacy Impact Assessment (PIA), even if the collection is authorised or required by law.
A PIA allows an agency to identify the privacy risks associated with the collection of vaccination status information and can assist the agency to:
- accurately record the information it collects and ensure it is complete and kept up-to-date
- meet its notification obligations, ie what an agency must communicate when collecting this information
- collect the information using a secure method and store it securely once collected; and
- limit the use and disclosure of employee vaccination status information to what is necessary to prevent and manage COVID-19.
A PIA will also assist an agency to be open and transparent about how it will deal with employee vaccination status information.
Refer to Overview of the Privacy Impact Assessment (PIA) process and Undertaking a Privacy Impact Assessment for more information.
- 1 In this guideline an agency includes a Minister.
- 2 Personal information is any information about an individual who can reasonably be identified; see section 12 of the IP Act for the full definition.
- 3 The privacy principles include the Information Privacy Principles (IPPs), with which all agencies except health agencies must comply.
- 4 Coronavirus (COVID-19) Vaccinations: Understanding your privacy obligations to your staff and Privacy guidance for businesses collecting COVID-19 vaccination information
- 5 This guideline is based on the Office of the Australian Information Commissioner's Coronavirus (COVID-19) Vaccinations: Understanding your privacy obligations to your staff
- 6 IPP 1 and IPP 3; see: All agencies - Obligations when collecting personal information for more information.
- 7 Where a policy states that vaccination certificates are to be sighted only, any copies of certificates received may be disposed of after business action has been completed under Disposal Authorisation 1273 of the General Retention and Disposal Schedule.
- 8 As set out in IPP 2; refer to All agencies – What to tell people when collecting personal information for more information.
- 9 Security requirements are set out in IPP 4; refer to Non-health agencies - Protection and security of personal information for more information.
- 10 IPP 4.
- 11 See the Security, accuracy and relevance guidelines for more information.
- 12 IPP 10 and 11 set out when agencies can use and disclose information. See the use and disclosure guidelines for more information.
- 13 Section 7(2) of the IP Act provides that the IP Act operates subject to other Acts relating to use and disclosure of personal information.
Current as at: December 16, 2021