Queensland health agencies must deal with personal information1 in accordance with the privacy principles2 contained in the Information Privacy Act 2009 (Qld) (IP Act). This obligation applies to the personal information of their employees, including whether or not they have received a COVID-19 vaccination.
Non-government employers should refer to the Office of the Australian Information Commissioner's website3 for guidance on handling information about their employees' vaccination status.
This guideline4 is intended to assist the Department of Health and Hospital and Health Services (health agencies) to meet their privacy obligations regarding their employees' COVID-19 vaccination status information. The guideline Managing privacy in a pandemic provides information about managing employee privacy generally in the context of COVID-19.
This guideline does not apply to non-health agencies. Non-health agencies should refer to COVID-19 – Agency privacy obligations and employee vaccination status.
Collecting employee vaccination status information
Vaccination status information
Vaccination status information in this guideline includes whether an employee has been vaccinated, any decision by an employee to not receive the vaccine, and any reasons for that decision.
Vaccine status information can only be collected if it is necessary for a health agency's functions or activities; the health agency must have clear and justifiable reasons for collecting employees' vaccine status information and it must be collected in a reasonably unobtrusive, lawful, and fair manner.5
Whether an employee has been vaccinated or not is health information. Any decision by an employee not to have the COVID-19 vaccination and, if based on medical reasons, any medical evidence related to their decision is also health information. If the decision was based on something other than medical reasons those reasons will not be health information.
A health agency can only collect health information6 as set out in NPP 9.7 This includes where the individual has consented to its collection, or the collection is required by law. For a health agency to rely on employee consent, the consent must be valid, i.e. voluntary, informed, specific and current. Refer to Key privacy concepts: agreement and consent for more information.
For a full list of when a health agency can collect health information refer to Health agencies - collecting sensitive personal information.
Evidence of vaccination - sighting only
Where health agencies can lawfully collect their employees’ vaccination status, health agencies should sight evidence of vaccination status, rather than taking a copy. This approach minimises the collection of health information consistent with NPP 1.
In the event an employee provides the agency with a copy of their vaccination status this should be sighted and recorded. Once that action is complete, the document should be disposed of (destroyed), provided this is consistent with your agency’s policy and procedure outlining the process which is followed to verify employee vaccination status.8
Mandatory collection and vaccination
Health agencies can collect employee vaccination status information if it is required or authorised by law. Law includes a Queensland Act, an Act of another jurisdiction, such as the Commonwealth, that applies in Queensland, and regulations or instruments made under those Acts, including public health orders or directions.
Relevant laws may require a health agency to collect employee vaccination status information, require employees to be vaccinated, or both. Some examples are:
- the Designated COVID-19 Hospital Network Direction, which requires relevant employees to be vaccinated against COVID-19 and authorises public health emergency officers to direct relevant employees to provide evidence of vaccination
- the COVID-19 Vaccination Requirements for Workers in a high-risk setting Direction, which requires workers in specified industries and ones entering designated high-risk settings to be vaccinated against COVID-19 and provide proof of vaccination.
Health agencies should consider public health advice when determining whether it is necessary to collect vaccination status information. Workplace health and safety obligations and risks and relevant workplace laws can also affect whether it is necessary to collect vaccination status information.
Notification obligations when collecting vaccination status information
In most cases, the health agency must be transparent about why it is collecting this information and how it will be used.9 This information must be provided before collecting the information or, if this is not practicable, as soon as practicable after collection occurs.
When collecting vaccine status information, health agencies must take reasonable steps to inform their employees of the following:
- the health agency's identity and how to contact it
- the fact that the employee can get access to the information
- the purpose of collection
- any entity or entities it is the health agency's usual practice to disclose the information to
- if the collection is required or authorised by law; and
- any consequences if the employee refuses to provide it.10
A health agency does not have to provide this information if the collection of employee vaccination status information is required under a statutory collection.11
Statutory collection means:
- collection under an Act requiring a person to give information to the health agency; or
- a register or other personal information collection the health agency is authorised or required to maintain under an Act for monitoring public health issues.
Obligations after employee vaccination status information is collected
Health agencies must protect employee vaccine status information against unauthorised misuse, loss and unauthorised access, modification or disclosure.12 Reasonable steps must be taken by the agency or health agency to ensure the information is accurate, complete, up to date and not misleading.13 Once it is no longer required, the health agency must take reasonable steps to deidentify it.14
Vaccination status information can only be used or disclosed in accordance with why it was collected and/or what employees were told when the information was collected or as provided for in the privacy principles.15
Where collection was required by law
Where vaccine status information was collected under a public health direction or other law, that law may:
- impose specific storage and security requirements; and/or
- limit its use and/or disclosure.
Privacy impact assessments
Health agencies intending to collect their employees' vaccination status information should consider undertaking a Privacy Impact Assessment (PIA), even if the collection is authorised or required by law.
A PIA allows a health agency to identify the privacy risks associated with the collection of vaccination status information and can assist the health agency to:
- accurately record the information it collects and ensure it is complete and kept up-to-date
- meet its notification obligations, i.e. what a health agency must communicate when collecting this information
- collect the information using a secure method and store it securely once collected; and
- limit the use and disclosure of employee vaccination status information to what is necessary to prevent and manage COVID-19.
A PIA will also assist a health agency to be open and transparent about how it will deal with employee vaccination status information.
Refer to Overview of the Privacy Impact Assessment (PIA) process and Undertaking a Privacy Impact Assessment for more information.
- 1 Personal information is any information about an individual who can reasonably be identified; see section 12 of the IP Act for the full definition.
- 2 The privacy principles include the National Privacy Principles (NPPs), with which health agencies must comply.
- 3 Coronavirus (COVID-19) Vaccinations: Understanding your privacy obligations to your staff and Privacy guidance for businesses collecting COVID-19 vaccination information
- 4 This guideline is based on the Office of the Australian Information Commissioner's Coronavirus (COVID-19) Vaccinations: Understanding your privacy obligations to your staff
- 5 NPP 1; see All agencies - Obligations when collecting personal information for more information.
- 6 Health information is defined in schedule 5 of the IP Act.
- 7 Sensitive information is defined in schedule 5 of the IP Act and includes health information.
- 8 Where a policy states that vaccination certificates are to be sighted only, any copies of certificates received may be disposed of after business action has been completed under Disposal Authorisation 1273 of the General Retention and Disposal Schedule.
- 9 As set out in NPP 1; refer to All agencies – What to tell people when collecting personal information for more information.
- 10 NPP 1(3)
- 11 NPP 1(6)
- 12 NPP 4.
- 13 See the Security, accuracy and relevance guidelines for more information.
- 14 NPP 4, subject to Public Records obligations.
- 15 NPP 2 sets out when health agencies can use and disclose personal information. See Basic guide to NPP 2 - Use and disclosure and the use and disclosure guidelines for more information.
- 16 Section 7(2) of the IP Act provides that the IP Act operates subject to other Acts relating to use and disclosure of personal information.
Current as at: December 16, 2021