COVID-19 – Health agency privacy obligations and employee vaccination status

Queensland health agencies must deal with personal information1 in accordance with the privacy principles2 contained in the Information Privacy Act 2009 (Qld) (IP Act). This obligation applies to the personal information of their employees, including whether or not they have received a COVID-19 vaccination.

Non-government employers

Non-government employers should refer to the Office of the Australian Information Commissioner's website3 for guidance on handling information about their employees' vaccination status.

This guideline4 is intended to assist the Department of Health and Hospital and Health Services (health agencies) to meet their privacy obligations regarding their employees' COVID-19 vaccination status information. The guideline Managing privacy in a pandemic provides information about managing employee privacy generally in the context of COVID-19.

This guideline does not apply to non-health agencies. Non-health agencies should refer to COVID-19 – Agency privacy obligations and employee vaccination status.

Collecting employee vaccination status information

Vaccination status information

Vaccination status information in this guideline includes whether an employee has been vaccinated, any decision by an employee to not receive the vaccine, and any reasons for that decision.

Vaccine status information can only be collected if it is necessary for a health agency's functions or activities; the health agency must have clear and justifiable reasons for collecting employees' vaccine status information and it must be collected in a reasonably unobtrusive, lawful, and fair manner.5

Health information

Whether an employee has been vaccinated or not is health information. Any decision by an employee not to have the COVID-19 vaccination and, if based on medical reasons, any medical evidence related to their decision is also health information. If the decision was based on something other than medical reasons those reasons will not be health information.

A health agency can only collect health information6 as set out in NPP 9.7 This includes where the individual has consented to its collection, or the collection is required by law. For a health agency to rely on employee consent, the consent must be valid, i.e. voluntary, informed, specific and current. Refer to Key privacy concepts: agreement and consent for more information.

For a full list of when a health agency can collect health information refer to Health agencies - collecting sensitive personal information.

Evidence of vaccination - sighting only

Where health agencies can lawfully collect their employees’ vaccination status, health agencies should sight evidence of vaccination status, rather than taking a copy. This approach minimises the collection of health information consistent with NPP 1.

In the event an employee provides the agency with a copy of their vaccination status this should be sighted and recorded. Once that action is complete, the document should be disposed of (destroyed), provided this is consistent with your agency’s policy and procedure outlining the process which is followed to verify employee vaccination status.8

Mandatory collection and vaccination

Health agencies can collect employee vaccination status information if it is required or authorised by law. Law includes a Queensland Act, an Act of another jurisdiction, such as the Commonwealth, that applies in Queensland, and regulations or instruments made under those Acts, including public health orders or directions.

Relevant laws may require a health agency to collect employee vaccination status information, require employees to be vaccinated, or both. Some examples are:

Health agencies should consider public health advice when determining whether it is necessary to collect vaccination status information. Workplace health and safety obligations and risks and relevant workplace laws can also affect whether it is necessary to collect vaccination status information.

More information

Refer to WorkSafe Queensland, the Fair Work Ombudsman and Safe Work Australia for more information on managing COVID-19 in the workplace.

Notification obligations when collecting vaccination status information

In most cases, the health agency must be transparent about why it is collecting this information and how it will be used.9 This information must be provided before collecting the information or, if this is not practicable, as soon as practicable after collection occurs.

When collecting vaccine status information, health agencies must take reasonable steps to inform their employees of the following:

  • the health agency's identity and how to contact it
  • the fact that the employee can get access to the information
  • the purpose of collection
  • any entity or entities it is the health agency's usual practice to disclose the information to
  • if the collection is required or authorised by law; and
  • any consequences if the employee refuses to provide it.10


A health agency does not have to provide this information if the collection of employee vaccination status information is required under a statutory collection.11

Statutory collection means:

  • collection under an Act requiring a person to give information to the health agency; or
  • a register or other personal information collection the health agency is authorised or required to maintain under an Act for monitoring public health issues.

Obligations after employee vaccination status information is collected

Health agencies must protect employee vaccine status information against unauthorised misuse, loss and unauthorised access, modification or disclosure.12 Reasonable steps must be taken by the agency or health agency to ensure the information is accurate, complete, up to date and not misleading.13 Once it is no longer required, the health agency must take reasonable steps to deidentify it.14

Vaccination status information can only be used or disclosed in accordance with why it was collected and/or what employees were told when the information was collected or as provided for in the privacy principles.15

Where collection was required by law

Where vaccine status information was collected under a public health direction or other law, that law may:

  • impose specific storage and security requirements; and/or
  • limit its use and/or disclosure.

In those circumstances, the secondary uses and/or disclosures permitted under the privacy principles will not apply.16

Privacy impact assessments

Health agencies intending to collect their employees' vaccination status information should consider undertaking a Privacy Impact Assessment (PIA), even if the collection is authorised or required by law.

A PIA allows a health agency to identify the privacy risks associated with the collection of vaccination status information and can assist the health agency to:

  • accurately record the information it collects and ensure it is complete and kept up-to-date
  • meet its notification obligations, i.e. what a health agency must communicate when collecting this information
  • collect the information using a secure method and store it securely once collected; and
  • limit the use and disclosure of employee vaccination status information to what is necessary to prevent and manage COVID-19.

A PIA will also assist a health agency to be open and transparent about how it will deal with employee vaccination status information.

Refer to Overview of the Privacy Impact Assessment (PIA) process and Undertaking a Privacy Impact Assessment for more information.

Current as at: December 16, 2021