Queensland health agencies must deal with personal information1 in accordance with the privacy principles2 in the Information Privacy Act 2009 (Qld) (IP Act). A health agency is the Department of Health and the Hospital and Health Services. If you are employed by a health agency this obligation applies to your personal information, including information about whether you have received a COVID-19 vaccination or your reasons for deciding not to be vaccinated.
This guideline3 is intended to assist health agency employees to understand their privacy rights in relation to their COVID-19 vaccination status information. Employees of other agencies should refer to COVID-19 – Vaccination and my privacy rights as a Queensland public sector employee.
If you are a private sector employee, refer to the Office of the Australian Information Commissioner guidance: COVID-19: Vaccinations and my privacy rights as an employee.
For more general information on your privacy rights in the context of managing COVID-19, see Privacy and public service employees in the pandemic.
Vaccination status information in this guideline includes whether you have been vaccinated, any decision to not receive the vaccine, and any reasons for that decision.
Your employer can only ask for your vaccination status information in limited circumstances. Health agencies4 must have a clear and justifiable reason for collecting it that relates to their functions or activities, which can include preventing or managing COVID-19.
Health and safety obligations and risks in your workplace, and applicable workplace laws, can affect whether the collection of your vaccination status information is necessary for your employer’s activities or functions.
If your employer can achieve their purpose without collecting your vaccination status information, hasn't specified why they want it, or is collecting it because they might need it in the future, it will be difficult for them to establish that the collection is necessary.
In most circumstances, showing your employer your proof of vaccination is sufficient. If your employer asks for a copy they need to explain why a copy is necessary and what purpose having a copy fulfills over making a note that they have seen it.
Check your employer’s policies and procedures for your obligations in relation to providing evidence of vaccine status for further information.
Whether you have been vaccinated or not is health information. A decision not to have the COVID-19 vaccination is health information and, if that decision was based on medical reasons, any medical evidence related to that decision is also health information. If the decision was not based on medical reasons, then those reasons are not health information.
In addition to the general rules about collecting personal information, health agencies must follow specific rules about when they can collect health information.5 These include where you have consented to its collection or its collection is authorised or required by law.6 If the health agency wants to rely on your consent, that consent must be informed, freely given, and valid,7 which means the health agency is not allowed to pressure or intimidate you into providing information about your vaccination status.
Health agencies can collect your vaccination status information if a law authorises or requires it. Law includes a Queensland Act, an Act of another jurisdiction, such as the Commonwealth, that applies in Queensland, and regulations and instruments made under those Acts, including public health orders and directions.
Some examples are:
In most cases, yes, the health agency you work for must be transparent about why your information is being collected and how it will be used and disclosed.8 Your employer should give you this information before they collect your vaccination status information or, if this is not practicable, as soon as practicable after collection occurs.
The health agency must take reasonable steps to make you aware of: the identity of the health agency and how to contact it; the fact that you can get access to the information; the purpose of collection; any entity or entities it is the health agency's usual practice to disclose the information to; if the collection is required or authorised by law; and any consequences if you refuse to provide it.
A health agency does not have to give you this information if the collection of your vaccination status information is required under a statutory collection.9
Health agencies must protect your vaccine status information against unauthorised misuse, loss and unauthorised access, modification or disclosure.10 Reasonable steps must be taken by the health agency to ensure it is accurate, complete, up to date and not misleading. Once it is no longer required, the health agency must take reasonable steps to deidentify it.11
Your vaccination status information can only be used or disclosed in accordance with why it was collected, what you were told when your employer collected it, or as provided for in the privacy principles.12
If vaccine status information is collected under a public health direction or other law, that law may contain rules about how it must be stored, what it can be used for, or who it can be disclosed to.
If you think your employer is misusing your vaccination status information or improperly collecting it, you should contact your employer in the first instance to try to resolve the issue. If it cannot be resolved informally, you should follow the health agency's complaint process and make a written privacy complaint to your employer.
If this complaint cannot be resolved within 45 business days, you can bring your complaint to the Office of the Information Commissioner. If it cannot be resolved by this Office, you will have the right to request it be referred to the Queensland Civil and Administrative Tribunal.
See How to make a privacy complaint and What to expect when you bring a privacy complaint to OIC for more information on making a privacy complaint.
Current as at: December 16, 2021