COVID-19 – Vaccination and my privacy rights as a Queensland health employee

Queensland health agencies must deal with personal information1 in accordance with the privacy principles2 in the Information Privacy Act 2009 (Qld) (IP Act). A health agency is the Department of Health and the Hospital and Health Services. If you are employed by a health agency this obligation applies to your personal information, including information about whether you have received a COVID-19 vaccination or your reasons for deciding not to be vaccinated.

This guideline3 is intended to assist health agency employees to understand their privacy rights in relation to their COVID-19 vaccination status information. Employees of other agencies should refer to COVID-19 – Vaccination and my privacy rights as a Queensland public sector employee.

Non-Queensland government employees

If you are a private sector employee, refer to the Office of the Australian Information Commissioner guidance: COVID-19: Vaccinations and my privacy rights as an employee.

For more general information on your privacy rights in the context of managing COVID-19, see Privacy and public service employees in the pandemic.

Can my employer require me to disclose my vaccination status information?

Vaccination status information

Vaccination status information in this guideline includes whether you have been vaccinated, any decision to not receive the vaccine, and any reasons for that decision.

Your employer can only ask for your vaccination status information in limited circumstances. Health agencies4 must have a clear and justifiable reason for collecting it that relates to their functions or activities, which can include preventing or managing COVID-19.

Health and safety obligations and risks in your workplace, and applicable workplace laws, can affect whether the collection of your vaccination status information is necessary for your employer’s activities or functions.

More information

Refer to WorkSafe Queensland, the Fair Work Ombudsman and Safe Work Australia for information on workplace COVID-19 management.

If your employer can achieve their purpose without collecting your vaccination status information, hasn't specified why they want it, or is collecting it because they might need it in the future, it will be difficult for them to establish that the collection is necessary.

Viewing proof of vaccination

In most circumstances, showing your employer your proof of vaccination is sufficient. If your employer asks for a copy they need to explain why a copy is necessary and what purpose having a copy fulfills over making a note that they have seen it.

Check your employer’s policies and procedures for your obligations in relation to providing evidence of vaccine status for further information.

Health information

Whether you have been vaccinated or not is health information. A decision not to have the COVID-19 vaccination is health information and, if that decision was based on medical reasons, any medical evidence related to that decision is also health information. If the decision was not based on medical reasons, then those reasons are not health information.

In addition to the general rules about collecting personal information, health agencies must follow specific rules about when they can collect health information.5 These include where you have consented to its collection or its collection is authorised or required by law.6 If the health agency wants to rely on your consent, that consent must be informed, freely given, and valid,7 which means the health agency is not allowed to pressure or intimidate you into providing information about your vaccination status.

What if the collection is authorised or required by law?

Health agencies can collect your vaccination status information if a law authorises or requires it. Law includes a Queensland Act, an Act of another jurisdiction, such as the Commonwealth, that applies in Queensland, and regulations and instruments made under those Acts, including public health orders and directions.

Some examples are:

Does my employer have to tell me why they are collecting my vaccination status information?

In most cases, yes, the health agency you work for must be transparent about why your information is being collected and how it will be used and disclosed.8 Your employer should give you this information before they collect your vaccination status information or, if this is not practicable, as soon as practicable after collection occurs.

The health agency must take reasonable steps to make you aware of: the identity of the health agency and how to contact it; the fact that you can get access to the information; the purpose of collection; any entity or entities it is the health agency's usual practice to disclose the information to; if the collection is required or authorised by law; and any consequences if you refuse to provide it.


A health agency does not have to give you this information if the collection of your vaccination status information is required under a statutory collection.9

If I give my vaccine status information to my employer, will it be protected?

Health agencies must protect your vaccine status information against unauthorised misuse, loss and unauthorised access, modification or disclosure.10 Reasonable steps must be taken by the health agency to ensure it is accurate, complete, up to date and not misleading. Once it is no longer required, the health agency must take reasonable steps to deidentify it.11

Your vaccination status information can only be used or disclosed in accordance with why it was collected, what you were told when your employer collected it, or as provided for in the privacy principles.12

Limited by law

If vaccine status information is collected under a public health direction or other law, that law may contain rules about how it must be stored, what it can be used for, or who it can be disclosed to.

Can I make a complaint if I think my employer is misusing my vaccination status information?

If you think your employer is misusing your vaccination status information or improperly collecting it, you should contact your employer in the first instance to try to resolve the issue. If it cannot be resolved informally, you should follow the health agency's complaint process and make a written privacy complaint to your employer.

If this complaint cannot be resolved within 45 business days, you can bring your complaint to the Office of the Information Commissioner. If it cannot be resolved by this Office, you will have the right to request it be referred to the Queensland Civil and Administrative Tribunal.

See How to make a privacy complaint and What to expect when you bring a privacy complaint to OIC for more information on making a privacy complaint.

  • 1 Personal information is any information about an individual who can reasonably be identified; see section 12 of the IP Act for the full definition.
  • 2 The privacy principles include the National Privacy Principles (NPPs), with which health agencies must comply,
  • 3 This guideline is based on the Office of the Australian Information Commissioner's COVID-19: Vaccinations and my privacy rights as an employee.
  • 4 Under NPP1, health agencies can only collect personal information necessary for their functions or activities and must collect it in a reasonably unobtrusive, lawful, and fair manner. See All agencies - Obligations when collecting personal information for more information.
  • 5 The definition of sensitive information includes health information and health information includes vaccination status information.
  • 6 For a list of all circumstances in which a health agency can collect health information, see Basic guide to NPP 9 - Collection of sensitive information.
  • 7 See Key Privacy Concepts – agreement and consent for information about what constitutes valid consent.
  • 8 As set out in NPP 1.
  • 9 Statutory collection means collection under an Act requiring a person to give information to the health agency or a register or other personal information collection the health agency is authorised or required to maintain under an Act for monitoring public health issues.
  • 10 NPP 4.
  • 11 NPP 4, subject to Public Records obligations.
  • 12 NPP 2 sets out when health agencies can use and disclose personal information. See Basic guide to NPP 2 - Use and disclosure.

Current as at: December 16, 2021