Queensland government agencies1 must deal with personal information2 in accordance with the privacy principles3 in the Information Privacy Act 2009 (Qld) (IP Act). If you are employed by a Queensland government agency this obligation applies to your personal information, including information about whether you have received a COVID-19 vaccination or your reasons for deciding not to be vaccinated.
This guideline4 is intended to assist Queensland public sector employees to understand their privacy rights in relation to their COVID-19 vaccination status information. It does not apply to employees of health agencies, ie the Department of Health and Hospital and Health Services. Health agency employees should refer to COVID-19 – Vaccination and my privacy rights as a Queensland health employee.
For general information on your privacy rights in the context of managing COVID-19, see Privacy and public service employees in the pandemic.
Non-Queensland government employees
If you are a private sector employee, refer to the Office of the Australian Information Commissioner guidance: COVID-19: Vaccinations and my privacy rights as an employee.
Can my employer require me to disclose my vaccination status information?
Vaccination status information
Vaccination status information in this guideline includes whether you have been vaccinated, any decision to not receive the vaccine, and any reasons for that decision.
Your employer can only ask for your vaccination status information in limited circumstances and they must have a clear and justifiable reason for collecting it. The agency must be asking for it because the agency needs it for a lawful purpose directly related to its functions or activities, which can include preventing or managing COVID-19. It must not be collected in an unlawful or unfair way and when collecting it, the agency must not intrude unreasonably into your personal affairs.5
If an agency can perform its functions and activities without collecting your vaccination status information, hasn't specified why they want it, it will be difficult for them to establish that the collection is necessary.
Collecting the information only because they might need it in the future is not a valid reason to collect your personal information.
Viewing proof of vaccination
In most circumstances, showing your employer your proof of vaccination is sufficient. If your employer asks for a copy, or want to take a copy, they need to explain why a copy is necessary and what purpose having a copy fulfills over noting that they have sighted it.
Check your employer’s policies and procedures about providing evidence of vaccine status for further information.
Health and safety obligations and risks in your workplace and applicable workplace laws can affect whether the collection of your vaccination status information is necessary for your employer’s activities or functions.
What if the collection is authorised or required by law?
Agencies can collect your vaccination status information if a law authorises or requires it. Law includes a Queensland Act, an Act of another jurisdiction, such as the Commonwealth, that applies in Queensland, and regulations or other instruments made under those Acts, including public health orders and directions. Some examples are:
- the Designated COVID-19 Hospital Network Direction, which requires relevant employees to be vaccinated against COVID-19 and authorises public health emergency officers to direct relevant employees to provide evidence of vaccination
- the COVID-19 Vaccination Requirements for Workers in a high-risk setting Direction, which requires workers in specified industries and ones entering designated high-risk settings to be vaccinated against COVID-19 and provide proof of vaccination.
Does my employer have to tell me why they are collecting my vaccination status information?
In most cases, yes, the agency you work for must be transparent about why your information is being collected and how it will be used.6 The agency must take reasonable steps to let you know why the information is being collected, any legal authority for the collection, anyone it is the agency's usual practice to disclose it to and any entity that they will disclose it to.
Your employer should give you this information before they collect your vaccination status information or, if this is not practicable, as soon as practicable after collection occurs.
If I give my vaccine status information to my employer, will it be protected?
Agencies must protect your vaccine status information against unauthorised misuse, loss and unauthorised access, modification or disclosure and must ensure it is appropriately secured.7 Reasonable steps must be taken by the agency to ensure it is accurate, complete, up to date and not misleading.8
It can only be used or disclosed in accordance with why it was collected, what you were told when your employer collected it, or as provided for in the privacy principles.9
Limited by law
If vaccine status information is collected under a public health direction or other law, that law may contain rules about how it must be stored, what it can be used for, or who it can be disclosed to.
Can I make a complaint if I think my employer is misusing my vaccination status information?
If you think your employer is misusing your vaccination status information or improperly collecting it, you should contact your employer in the first instance to try to resolve the issue. If it cannot be resolved informally, you should follow the agency's complaint process and make a written privacy complaint to your employer.
If this complaint cannot be resolved within 45 business days, you can bring your complaint to the Office of the Information Commissioner. If it cannot be resolved by this Office, you will have the right to request it be referred to the Queensland Civil and Administrative Tribunal.
- 1 In this guideline an agency includes a Minister.
- 2 Personal information is any information about an individual who can reasonably be identified; see section 12 of the IP Act for the full definition.
- 3 The privacy principles include the Information Privacy Principles (IPPs), with which all agencies except health agencies must comply.
- 4 This guideline is based on the Office of the Australian Information Commissioner's COVID-19: Vaccinations and my privacy rights as an employee.
- 5 IPP 1 and IPP 3; see: All agencies - Obligations when collecting personal information for more information.
- 6 As set out in IPP 2.
- 7 IPP 4.
- 8 IPP 7 and 8.
- 9 IPP 10 and 11 set out when agencies can use and disclose information. See Basic guide to IPPs 8-11 - Use and disclosure for more information.
Current as at: December 16, 2021