COVID-19 – Vaccination and my privacy rights as a Queensland public sector employee

Queensland government agencies1 must deal with personal information2 in accordance with the privacy principles3. If you are employed by a Queensland government agency this obligation applies to your personal information, including information about whether you have received a COVID-19 vaccination or your reasons for deciding not to be vaccinated.

This guideline4 is intended to assist Queensland public sector employees to understand their privacy rights in relation to their COVID-19 vaccination status information. It does not apply to employees of health agencies, ie the Department of Health and Hospital and Health Services. Health agency employees should refer to COVID-19 – Vaccination and my privacy rights as a Queensland health employee.

For general information on your privacy rights in the context of managing COVID-19, see Privacy and public service employees in the pandemic.

Can my employer require me to disclose my vaccination status information?

Vaccination status information

Vaccination status information in this guideline includes whether you have been vaccinated, any decision to not receive the vaccine, and any reasons for that decision.

Your employer can only ask for your vaccination status information in limited circumstances and they must have a clear and justifiable reason for collecting it.

The agency must be asking for your vaccine status information because the agency needs it for a lawful purpose directly related to its functions or activities, which can include preventing or managing COVID-19. It must not be collected in an unlawful or unfair way and when collecting it, the agency must not intrude unreasonably into your personal affairs.5

If your employer can achieve their purpose without collecting your vaccination status information, or is asking for it for an unspecified or possible future purpose, it will be difficult for them to establish that the collection is necessary.

Specific health and safety risks in your workplace and applicable workplace laws can affect whether the collection of your vaccination status information is necessary for your employer’s activities or functions.

More information

Refer to WorkSafe Queensland, the Fair Work Ombudsman and Safe Work Australia for information on workplace COVID-19 management.

What if the collection is authorised or required by law?

Agencies can collect your vaccination status information if a law authorises or requires it. Law includes a Queensland Act or an Act of another jurisdiction, such as the Commonwealth, that applies in Queensland or regulations or any other instrument made under those Acts, including public health orders or directions. For example, the Requirements for Quarantine Facility Workers Direction (No. 4) requires relevant employees to be vaccinated against COVID-19 and authorises public health emergency officers to direct relevant employees to provide evidence of vaccination.

Does my employer have to tell me why they are collecting my vaccination status information?

In most cases, yes, the agency you work for must be transparent about why your information is being collected and how it will be used.6 The agency must take reasonable steps to let you know why the information is being collected, any legal authority for the collection, anyone it is the agency's usual practice to disclose it to and any entity that they will disclose it to.

Your employer should give you this information before they collect your vaccination status information or, if this is not practicable, as soon as practicable after collection occurs.

If I give my vaccine status information to my employer, will it be protected?

Agencies must protect your vaccine status information against unauthorised misuse, loss and unauthorised access, modification or disclosure and must ensure it is appropriately secured.7 Reasonable steps must be taken by the agency to ensure it is accurate, complete, up to date and not misleading.8

It can only be used or disclosed in accordance with why it was collected, what you were told when your employer collected it, or as provided for in the privacy principles.9 See Basic guide to IPPs 8-11 - Use and disclosure for more information.

Can I make a complaint if I think my employer is misusing my vaccination status information?

If you think your employer is misusing your vaccination status information, you should contact your employer in the first instance to try to resolve the issue. If it cannot be resolved informally, you should follow the agency's complaint process and make a written privacy complaint to your employer.

If this complaint cannot be resolved within 45 business days, you can bring your complaint to the Office of the Information Commissioner. If it cannot be resolved by this Office, you will have the right to request it be referred to the Queensland Civil and Administrative Tribunal.

  • 1 In this guideline an agency includes a Minister.
  • 2 Personal information is any information about an individual who can reasonably be identified; see section 12 of the IP Act for the full definition.
  • 3 The privacy principles include the Information Privacy Principles (IPPs), with which all agencies except health agencies must comply.
  • 4 This guideline is based on the Office of the Australian Information Commissioner's COVID-19: Vaccinations and my privacy rights as an employee.
  • 5 IPP 1 and IPP 3; see: All agencies - Obligations when collecting personal informationfor more information.
  • 6 As set out in IPP 2.
  • 7 IPP 4.
  • 8 IPP 7 and 8.
  • 9 IPP 10 and 11 set out when agencies can use and disclose information.

Current as at: July 2, 2021