I Am an Employer. Can I Collect Personal Information Regarding COVID-19?

During the peak of the COVID-19 pandemic, contact tracing and digital vaccination certificates were paramount to ensuring the health and safety of our communities. Such tools contain a wealth of personal information, and it is essential to understand how such information should be handled. If you are an employer or run a business in the private sector, there are important obligations on you to maintain a safe environment for your employees and visitors and to handle personal information appropriately. This article sets out how you should treat the information you collect from employees or visitors concerning COVID-19. This is particularly relevant as we move away from the pandemic’s peak. 

Background 

Under the Privacy Act 1988 (Cth) (Act), sensitive information includes information or an opinion about the health of an individual. As such, information about an individual relating to their general health status, infection and risk of exposure to COVID-19 will also be deemed sensitive information. 

Under the Act, you must not collect sensitive information unless the customer consents and the information is reasonably necessary for one or more of the collecting organisation’s functions or activities. However, there are certain exceptions to this requirement, including where a permitted health situation exists. 

Collection of an individual’s COVID-19 vaccination status may have been reasonably necessary for an organisation’s functions or activities during the peak of the COVID-19 pandemic to prevent and manage the virus’s transmission risk.

However, there are limited circumstances where such information collection would still be deemed reasonably necessary.

Can You Collect Vaccination Information?

Yes, you can. However, it is important to follow the 9-step process provided by the Office of the Australian Information Commissioner (OAIC). This process helps you determine whether you can ask your customers to show evidence of vaccination and collect the information. 

This includes: 

  • whether you can sight evidence of vaccination status instead of collecting it; 
  • determining if there is a law requiring or authorising you to collect vaccination status information from customers; 
  • where there is no relevant law, whether vaccination status information is reasonably necessary for the business functions and to obtain consent from the customer; 
  • identifying the amount of information to be collected; 
  • notifying customers and visitors about the purpose of collection and how it will be used; 
  • determining how you will secure information; 
  • considering restrictions on using and disclosing vaccination information; and 
  • a plan to delete the information at an appropriate time. 

As a general rule of thumb, the OAIC recommends collecting as little information as is reasonably necessary for preventing or managing COVID-19. For example, when it comes to an individual’s COVID-19 digital certificate, it is more appropriate to sight the certificate than to collect a copy of it.


This is especially important where the certificate contains an individual’s health identifier (IHI). The IHI has a higher standard of privacy protection. Failure to meet the obligations may attract civil or criminal penalties. 


Collecting Personal Information for Contact Tracing

Whether you can collect personal information for contact tracing purposes hinges on the Direction or Order issued by the state where you are located. Some States and Territories may issue a Direction or Order stating that collecting customer and visitor contact information is a condition of businesses reopening.

However, restrictions are slowly easing. Accordingly, if there is no longer an applicable Direction or Order to your business, you do not need to collect information for contact tracing purposes. Additionally, you should destroy such information once you no longer require it.  

Can I Collect Employee Information? 

Under the Act, there is an exemption for employee records allowing employers to collect personal information to manage employment. However, the information you collect must be for a purpose directly related to their employment. Similarly, with COVID-19, you can only collect information about your employee’s vaccination status in circumstances where they provide consent. Additionally, the information must be reasonably necessary to collect for the function of your business. 


Key Takeaways 

With COVID-19, it is crucial to be aware of the obligations you have as an employer when treating personal and sensitive information. Being prudent and understanding the purpose of collecting the information is important. 

If you need help collecting information as part of your COVID-19 protocol, our experienced employment lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Frequently Asked Questions 

Is vaccination information in my COVID-19 digital certificate considered sensitive information? 

Yes. Your certificate contains the Individual Health Identifier, a unique 16-digit number that identifies you for healthcare purposes. 

Should I be collecting vaccination information for COVID-19 purposes? 

This depends. It is important to consider whether there is a need to collect vaccination information due to the nature of your business. Additionally, there may be laws compelling you to collect such information. 

Shauna Ng


Shauna is a Lawyer in LegalVision’s Corporate and Commercial and Regulatory and Compliance teams. She assists a diverse range of clients in drafting and reviewing their agreements and also provides regulatory and compliance advice in various areas as required. Shauna has a particular interest in health-related services, including NDIS services.

Qualifications: Bachelor of Laws (Hons), Flinders University, Bachelor of Accountancy, Nanyang Technological University.
