During the peak of the COVID-19 pandemic, contact tracing and digital vaccination certificates were paramount to ensuring the health and safety of our communities. Such tools contain a wealth of personal information, and it is essential to understand how such information should be handled. If you are an employer or run a business in the private sector, there are important obligations on you to maintain a safe environment for your employees and visitors and to handle personal information appropriately. This article sets out how you should treat the information you collect from employees or visitors concerning COVID-19. This is particularly relevant as we move away from the pandemic’s peak.
Background
Under the Privacy Act 1988 (Cth) (Act), sensitive information includes information or an opinion about the health of an individual. As such, information about an individual relating to their general health status, infection and risk of exposure to COVID-19 will also be deemed sensitive information.
Under the Act, you must not collect sensitive information unless the customer consents and the information is reasonably necessary for one or more of the collecting organisation’s functions or activities. However, there are certain exceptions to this requirement, including where a permitted health situation exists.
Collection of an individual’s COVID-19 vaccination status may have been reasonably necessary for an organisation’s functions or activities during the peak of the COVID-19 pandemic to prevent and manage the virus’s transmission risk.
Can You Collect Vaccination Information?
Yes, you can. However, it is important to follow the 9-step process provided by the Office of the Australian Information Commissioner (OAIC). This process helps you determine whether you can ask your customers to show evidence of vaccination and collect the information.
This includes:
- considering whether you can sight evidence of vaccination status instead of collecting it;
- determining if there is a law requiring or authorising you to collect vaccination status information from customers;
- where there is no relevant law, determining whether vaccination status information is reasonably necessary for your business functions and obtaining consent from the customer;
- identifying the amount of information to be collected;
- notifying customers and visitors about the purpose of collection and how the information will be used;
- determining how you will secure the information;
- considering restrictions on using and disclosing vaccination information; and
- having a plan to delete the information at an appropriate time.
This is especially important where the certificate contains an individual’s health identifier (IHI). The IHI has a higher standard of privacy protection. Failure to meet the obligations may attract civil or criminal penalties.
Collecting Personal Information for Contact Tracing
Whether you can collect personal information for contact tracing purposes hinges on the Direction or Order issued by the state where you are located. Some States and Territories may issue a Direction or Order stating that collecting customer and visitor contact information is a condition of businesses reopening.
However, restrictions are slowly easing. Accordingly, if there is no longer a Direction or Order applicable to your business, you do not need to collect information for contact tracing purposes. Additionally, you should destroy such information once you no longer require it.
Can I Collect Employee Information?
Under the Act, there is an exemption for employee records allowing employers to collect personal information to manage employment. However, the information you collect must be for a purpose directly related to their employment. Similarly, with COVID-19, you can only collect information about your employee’s vaccination status in circumstances where they provide consent. Additionally, the information must be reasonably necessary to collect for the function of your business.

Key Takeaways
With COVID-19, it is crucial to be aware of the obligations you have as an employer when treating personal and sensitive information. Being prudent and understanding the purpose of collecting the information is important.
If you need help collecting information as part of your COVID-19 protocol, our experienced employment lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.
Frequently Asked Questions
Yes. Your certificate contains the Individual Health Identifier, a unique 16-digit number that identifies you for healthcare purposes.
This depends. It is important to consider whether there is a need to collect vaccination information due to the nature of your business. Additionally, there may be laws compelling you to collect such information.