
Individual Health Identifiers in Vaccination Statements. What are My Privacy Obligations as a Business Owner?

If you are a service provider that provides health information management services to healthcare providers, you must understand how to manage the information you collect. How you treat an individual’s healthcare identifier is particularly important now that the COVID-19 digital certificate has been introduced and vaccination information is being checked. A COVID-19 digital certificate contains personal information. While not all versions contain a health identifier, it is essential to understand what a health identifier is and the obligations that attach to it. This article sets out what health identifiers are, the regulatory frameworks that protect them, the privacy obligations involved and the consequences of not complying with them.

What is an Individual Health Identifier?

An Individual Healthcare Identifier (IHI) is a unique number used to identify an individual for healthcare purposes.

The collection, use, disclosure and storage of IHIs are regulated under the Healthcare Identifiers Act 2010 (Cth) (HI Act), which establishes the Healthcare Identifiers Service. They are also regulated by the Privacy Act 1998 (Cth) (Privacy Act), which establishes the Australian Privacy Principles (APPs) that set out how organisations must handle personal and sensitive information (such as an IHI).

In particular, the IHI is not only sensitive (health) information but also a government identifier, and it therefore attracts a high level of protection under the Privacy Act.

The entities authorised to collect IHIs include:

  • identified healthcare providers (including aged care providers);
  • certain Government agencies and service operators of those Government entities; and
  • entities providing healthcare services to individuals.

Generally, if an entity has authorisation to collect, use or disclose IHIs, then any service providers they contract also have authorisation, provided:

  • the contract between the entities sets out and limits the purpose of the collection, use or disclosure of the IHI; and
  • the purpose of the disclosure is reasonably connected with the original purpose of the collection and relates to the communication of health information, or the provision of health management services, to the healthcare provider.

Privacy Obligations Concerning IHIs 

Due to how sensitive the IHI is, a party may only access, use or disclose it for limited purposes. A key obligation under both the Privacy Act and HI Act is for entities to take reasonable steps to secure personal information and healthcare identifiers they hold. 

For example, under section 27 of the HI Act, an entity must: 

  • take reasonable steps to protect healthcare identifiers the entity holds from:
    • misuse and loss; and
    • unauthorised access, modification or disclosure; and
  • comply with any requirements prescribed by the regulations for the protection of healthcare identifiers the entity holds.

What are Reasonable Steps? 

The Office of the Australian Information Commissioner (OAIC) suggests that the ‘reasonably necessary’ test is an objective one.

It is determined by asking whether a reasonable person who is properly informed would agree that the collection, use or disclosure is reasonably necessary for a particular function or activity.

Determining what constitutes reasonable steps will turn on the circumstances of the collection of the information, which include: 

  • the size, resources, complexity and business model of the entity; 
  • the amount and sensitivity of the personal information the entity holds; 
  • the adverse consequences for an individual in the case of a breach; and 
  • the practical implications of implementing security measures, such as the time and cost.

The OAIC has also published a guide on reasonable steps to protect personal information. At the time of this article, the OAIC is in the process of updating this guide. 

As a practice, you should avoid collecting or storing IHIs. The OAIC advises that it is generally appropriate to sight an individual’s COVID-19 digital certificate rather than collect a copy of it, especially where the certificate contains an IHI. You can do this by recording that you sighted and confirmed the certificate, for example by placing a tick next to the person’s name.

Failing to Comply With Obligations

Unauthorised use and disclosure of an IHI may attract substantial criminal and civil penalties under the HI Act, Privacy Act and even the My Health Records Act 2012 (Cth). For example, under the HI Act, penalties include:

  • imprisonment of up to 2 years;
  • 120 penalty units; or 
  • 600 penalty units where the person knows or is reckless about the unauthorised use or disclosure. 

Key Takeaways

COVID-19 digital health certificates are increasingly common. However, these certificates contain sensitive information protected by regulatory frameworks. Accordingly, it is crucial to ensure you treat such information appropriately. 

If you have any questions about your obligations concerning individual health identifiers, our experienced lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.

Frequently Asked Questions 

What is an individual healthcare identifier?  

An individual healthcare identifier is a unique 16-digit number used to identify an individual for healthcare purposes. This can be found on an individual’s COVID-19 digital certificate. 

What reasonable steps may I need to take to protect healthcare identifiers? 

This is largely dependent on the circumstances of the collection, which includes factors such as the entity’s size, resources, complexity and business model and the amount and sensitivity of the personal information held.

Shauna Ng

Lawyer

Shauna is a Lawyer in LegalVision’s Corporate and Commercial and Regulatory and Compliance teams. She assists a diverse range of clients in drafting and reviewing their agreements and also provides regulatory and compliance advice in various areas as required. Shauna has a particular interest in health-related services, including NDIS services.

Qualifications: Bachelor of Laws (Hons), Flinders University, Bachelor of Accountancy, Nanyang Technological University.
