Acknowledging the various privacy regimes across Australia, the national and state and territory privacy commissioners have collaborated on 5 National COVID-19 Privacy Principles.
Below is our summary of these 5 National COVID-19 Privacy Principles and some tips for how to implement them in your organisation.
| No. | Principle | Explanation |
| --- | --- | --- |
| 1 | Data minimisation | Only collect and hold the minimum amount of vaccination information you need. Do you need to store copies of certificates? Can you sight certificates instead? |
| 2 | Purpose limitation | Only use and disclose vaccination information for the purpose for which it was collected. Your collection statement should describe the primary purpose of collection. |
| 3 | Security | Take reasonable steps to secure this information. Community expectations are that you do not store this overseas. Reflect on your cloud service providers, and other data protection measures such as password protections and access limitations. |
| 4 | Retention and deletion | Ensure information handling processes reflect how long your organisation needs the vaccination information and when it can be deleted. Delete as soon as possible. |
| 5 | Regulation under privacy law | Individuals should have enforceable rights and a means of redress (despite the employee records exemption). |
The national regulator, the Office of the Australian Information Commissioner, has also recently published privacy guidance for businesses collecting COVID-19 vaccination information that draws on these 5 key principles.
Privacy by design
Privacy by design is the concept that privacy protections should be built into systems from the beginning to ensure privacy is an automatic feature of information handling processes.
This is why a change in information handling practices – such as starting to collect vaccination information – is the perfect time to reflect on how your organisation meets its privacy compliance obligations and can better design privacy into technical systems and human processes.
How we can help
Moores has expertise in privacy, from technical data flow assessments and audits that help you better understand how to manage your data assets, to privacy training and refreshers for staff, and helping you respond to data breaches.
Please contact us for further assistance.