Confused about privacy and vaccination information? Regulators come together for national guidance

Acknowledging the various privacy regimes across Australia, the national and state and territory privacy commissioners have collaborated on 5 National COVID-19 Privacy Principles.

Below is our summary of these 5 National COVID-19 Privacy Principles and some tips for how to implement them in your organisation.

| No. | Principle | Explanation |
| --- | --- | --- |
| 1 | Data minimisation | Only collect and hold the minimum amount of vaccination information you need. Do you need to store copies of certificates? Can you sight certificates instead? |
| 2 | Purpose limitation | Only use and disclose vaccination information for the purpose for which it was collected. Your collection statement should describe the primary purpose of collection. |
| 3 | Security | Take reasonable steps to secure this information. Community expectations are that you do not store this overseas. Reflect on your cloud service providers, and other data protection measures such as password protections and access limitations. |
| 4 | Retention and deletion | Ensure information handling processes reflect how long your organisation needs the vaccination information, and when it can be deleted. Delete as soon as possible. |
| 5 | Regulation under privacy law | Individuals should have enforceable rights and a means to redress (despite the employee records exemption). |

The national regulator, the Office of the Australian Information Commissioner, has also recently published privacy guidance for businesses collecting COVID-19 vaccination information that draws on these 5 key principles.

Privacy by design

Privacy by design is the concept that privacy protections should be built into systems from the beginning to ensure privacy is an automatic feature of information handling processes.

This is why a change in information handling practices – such as starting to collect vaccination information – is the perfect time to reflect on how your organisation meets its privacy compliance obligations and can better design privacy into technical systems and human processes.

How we can help

Moores has expertise in privacy, from technical data flow assessments and audits that help you understand how to manage your data assets, to privacy training and refreshers for staff, and helping you respond to data breaches.

Please contact us for further assistance.
