Vaccinated Australians will have, by now, accessed their COVID-19 vaccination certificate, a token of our roadmap out of lockdown. However, the token comes with personal and, in some formats, sensitive information. For example:
- the COVID-19 digital certificate, which can be saved to a smartphone, reveals date of birth;
- the International COVID-19 Vaccination Certificate that can be downloaded from the Australian Government myGov portal identifies date of birth and passport number; and
- the Medicare Immunisation History Statement identifies the date of birth and the Individual Healthcare Identifier (IHI), together with details of various other vaccinations received by the individual. IHI is a unique 16-digit number the My Health Record system uses to identify an individual.
Incorrect handling of these vaccination certificates may expose the individuals concerned to serious identity, privacy and security risks.
State or Territory health departments may require you to confirm that your customers and/or employees are vaccinated before they enter your premises. You may even have already asked your employees to provide you with a copy of their vaccination certificate confirming their vaccination status before they are granted access to the workplace.
Given the nature of the personal and sensitive information that is disclosed in the COVID-19 vaccination certificates, it is important that businesses take precautions to ensure that they are complying with their privacy obligations, and to ensure that they are not collecting or storing personal and/or sensitive information revealed in the COVID-19 vaccination certificates. For any business that is unsure how to navigate the new terrain of COVID-19 vaccination certificates, we recommend the following:
- Sight vaccination certificates, rather than obtaining a copy. Make a record of who the vaccination certificate was sighted by and on what date. If absolutely necessary, you can record the document number, but do not make a record of the certificate itself, the individual’s date of birth or IHI revealed in the certificate, or any other details that are not related to COVID-19 vaccination status.
- If it is absolutely necessary to obtain a copy of the vaccination certificate, advise the individuals concerned to redact their date of birth and IHI before providing you with the certificate.
- Where possible, provide a secure form of transmission for sending vaccination certificates, even if in redacted form. Email is a notoriously insecure form of communication.
- If you have already collected copies of vaccination certificates, or recorded details such as an individual’s date of birth or IHI in connection with sighting vaccination certificates, delete these records as soon as possible.
- The vaccination certificate is not to be used for any purpose except for compliance with Government directives regarding COVID-safety.
This article was written by Special Counsel Hayley Bowman. If you need advice on how to lawfully handle the COVID-19 vaccination information of your employees or customers, please contact Hayley Bowman.