COVID-19 and health information (including vaccination status) have been key topics of importance in recent months, but there has been much discussion and little guidance until now. On 2 September 2021, the Commonwealth Privacy Commissioner and the State Information and Privacy Commissioners and ombudsmen issued a joint set of privacy principles to support a nationally consistent approach.
While these "universal" privacy principles will support a consistent approach and provide a useful touchpoint for policymakers enacting laws or rules that involve the handling of personal information, we know that, to date, there has been a lot of confusion and certainly a lot of overlap in different rules.
In particular, as we move towards the notion of vaccine passports and sharing information about vaccination (which is ordinarily regarded as health information and thus sensitive information), there has been significant overlap in the requirements imposed by employers, workplaces and third parties seeking to ensure that those who come onto their premises are vaccinated or have a negative test result. In addition, the issue of QR code check-ins and location information about individuals has been the subject of potential scope creep and abuse by police forces in Western Australia and Queensland seeking to access this information for purposes other than the public health reasons for which it was provided.
In order for there to be trust in the system, individuals need to know that their privacy is being respected. This universal set of privacy principles, which covers five points, seeks to establish an environment where that trust will be maintained. The release is timely, as state and territory governments continue to pursue access to federal government data on vaccination status (i.e. the Australian Immunisation Register) for their check-in apps.
Data minimisation
The principle that information is only collected to the extent that it is reasonably necessary to achieve a legitimate purpose is the first principle. This includes considering alternative solutions which achieve the same purpose and do not require personal information to be collected and maintained in a record. This is an issue challenging those who seek proof of vaccination status without keeping a record of that vaccination. For example, if a venue was asked to prove confirmation that only vaccinated persons had attended, how would it do so?
Purpose limitation
There is a general requirement that personal information is only collected for purposes to which the individual has consented or would reasonably expect. In the context of COVID-19 and, in particular, information supplied for public health regulation and no other purpose, scope creep and purpose limitation are of utmost importance. For example, the recent access by state police to check-in information in venues was roundly criticised. It is important that information continue to be used only for the purpose for which it is collected.
Security
The requirement to take reasonable steps to keep personal information secure in line with community expectations continues to be of importance. We can see how this has evolved during the pandemic with the requirement for check-ins at venues moving from third-party providers (who may or may not be regulated by Australian privacy legislation and who may or may not use the information for additional purposes such as marketing) to government-operated and sponsored QR codes. We know that various government departments are considering how vaccination certificates can be made available to third parties with confidence, but this is a continuing process.
Retention or deletion
It is a policy that personal information should be deleted when it is no longer needed for the purpose for which it has been collected. That has been a feature of check-in information that is generally maintained only for 28 days – the period during which contact tracers might need to access the information. In terms of vaccination information, as we move into the new phase, this may be a more difficult question of timing to resolve.
Regulation under privacy law
The principles state that Australians' personal information should be protected by an enforceable privacy law to which individuals have redress if their information is mishandled. This brings into consideration the issue of the employee records exemption. Something that is challenging employers in relation to the use of vaccine information is how they can share that with third parties if it may be necessary for that individual to carry out their job. for example, individuals might only want vaccinated contractors to come onto their premises.
Looking ahead
In all of this, it is important for businesses to weigh up the various risks that apply to the circumstances in which they find themselves. However, until the various regulators align and introduce some specific guidelines to deal with vaccination status and how it is shared, the legal position will be somewhat unclear.
Having looked at the above, it is somewhat ironic that social media seems covered in individuals wanting (and being encouraged) to publicise their vaccination status and make it a matter of public record which, if collected and held by a regulated organisation or agency, would then be subject to significant regulation as being sensitive information.
We look forward to some further, more detailed guidance coming from the regulators in the near future.
This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.
