Most states and territories have privacy laws that can apply in addition to the Privacy Act 1988 (Cth) (“Privacy Act”).
Health information
If you operate in Victoria or New South Wales, these states’ health privacy laws apply directly to your organisation regarding health information. If you are starting to collect vaccination information from workers or stakeholders in Victoria and New South Wales, you need to think about health privacy and the Privacy Act. Victoria and New South Wales both have information privacy principles and health privacy principles that apply specifically to health information.
If you operate in other states or territories across Australia, those states’ privacy laws may apply through a funding contract. More information about the various privacy principles is in our recent article: Health privacy: are you prepared to collect vaccination status and meet privacy obligations?
Contracts imposing privacy compliance
State contracts for funding, grants or the provision of goods and services to government organisations can include requirements that your organisation must comply with the privacy laws of that State or Territory.
Government departments often face a requirement that they impose the same standards on contractors.* This ensures that when government information is disclosed to your organisation for purposes under the contract, it is handled according to the same standards that apply to that government.
In addition to requiring your organisation to comply with certain privacy principles, the contract terms may also require training or breach reporting.
Small charities with less than $3 million annual turnover
Charities with less than $3 million annual turnover are not bound by the Privacy Act. However, the same contractual obligations may be imposed by contracts with the Commonwealth government, and this contracted service provider requirement overrides the small business exemption.**
This would mean the Australian Privacy Principles would apply, as well as the Notifiable Data Breach scheme.
How do I comply with multiple regimes?
While there are many different privacy principles across Australia, the foundational concepts have strong similarities.
- Data minimisation: minimising the amount of personal information you collect is a privacy protection that reduces intrusion into someone’s privacy and reduces an organisation’s risk of serious data breaches.
- Consent: it is common that sensitive and health information requires consent to collection, recognising that disclosing this information impacts more greatly on a person’s privacy.
- Autonomy and transparency: privacy laws are designed to empower people with rights to control their identity as it is known by companies. The requirements to have a policy, explain uses and disclosures and inform individuals of collection are common themes in the various privacy principles.
You should always endeavour to meet the higher standard. Often, health privacy principles will have tighter restrictions on the handling of health information, again reflecting the intrusiveness and personal nature of someone’s health information.
Health privacy – vaccination information
If your organisation is preparing to collect vaccination information from employees, clients or other stakeholders, we recommend reflecting on what privacy laws apply to your organisation – including health privacy principles. Now is the time to implement strong collection and security measures for health information such as vaccination status.
Vaccination status is considered health information and therefore sensitive information in most jurisdictions across Australia. This means stricter requirements on how you collect, use, disclose and store that information.
The mind map below contains some ideas and concepts relevant to protecting vaccination information.
How we can help
Our privacy team can help you identify gaps in your current information handling practices to ensure you are meeting all applicable requirements. We can help redesign information flows and storage through your organisation to ensure compliance and protection of your data assets at all times of the information lifecycle.
Please contact us.
* Information Privacy Act 2000 (Vic) s 17; Information Act 2002 (NT) s 149.
** Privacy Act 1988 (Cth) s 6D(4)(e).