Are you considering collecting vaccination status from your staff or stakeholders? This means you will be collecting health information. If you operate in Victoria, New South Wales and the Australian Capital Territory, health information is regulated by the Privacy Act 1988 (Cth) and state based privacy laws.
Is your organisation captured?
You may need to consider how state based health privacy principles affect how your organisation handles health information, such as vaccination status, if:
- You operate in Victoria and collect, or intend to collect health information (e.g. vaccination status);
- You operate in New South Wales, collect, or intend to collect health information and have an annual turnover greater than $3 million;
- You operate in Victoria or New South Wales and provide a health service (e.g. counselling, physiotherapy);
- You have a state funding or services contract that contractually imposes state privacy laws.
Privacy principles across Australia
Different states have privacy principles that apply in conjunction with the national Australian Privacy Principles.
| Jurisdiction | Privacy Principles | Apply directly to some private sector organisations | Can apply by contract (organisation is a contracted service provider to government agency) |
|---|
| Commonwealth | Australian Privacy Principles (APPs) | ✔ | ✔ |
| Victoria | Information Privacy Principles (IPPs) | × | ✔ |
| Health Privacy Principles (HPPs) | ✔ | ✔ |
| New South Wales | Information Privacy Principles (IPPs) | × | ✔ |
| Health Privacy Principles (HPPs) | ✔ | ✔ |
| Australian Capital Territory | Territory Privacy Principles (TPPs) | × | ✔ |
| Queensland | Information Privacy Principles (IPPs) | × | ✔ |
| National Privacy Principles (NPPs) | × | ✔ |
| South Australia | None | × | ✔ |
| Northern Territory | Information Privacy Principles (IPPs) | × | ✔ |
| Western Australia | None | × | ✔ |
| Tasmania | Personal Information Protection Principles (PIPPs) | × | ✔ |
What does this mean for me?
Given the increasing importance of understanding the vaccination and health status of individuals in the community, your organisation may be changing how it collects and uses information about its staff or other stakeholders, such as customers or students. When information handling practices change – such as introducing a vaccination status register – We/the OAIC recommend(s) conducting a Privacy Impact Assessment to help you reflect on any privacy protection measures and ensure ongoing privacy compliance with all privacy principles that may apply.
How do I do a Privacy Impact Assessment?
- A Privacy Impact Assessment involves considering the current information handling practices in comparison to the proposed new practices. This helps you see how privacy might be affected – for example, by an increase in the collection of sensitive health information such as vaccination status.
- Having identifies how the proposed change may affect privacy, you are better placed to introduce steps to protect privacy and maintain compliance. For example, you may re-educate staff or increase data protection measures.
- Reflect on how the changing information handling practice might require an update to your Privacy Policy.
Following these steps of a Privacy Impact Assessment encourages a privacy-by-design approach, where privacy protections are included in the design process of new information practices.
If you are a school, Moores has published a specific guide to undertaking a Privacy Impact Assessment regarding remote learning adjustments that may also be helpful.
How we can help
If you are uncertain as to how to adapt your current policies and practices to equip you for the new environment, may wish to consider:
- Introducing a Privacy Impact Assessment process and/or template to ensure ongoing compliance and privacy-by-design.
- Reviewing, updating and amending your privacy policy;
- Reviewing, updating or amending internal process sheets for staff when collecting personal information =;
- Implementing and/or reviewing a data breach response plan;
- Drafting consent forms for clients, customers, and/or students that details what information may be collected/used/disclosed; and
- Training your staff on their rights and obligations.
Moores can provide assistance with all of the above and is available for online training with staff members.
Please contact us if you would like further information.