Fact Sheet - collection of COVID-19 vaccination information

Read the document below or download it here: Fact Sheet - Collection of COVID-19 vaccination information March 2021

Information about an individual’s vaccination status is health information under the HRIP Act.

The HPPs are legal obligations which NSW public sector agencies, and some private sector organisations, must abide by when they collect, hold, use and disclose a person’s health information.

The IPC has published guidance on the HPPs.

Should an agency collect vaccine information?

An agency should only collect vaccine information about its employees if the collection is:

  • for a lawful purpose directly related to the functions or activities of the agency, and
  • reasonably necessary for the functions or activities of the agency.

In addition, the agency must take reasonable steps to ensure that the collection is not excessive and does not unreasonably intrude on the personal affairs of their employees.

In making a decision whether to collect vaccine information, agencies should carefully consider whether this information is reasonably necessary to enable the agency to undertake its functions or activities.

You must have clear and justifiable reasons for collecting your employees’ vaccination information. If you have no specified use for this information, are recording it on a ‘just in case’ basis, or if you can achieve your purpose without collecting this information, you are unlikely to be able to show that the collection is reasonably necessary. For example, if you are collecting vaccination status information for monitoring purposes only, it will be difficult to demonstrate the necessity of collecting this information.

Some agencies may wish to collect vaccine information in order to prevent or manage COVID-19 risks. Before implementing collection of this information agencies should consider public health advice to determine whether collection of this information is reasonably necessary to prevent or manage COVID-19.

The health and safety risks in your agency and relevant work health and safety legislation will assist you to determine whether the collection of vaccination status information would be considered reasonably necessary for your activities or functions. 

Agencies should have regard to any advice issued by relevant authorities including the NSW Chief Medical Officer and Safework NSW.

Is employee consent required to collect vaccine information?

Consent is not required to collect health information under the HRIP Act. An agency must comply with the collection principles set out in HPPs 1-4 which require that:

  • the information is collected for a lawful purpose that is reasonably necessary to a function of the agency
  • the information is relevant to the purpose for which is is collected, accurate and not excessive or intrusive
  • the information is collected from the individual concerned unless it is unreasonable or impracticable to do so
  • the individual is made aware of the matters outlined in HPP 4, including the consequences for the individual if the information is not provided.

In certain circumstances, an agency may be required to collect health information under legislation or other law. This may include an Act of the Commonwealth or a state or territory, or a regulation or a legislative instrument such as a Public Health Order. If you are unsure whether this applies to your agency, you should seek advice from your legal unit.

If your agency does decide to collect vaccine information, you must take reasonable steps to ensure your employees are aware of:

  • the purpose for which the information has been collected
  • whether that collection is required by law
  • any person or agency to whom the agency usually discloses this information
  • how the employee can view and correct their health information, and
  • any consequences that will occur if they decide not to provide their information to the agency.
What other requirements apply?

Vaccine information must be managed in the same manner as any other health information collected by your agency.

You should ensure that your agency’s handling of this information is in compliance with the HPPs. You should ensure that health information is:

  • stored securely, not kept any longer than necessary, and disposed of appropriately
  • protected from unauthorised access, use or disclosure
  • only used for the purpose for which it was collected or for a directly related purpose, which a person would expect, unless an exception applies or the individual consents, and
  • only disclosed for the purpose for which it was collected, or for a directly related purpose that a person would expect, unless an exception applies or the individual consents.
For more information

Contact the Information and Privacy Commission NSW (IPC):

Freecall:          1800 472 679
Email:             ipcinfo@ipc.nsw.gov.au
Website:          www.ipc.nsw.gov.au

NOTE: The information in this fact sheet is to be used as a guide only. Legal advice should be sought in relation to individual circumstances.