COVID data deletion date is fast approaching – what do you need to do?
Remember COVID and all that vaccination data you collected about your employees, contractors, volunteers and site visitors, etc? Well, for businesses in Victoria, the date to destroy the data recorded or held under the Occupational Health and Safety Amendment (COVID-19 Vaccination Information) Regulations 2022 (Amending Regulations) is fast approaching – 11 August 2023.
When were businesses allowed to record COVID data?
The Amending Regulations – published in 2022 – originally allowed for businesses to collect, record, hold and use COVID information (in particular, vaccination information) about individuals, for the purpose of the business complying with its workplace health and safety requirements. The Amending Regulations formalised and replaced the various COVID data collection requirements introduced in Victoria under the various Workplace Directions and pandemic orders.
The data collected and currently held by Victorian businesses included:
- individuals’ COVID-19 vaccination status;
- the date/s of vaccination; and
- details of whether an individual was unable to receive a COVID-19 vaccination (eg, acute medical illness, medical contraindication, and/or age restriction reasons).
What’s happening now?
Part 2.1A of the Amending Regulations (“Collection and use of Covid-19 Vaccination Information”) was revoked on 12 July 2023. So, any business that collected, recorded, held or used data under the Amending Regulations must destroy that data by 11 August 2023 (being 30 days after revocation).
Businesses that fail to do so may be found to be in breach of health privacy legislation, including the federal Privacy Act 1988 (Cth) and the Victorian Health Records Act 2001 (Vic). Maximum penalties for non-compliance with the federal Privacy Act can reach $50 million, three times the benefit received from the misuse of the data, or 30% of the business’ turnover.
Now that we are back to “business as usual”, and living with COVID just like any other illness, the Government has already taken steps to delete unnecessary data held about individuals. The Government has confirmed that all COVIDSafe app data has been deleted from the data store and the COVIDSafe app itself has been decommissioned and is no longer available. Individuals can delete the app from their devices.
What do you need to do with the data?
Many businesses holding COVID-19 vaccination data must destroy it.
There is no specific requirement about “how” the data must be destroyed, but it should be done by taking “reasonable steps” applicable to your business, in a secure manner, and in accordance with any data destruction policy your business may have. Common examples of destruction activity could include:
- For paper and/or electronic records: de-identifying the data (ie, removing entirely the connection between the data and the individual’s name and/or other identifiers) and ensuring it cannot be re-identified;
- For paper records: securely shredding, pulping or disintegrating your paper documents (avoid general waste disposal!); and
- For electronic records: overwriting the files before they are deleted, “double deleting” the files and degaussing / demagnetising data held on file storage devices.
You will need to consider all file locations and may need to involve your internal or external IT support providers. Businesses should ask themselves:
- What further spreadsheets, records and documents were created including or referencing the COVID-19 data?
- Who was it shared with?
- Is this information included in system backups?
Some businesses might also wish (though there is no obligation) to advise individuals that their COVID-related data has been (or is now being) destroyed.
Of course, businesses and employers that are still permitted or required to hold vaccination information and other health data can (or must) continue to do so. They are exempt from the Amending Regulations’ requirement to destroy the data.
Further thoughts
In general, Australian privacy legislation requires that businesses do not hold personal information for longer than is reasonably necessary – principles of data minimisation and retention. So, this is also an opportune time for businesses to consider their privacy compliance more generally, including the destruction of other data that is no longer reasonably necessary for the business’ functions and activities.
How can Macpherson Kelley help?
If you are unsure what this means for your business, how to appropriately destroy the COVID data, or for further assistance with your privacy and data protection requirements more generally, please contact our Privacy experts.
The information contained in this article is general in nature and cannot be relied on as legal advice nor does it create an engagement. Please contact one of our lawyers listed above for advice about your specific situation.