the rise of omicron: privacy policy compliance for your business
With borders opening 13 December and new public health directions effective from 17 December 2021, businesses in Queensland will soon join their southern counterparts in being able to operate at normal capacity. However, the catch is that for this to happen, everyone at the specified business (including staff and patrons) must be double vaccinated. The collection of vaccination status information poses a dilemma for many small businesses that previously didn’t need to have a privacy policy and didn’t need to comply more generally with the Privacy Act.
privacy risks
On the one hand, if vaccination status information is collected by the business, then it must be collected in accordance with Australia’s privacy laws, which means you must have a compliant privacy policy (and other compliance measures in place), or you risk being fined $5,000 or more by the Australian Privacy Commissioner. On the other hand, if vaccination status information isn’t collected, the business might not be able to adequately demonstrate that it is complying with the vaccination status legislative requirements.
Businesses that already have a privacy policy will also be impacted, as an individual’s vaccination status is classified as “sensitive” health information under Australian privacy laws. This means that higher standards apply to who can collect this information, how it is collected, who it is shared with, what it is used for and how it is stored. Businesses will need to ensure their privacy policy complies with these higher standards, and most existing privacy policies do not address them.
keeping privacy compliance front of mind
While there are simple solutions to keep your business compliant, it’s always prudent to seek professional legal advice while navigating the fast-approaching changes.
That being said, our team has compiled some simple recommendations to implement prior to 13 December to guide you along the right path.
- Have a compliant privacy policy that enables your business to collect vaccination status information in accordance with the Australian Privacy Principles.
- Ensure your staff are aware of collection protocols, including:
  - how to record vaccination status, whether as a digital copy, a paper record, or both;
  - only obtaining and keeping the bare minimum information required to demonstrate the vaccination status of the individual;
  - only sharing/disclosing the bare minimum of that information to people within the business who truly need to know;
  - informing patrons of why and how the data is collected; and
  - informing patrons of how they can access, correct and complain about the personal information held about them.
- Store the vaccination status information securely and only for as long as is reasonably necessary.
- Plan for the deletion of the vaccination status information once it is no longer required (or if a patron requests that it be deleted).
At Macpherson Kelley, we have created effective solutions to the above that can be implemented immediately for your businesses. Whether you require a review of your privacy policy to determine if it complies, a new policy, or drafted communications for staff, site visitors and/or patrons, please contact Mark Metzeling or Kelly Dickson. Our experts would be delighted to assist your business with timely and practical advice to help you comply with the Australian Privacy Principles.
For more information, please read the Australian Privacy Commissioner’s COVID-19 data collection page.
The information contained in this article is general in nature and cannot be relied on as legal advice nor does it create an engagement. Please contact one of our lawyers listed above for advice about your specific situation.