To keep or not to keep – Retention of employee COVID-19 vaccination information

It was not that long ago that many businesses were legally required to verify the COVID-19 vaccination status of employees in order to comply with pandemic laws which mandated that only fully or partially vaccinated workers could attend certain workplaces. Some businesses, whilst not subject to those laws, chose to implement their own workplace policies as a means of complying with work health and safety obligations, which often involved collecting vaccination evidence from staff and other visitors to the workplace.

Almost all of the pandemic laws which previously required businesses to collect vaccination information have now ceased operation, and many businesses have discontinued their previous practice of asking people to verify their vaccination status.

But what have businesses done with the information that was collected from employees and third parties? Has that information been destroyed, or has it been retained on employees’ personnel files or within other business records? This article considers business’ legal obligations with respect to the retention of COVID-19 vaccination information that was collected during the course of the pandemic.

Vaccination information about an individual constitutes ‘personal information’ under the Privacy Act 1988 (Cth) (Privacy Act).

For those organisations that are covered by the Privacy Act:

• vaccination information about employees will generally be treated as an exempt employee record, meaning that the requirements in the Privacy Act concerning retention of the information will not be binding. However, best practice is to abide by the Australian Privacy Principles (APPs);

• vaccination information about non-employees, such as visitors to the workplace or contractors, must be dealt with in accordance with the APPs.
  

Organisations that are not covered by the Privacy Act should also consider adopting the practices set out in the APPs.

In South Australia, there are no longer any specific pandemic laws which require businesses to retain vaccination information for a particular period of time, or to destroy that information within a particular timeframe.

Vaccination information about an individual constitutes ‘personal information’ under the Privacy Act 1988 (Cth) (Privacy Act).

For those organisations that are covered by the Privacy Act:

• vaccination information about employees will generally be treated as an exempt employee record, meaning that the requirements in the Privacy Act concerning retention of the information will not be binding. However, best practice is to abide by the Australian Privacy Principles (APPs);

• vaccination information about non-employees, such as visitors to the workplace or contractors, must be dealt with in accordance with the APPs.
  

Organisations that are not covered by the Privacy Act should also consider adopting the practices set out in the APPs.

Relevantly, APP 11.2 requires an organisation to take reasonable steps to destroy, or alternatively de-identify, information that constitutes ‘personal information’ if the organisation no longer needs the information for the purpose (or purposes) for which the information was originally collected by the organisation.

Most businesses initially collected vaccination information in order to comply with a specific pandemic law, or to comply with general work health and safety duties.

Noting that in South Australia there are no longer any specific pandemic laws in place which require businesses to collect vaccination information, it can no longer be said that a business needs that information in order to comply with those now defunct laws. Accordingly, it will only be lawful for a business to retain vaccination information if it can demonstrate that it still has a need for the information in order to comply with its work health and safety obligations

Businesses should assess their own circumstances in determining any need to retain vaccination information for this purpose. Relevant considerations include:

• the industry in which the business operates;
• the demographic of vulnerable people, or people with medical contraindications, who are present in the business’ workforce;
• COVID-19 vaccination rates of the general public in the locations where the business operates;
• the prevalence of COVID-19 cases in those locations;
• current medical advice in relation to COVID-19; and
• the relevancy and accuracy of the vaccination information.
  

It is not permissible to retain the information on a “just in case” basis, and in most cases it will be difficult for businesses to be able to demonstrate a need to retain what may well be out-of-date information.

Businesses that take steps to destroy vaccination information in their possession should take particular care to ensure that destruction results in the information being no longer capable of being retrieved.

Any hard copies of the information should be securely shredded, and in the case of electronically stored information, care should be taken to ensure that any back-ups are also destroyed. It may also be necessary to seek verification from offsite or cloud-based storage providers that the information has been effectively destroyed.

This article provides general commentary only. It is not legal advice. Before acting on the basis of any material contained in this article, seek professional advice.

The authors would like to thank Lachlan Chuong for his assistance with this article.

Our workplace team advises and represents clients in all areas of employment and industrial law, from day-to-day advice to support on specific issues.

We’ve helped our clients achieve their goals by structuring commercially effective workforce arrangements which protect intellectual property, confidential information, business contacts and goodwill. We also advise on disciplinary issues including misconduct, performance management, workplace grievances, bullying and discrimination, and have assisted with confidential legal investigations.

Find out how our expert workplace team can assist your business.