FAQs about COVID-19 vaccination information
This FAQ answers some of the most common questions OVIC is asked about privacy and COVID-19 vaccination information.
This FAQ is current at 26 May 2022.
Can my employer collect my vaccination information?
Your employer can collect information about your vaccination status if this is required by law. Vaccination status relates to whether you are fully vaccinated, partially vaccinated, unvaccinated or you have medical grounds for being unable to be vaccinated.
In Victoria, most employers must collect, record, and hold vaccination information about any employee who is, or may be, scheduled to work outside their home. This is a legal requirement under Orders made by the Minister for Health.
What documents can my employer collect as proof of vaccination status?
Your employer may make a record that it sighted proof of your vaccination status but should not keep a copy of any documents you provided as evidence unless this is necessary.
You may provide your employer with proof of your vaccination status by using one of the following:
- COVID-19 digital certificate via the Service Victoria app;
- COVID-19 digital certificate saved to a smartphone wallet;
- Printed copy of COVID-19 digital certificate;
- Printed copy of immunisation history statement; and
- Eligible proof of vaccination exemption.
If a copy of a COVID-19 digital certificate must be collected, your employer should avoid collecting an Individual Health Identifier (IHI) that is shown on the certificate unless absolutely necessary. It can do so by:
- Asking an individual to provide a COVID-19 vaccination certificate from the Service Victoria app or downloaded to a smartphone wallet that does not display an IHI;
- Asking an individual to redact the IHI before providing a copy of the COVID-19 vaccination certificate;
- Redacting the IHI after an individual has provided a copy of the COVID-19 vaccination certificate, if they have not done so themselves.
For more information, see ‘What information should be recorded by employers?’ at coronavirus.vic.gov.au
What are my employer’s obligations when handling vaccination information?
Employers must only use or disclose vaccination information for the purpose of confirming your vaccination status unless a specific exception under privacy law or the Healthcare Identifiers Act 2010 (Cth) allows the use or disclosure for a different purpose.
Employers must also take reasonable steps to protect the vaccination information it holds from being lost, misused or subject to unauthorised access, modification or disclosure.
If an employer has collected an individual’s IHI, it should be aware of the privacy obligations regulated by the Healthcare Identifiers Act 2010 (Cth). Privacy guidance regarding Individual Healthcare Identifiers on COVID-19 digital vaccination certifications can be found on the Office of the Australian Information Commissioners (OAIC) website.
To ensure employers are not holding unnecessary information, they should consider:
- Removing or redacting IHI’s from any COVID-19 digital certificates that have already been collected.
- Creating a record that notes an individual’s proof of vaccination status has been sighted and deleting any certificates recorded.
Can venues I attend collect my vaccination information?
Patrons are not required to provide proof of vaccination to enter public venues (such as cafes, bars, cinemas, theatres etc) and there is no longer a legal requirement for venues to sight the vaccination status of patrons.
Who can I contact for more information?
The appropriate regulator to contact depends on the nature of the organisation and the nature of the information you are enquiring about:
- For enquiries about how medium and large private sector organisations handle personal information or how small businesses and Victorian Public Sector organisations handle Individual Health Identifiers, contact the Office of the Australian Information Commissioner (OAIC) on 1300 363 992 or via its enquiry form. OAIC also has a fact sheet about coronavirus vaccinations and employee rights and
- For enquiries about how Victorian Public Sector organisations or private sector organisations handle health information, contact the Health Complaints Commissioner (HCC) on 1300 582 113 or via its enquiry form.
- For enquiries about how Victorian Public Sector organisations handle personal (non-health) information, contact the Office of the Victorian Information Commissioner (OVIC) on 1300 006 842 or via email@example.com.
- For information about Victoria’s coronavirus response and regulations, visit vic.gov.au.