The Government has recently announced that once the “traffic light system” comes into force, employers subject to the mandate will be required to keep records of their employees’ vaccination statuses.

It is already clear that an individual’s vaccination status is their personal information. Therefore, when an employer collects this information, there are considerable privacy considerations that they must take into account.

Perhaps the most immediate of those concerns is how and where employers are storing information about their employees’ vaccination status to ensure that it is kept safe and secure.

How must personal information be stored?

The Privacy Act emphasises that employers must ensure that personal information about employees is protected by such security safeguards as are reasonable in the circumstances. The Act explains that those safeguards are to protect against loss, unauthorised access, use, disclosure, or other “misuse”.

Although many individuals may not be concerned with others knowing their vaccination status, or may even happily share it, some will keep it closely personal for a variety of reasons. This means that the safest approach is to treat every employee’s vaccination information as “sensitive information” and protect it accordingly.

What are reasonable safeguards?

There is often confusion surrounding what “reasonable safeguards” amount to when protecting sensitive information. In the context of a business, keeping client files on a password protected computer system where all employees can access them for work purposes is likely to be reasonable, but that approach does not necessarily translate to this situation of protecting employee vaccination information.

Many employers must turn their mind to the risk of employee browsing. Employee browsing occurs where employees access the personal information of others without good reason, and would extend to employees accessing their co-workers’ vaccination information.

Ultimately, all employers will need to store employee vaccination information in a way that securely restricts access to only those that legitimately require it (e.g. to assess compliance with the mandate and/or provide the information to authorities when required).

What are the consequences for failing to protect personal information?

Failing to adequately protect the personal information of employees may result in a notifiable privacy breach (depending on the nature of the breach), which may legally require the employer to report the breach to the Office of the Privacy Commissioner. It is worth bearing in mind that failing to report a notifiable privacy breach can result in a fine of up to $10,000.  Privacy breaches can also have major reputational consequences which extend far beyond the financial implications.

If you are uncertain about how to safely store your employees’ personal information, including their vaccination status, it is wise to consult a privacy professional experienced in the area.



0800 733 424