Collecting COVID-19 vaccination certificates from customers or employees poses a serious legal and cyber security risk to businesses, one that exposes them to lawsuits, hefty fines and even executive jail sentences if the data isn’t handled properly, experts warn.
The risk is so grave that businesses that have already stored images of government-issued vaccination certificates from employees or customers are advised to scour their email or human resource systems and delete the images, or at the very least remove a sensitive piece of information prominent on the certificate that exposes businesses to a “world of data security pain”, one expert says.
As part of state and federal requirements for emerging out of the pandemic lockdown, businesses are asked to check whether customers and employees are vaccinated before allowing them to enter their premises.
Businesses storing information about whether someone has been vaccinated are therefore storing health information, quite possibly for the first time, exposing them to the Privacy Act, which requires they take “reasonable steps” to secure that information, said Anna Johnston, a former NSW deputy privacy commissioner who runs her own data privacy consultancy, Salinger Privacy.
Worse than that, the federal government certificates contain a unique identifier, known as the Individual Health Identifier (IHI), that is covered by its own law, with much stricter data security requirements and with punishments that could include jail if that one piece of data is mishandled, Ms Johnston told The Australian Financial Review.
IMPORTANT NOTICE FOR BUSINESS & CUSTOMERS (Australia Wide) – Vaccine passports – don’t ask, don’t tell.
Legal Advice from RDA’s In-house Legal Team
IMPORTANT NOTICE FOR EMPLOYERS (Australia Wide) – Vaccines & Medical Privacy
If you have already provided your vaccination status, request that your employer prove how they are keeping your medical records private, and state that you want a written response setting out the measures they have taken to protect your private medical records. There are severe penalties for businesses that do not comply.
Based on the employer’s response, you can request that the records be destroyed. If you are not satisfied with your employer’s response about how they are protecting your medical privacy, talk with other staff members and look at taking workplace action to force your employer to comply with Medical Privacy Laws.
If you are asked in future to provide further medical records, please read this document, as you are not required by the Privacy Laws to provide that to anyone. This is your medical privacy and you have rights!