Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

APAC-CIS: COVID-19 vaccination status - What can employers collect? Part one

After more than two years since the outbreak of the global COVID-19 pandemic, challenges and rapidly changing requirements in terms of privacy, data protection, and disclosure of the employees' vaccination status in the context of employment are at the forefront. This Insight series looks across a variety of countries with regards to which information employers can collect, outlining the local requirements in Australia, New Zealand, and Singapore in part one and in China, Japan, India, and Russia in part two.

BlackJack3D / Signature collection / istockphoto.com

Australia

Australian privacy requirements in relation to COVID-19 vaccination status are complex due to the lack of uniformity between State, Territory, and Federal laws and the interplay of public health orders, corporate vaccination policies, and Federal privacy law. These requirements are also constantly in flux with new State/Territory public health orders ('PHOs') or other laws being imposed for all workers or in specific sectors, and altered or withdrawn from week to week.

In this Insight article, we refer to:

  • vaccination status evidence ('VSE'), being documentation that proves that an employee has been vaccinated; and
  • vaccination status information ('VSI'), being a yes/no flag as to whether an employee is fully vaccinated against COVID-19 (e.g. after VSE has been sighted, but not retained).

Both VSE and VSI are 'health information' and therefore also 'sensitive information' and fall within the umbrella of 'personal information' under the Privacy Act 1988 (No. 119, 1988) (as amended) ('Privacy Act').

What are the rules (if any) surrounding the collection and use of vaccination data?

Subject to limited exemptions, private sector organisations in Australia are subject to the Privacy Act when collecting and/or using personal information, including VSE and/or VSI. An organisation may only lawfully collect VSE and/or VSI if:

  • it is expressly required or authorised by law to collect that specific information (Australian Privacy Principle ('APP') 3.4); or
  • the information is reasonably necessary for one or more of the organisation's day-to-day functions or activities and the individual provides informed consent to the collection of their VSE or VSI (as applicable) (APP 3.3(a)).

These two alternative pathways are explained in turn as follows:

Required or authorised by law

Matters relating to public health and generally such responsibilities lay with the States and Territories rather than the Federal Government. Different States and Territories have significantly different PHOs. Even the structure of PHOs for different sectors can differ between States and Territories. If an organisation intends to rely on a PHO to justify the collection and/or use of VSE or VSI, it must determine (and, we suggest, seek legal advice on) whether the PHO:

  • applies to its staff; and
  • expressly requires of authorises the collection of the VSI or VSE (as the case requires).

As of December 2021, at the time of writing, New South Wales has PHOs in force covering, for example, education and healthcare workers. Each of these two PHOs include an obligation to sight and verify evidence documentation, but do not require or authorise recording or collecting any sensitive information. An organisation could not, therefore, rely on these two PHOs to justify the collection of VSE or VSI because such collection is not ‘required or authorised by law’.

At the time of writing, Victoria has in force a PHO that applies to all workers (not solely working from home) that requires the employer to collect, record, and hold VSI about a worker before that worker is permitted to come on site (e.g. return to the office) or work anywhere outside the worker's home.

Further to these, as of December 2021, at the time of writing, Western Australia has numerous PHOs in force, including two with overlapping application for many organisations (relating to resources industry workers and port workers), one of which authorises collection of VSI and one that does not.

PHOs are dynamic, constantly changing, and often their wording is not clear as to what, if anything, is required require or authorised to be collected or disclosed to others (e.g. to clients). This creates a significant challenge for employers to keep up, in particular where there are employees in multiple sectors and/or States, as well as Territories.

Reasonably necessary and informed consent

Where a PHO does not expressly require or authorise the collection of VSE or VSI, an organisation (subject to the Privacy Act) must consider collection under the Privacy Act and whether the collection of VSE or VSI is reasonably necessary for its day-to-day functions and activities. It is not enough that an organisation simply wants to collect the VSE or VSI – the organisation must be able to identify a link to its functions and activities and that the collection is reasonably necessary for the performance of those functions and activities.

Once the connection is established, there is also a requirement for informed consent from the individual. That is, each employee must consent to appropriate privacy wording (e.g. in a privacy collection statement ('PCS')) before their VSE or VSI may be collected. The PCS will be in addition to the existing employee privacy policy, and must cover what is being collected, what it will be used for, who it will be disclosed to, and, of course, a trigger for consent to the collection, use, and disclosure of such data on the terms of the PCS.

The distinction between VSE and VSI is useful under the overarching Privacy Act obligation of data minimisation. As re-iterated by the Australian Privacy Commissioner and the seven of her State and Territorial counterparts in September this year under the National COVID-19 Privacy Principles, 'the collection of personal information, including sensitive information, such as health information, should always be limited to the minimum information reasonably necessary to achieve a legitimate purpose. This includes considering alternative solutions which achieve the same purpose and do not require personal information to be collected into a record'.

Put into practice, data minimisation means that if collecting VSI is 'good enough' to serve the required purpose and VSE is not reasonably required for that purpose (or is not expressly required or authorised by a PHO), only VSI should be collected. Further, in the absence of a specific PHO requirement, if simply sighting proof of vaccination is 'good enough' (i.e. without collecting any information) to serve the required purpose, then neither VSI nor VSE should be collected.

Use after collection

Once the VSE or VSI is collected, the organisation may only use it for the consented-to purpose(s) (e.g. those purposes specified in the PCS) for which it was collected (APP 6.1(a)). If the organisation later decides to use the information for an additional purpose, it may only do so if that additional purpose is expressly required or authorised by law (e.g. a PHO) (APP 6.2(b)) or where it goes back to the individual and obtains their consent to the additional purpose (APP 6.1(a)) and that purpose is reasonably necessary for the organisation's day-to-day activities.

What would be the appropriate legal basis for such processing?

Australian privacy law does not employ the concept of 'legal basis'. However, as outlined above, a private sector organisation in Australia may legally collect VSE and/or VSI if:

  • it is expressly required or authorised by law to collect that specific information; or
  • the information is reasonably necessary for one or more of the organisation's day-to-day functions or activities and the individual provides informed consent to the collection of their VSE or VSI (as applicable).

Examples of a 'reasonable necessity' for the activities of an organisation to collect VSI would be where:

  • a PHO applies which, while the PHO does not expressly authorise the collection, the organisation reasonably determines the collection of VSI is required to meet its obligation for the relevant workers under that PHO; or
  • the organisation determines that, in order to meet the requirements of its risk-assessed vaccination policy, the collection of VSI is reasonably required.

It is hard to see the 'reasonable necessity' test ever being met for a 'voluntary' vaccination policy or where (in the absence of a PHO as noted above) no vaccination policy has been adopted by the organisation.

Is an organisation permitted to ask employees or visitors for their vaccination status prior to permitting them to enter the workplace?

Yes, if this is in accordance with a PHO or an organisation's vaccination policy (or the organisation's landlord's vaccination policy). An organisation may ask to see the employees' and visitors' vaccination status prior to permitting them to enter the workplace and may allow only vaccinated persons to enter (and persons legitimately exempted from vaccination who have a recent rapid antigen test with a negative result). However, for visits, in the absence of a PHO requiring/authorising it, it is unlikely that the collection of VSI (let alone VSE) would be justified under the Privacy Act.

Is an organisation allowed to disclose information on COVID-19 results within the company and/or to health authorities?

The Privacy Act, and APP 11.1 in particular, requires an organisation to take reasonable steps to protect the security of personal information and, in the case of sensitive information (e.g. VSI and VSE), this is a more onerous obligation (as re-iterated in the National COVID-19 Privacy Principles). Sharing employees' and/or visitors' COVID-19 results within an organisation (other than to those who need access to such information to perform a role requiring such information) will fall foul of the requirement to protect the information. Given the sensitivity of COVID-19 vaccination status or test results, strict security protections are required (e.g. encrypted database and role-based access restrictions).

Under the Privacy Act, disclosure of health information (i.e. externally to a third party) generally requires the consent of the individual to whom the information relates. Unless expressly required or authorised under a PHO, if an employer is planning to disclose COVID-19 results outside the organisation, it should have obtained the consent of the employee to such disclosure in the PCS (even if such disclosure is contractually required). However, even without a PHO, disclosure to certain health authorities is permitted under the Privacy Act where a 'permitted health situation' (as defined in the Privacy Act) exists (APP 6.2(d)).

In addition, the organisation should consider whether the relevant disclosure is 'reasonably necessary' for its activities (even if consented to) if such is not required or authorised under a PHO, or required by contract. Care must also be exercised when applying PHOs. PHOs often place limitations on the disclosure of COVID-19-related information, with severe penalties for breach.

How long is an organisation required to keep/store vaccination data?

In the case of employees (as opposed to independent contractors and other visitors to an employer's site), once VSE or VSI is collected that information may become subject to the 'employee records exemption' under Section 7B(3) of the Privacy Act. This generally exempts the Privacy Act obligations that would otherwise apply, including in relation to the retention and deletion of VSE or VSI. However, given the exceptional nature of a pandemic and the information collected relating to such, it is likely that the Privacy Commissioner may find that COVID-19 vaccination status test results are not employee records and thus not subject to the exemption. In addition, applicable PHOs may also place limitations on the holding of VSE and VSI.

In the cases of independent contractors, visitors to an employer's site - we also recommend the same for employees, unless a PHO otherwise requires -, any VSE or VSI collected (as applicable) must be deleted as soon as it is no longer necessary for the purposes for which it was collected. For example, if the organisation's COVID-19 vaccination policy is changed or the PHO ceases to apply such that there is no longer a need to prove vaccination status then any VSE or VSI held for this purpose will need to be deleted very soon after this (e.g. unless there is a good reason for not doing so). Again, applicable PHOs may also place limitations on the holding of VSE and VSI.

Any additional information?

With the dynamic regulatory environment as PHOs come and go, organisations should:

  • develop a clear risk-assessed COVID-19 vaccination policy codifying expectations for employees, contractors, and site visitors; and
  • following on health and safety and workplace requirements (e.g. consultations with employees).

The COVID-19 vaccination policy might then be used, where appropriate, as the basis to justify the organisation's collection, use, and disclosure of VSE or VSI, as appropriate, under a suitable PCS which individuals read and for which consent is obtained prior to their VSE or VSI being collected. Employers should exercise great care to comply with privacy obligations in relation to the collection, use, and disclosure of COVID-19 vaccination status and test rules despite the difficulty of that undertaking in the current Australian landscape. The Office of the Australian Information Commissioner ('OAIC') is currently energetic in its investigatory and enforcement activities (especially in relation to sensitive information). Fines of up to AUD 2.22 million (approx. €1.39 million) for breaches of the Privacy Act may be imposed and this is soon to increase to the greater of AUD 10 million (approx. €6.28 million) or 10% of any organisation's annual local turnover.

New Zealand

What are the rules (if any) surrounding the collection and use of vaccination data?

Information about a person's vaccination status is 'personal information' and therefore subject to the requirements of the Privacy Act 2020 ('the Act').

Under the Act, the organisation collecting the information must ensure that:

  • the information is collected for a lawful purpose;
  • the means of collection are fair and not unreasonably intrusive;
  • the information is collected directly from the individual (in most cases);
  • only the information necessary for the lawful purpose is collected; and
  • the organisation has taken reasonable steps to ensure the individual is aware of certain matters, including the fact of collection, the purposes of collection, the consequences for the individual if they do not provide their information, and the individual's rights to access and request the correction of their information.

In addition, the recently enacted COVID-19 Response (Vaccinations) Legislation Act 2021 amended the COVID-19 Public Health Response Act 2020 ('COVID Response Act') by, among other things, setting out additional rules when it comes to using and disclosing vaccine information (see below).

What would be the appropriate legal basis for such processing?

The appropriate legal basis for using or disclosing vaccination information would generally be that such use or disclosure is consistent with one of the purposes for which that information was obtained (or a directly related purpose).

However, under the COVID Response Act, vaccine information collected for the purpose of determining whether the individual is vaccinated, has been issued with a COVID-19 vaccination certificate, or has complied with the COVID Response Act or a COVID-19 order must only be used, held, or disclosed for the following purposes:

  • determining whether an individual is vaccinated or has been issued with a COVID-19 vaccination certificate;
  • demonstrating or ascertaining compliance with the COVID Response Act;
  • enforcing the COVID Response Act or a COVID-19 Government Order; or
  • complying with the Health Act 1956.

A person who intentionally fails to comply with the above requirements commits an offence, punishable in the case of an individual by imprisonment for a term not exceeding six months or a fine not exceeding NZD 12,000 (approx. €7,020), and in all other cases, by a fine of up to NZD 15,000 (approx. €8,780).

Is an organisation permitted to ask employees or visitors for their vaccination status prior to permitting them to enter the workplace?

Yes, provided that the organisation can establish that the organisation has a lawful purpose for collecting that individual's vaccination status.

A lawful purpose may arise if:

  • the organisation, having carried out a health and safety risk assessment, has determined that an appropriate health and safety risk mitigation measure is to require all persons present at the workplace are vaccinated and accordingly, the organisation needs to know each employee or visitor's vaccination status to implement that measure; and/or
  • under New Zealand's 'traffic light' system of COVID restrictions under the COVID-19 Public Health Response (Protection Framework) Order 2021 ('the Order'), the organisation wishes to operate in accordance with the 'CVC rules' which limit entry into the organisation's workplace to those persons who are vaccinated (or under the age of 12).

However, organisations operating certain workplaces where essential services are offered (including supermarkets, pharmacies, petrol stations, and most public transport services) must not deny a visitor access to 'designated premises' on the basis of their vaccination status.

A straightforward way to determine whether an individual is vaccinated is by asking to view that individual's COVID-19 vaccination certificate (known as 'My Vaccine Pass'), which is an official, Government-issued record of vaccination, available for download on most smart phones or as a printable paper certificate.

Can an organisation collect or ask for proof of vaccination and/or testing records?

An organisation may ask for proof of vaccination and/or testing records if that organisation has a lawful purpose for collecting that information.

However, an organisation should only collect as much information as it needs. For instance, it is very unlikely to be necessary to view an individual's full health record to determine whether they have been vaccinated or tested negatively on a recent occasion.

In most cases, asking to view an individual's 'My Vaccine Pass' for the purposes of ascertaining whether that person is vaccinated will be sufficient.

An organisation may also have a lawful purpose for asking for proof of a recent negative test, but this should be assessed on a case-by-case basis. For instance, the organisation may have a lawful purpose for viewing the individual's testing record in circumstances where the organisation has carried out a health and safety risk assessment and determined that an appropriate health and safety risk mitigation measure is to obtain proof of a negative test from the individual.

Is an organisation allowed to disclose information on COVID-19 results within the company and/or to health authorities?

Under the Act, an organisation may disclose COVID-19 testing results within the organisation and to third parties only if such disclosure is either:

  • for the purposes for which that organisation obtained that information;
  • for one of the other limited grounds under the Privacy Act; and/or
  • required or permitted by law, for instance for the purposes of demonstrating compliance with the Order.

How long is an organisation required to keep/store vaccination data?

New Zealand law does not generally require an organisation to hold vaccine data for a set period of time.

Under the COVID Response Act, information collected by an organisation for the purpose of determining whether the individual is vaccinated, has been issued with a COVID-19 vaccination certificate, or has complied with the COVID-Response Act or a COVID-19 order must only be held for so long as is necessary for the following purposes:

  • determining whether an individual is vaccinated or has been issued with a COVID-19 vaccination certificate;
  • demonstrating or ascertaining compliance with the COVID Response Act;
  • enforcing the COVID Response Act or a COVID-19 Government order; and/or
  • complying with the Health Act 1956.

Singapore

Would vaccination data constitute personal data?

Vaccination data may include information about the employee as well as their vaccination status.

Personal Data Protection Act

The Personal Data Protection Act (No. 26 of 2012) ('PDPA') is the primary legislation in Singapore that governs the collection, use, and disclosure of personal data by private organisations, including employers. The PDPA imposes nine obligations on organisations with respect to the protection of personal data of employees. These obligations relate to consent, purpose limitation, retention limitation, security, access and correction, accuracy, transfer limitation, and openness, when collecting, using, disclosing, or transferring personal data.

The Personal Data Protection Commission ('PDPC') is the statutory body which administers and enforces the PDPA. The PDPC is also responsible for promoting awareness of data protection in Singapore and has published numerous advisory guidelines which are non-binding, but provide guidance on how the PDPC would handle complaints, reviews, and investigations of breaches of the PDPA in practice.

Vaccination data as personal data

Personal data is defined under the PDPA as data, whether true or not, about an individual who can be identified from that data, or from that data and other information to which the organisation has or is likely to have access. Vaccination data about a particular individual (including their vaccination status) is likely to fall within this wide definition of personal data, especially where it includes a combination of data or includes data (for example, name, email address, National Registration Identity Card (‘NRIC’) number, Foreign Identification Number (‘FIN’), or passport number) that, when viewed with other information an organisation or employer has, or is likely to have, access to, can be used to identify the individual to which it relates.

What are the rules (if any) surrounding the collection and use of vaccination data?

The Consent Obligation

As a general rule, under Section 13 of the PDPA, organisations must obtain the consent of an individual prior to the collection, use, or disclosure of their personal data ('the Consent Obligation'). The individual must have been notified of the purposes for which the collection, use, or disclosure of their personal data will be undertaken before such consent is considered to have been validly given.

However, the consent of such individuals is not required in certain prescribed circumstances which are exempted from the Consent Obligation under Section 17 of the PDPA, read with the First and Second Schedule of the PDPA, or where the collection, use, and disclosure of an individual's personal data is required or authorised under any other law, although organisations must still comply with other obligations under the PDPA applicable to any such personal data which has been collected.

The prescribed exemptions under the PDPA include the collection, use, and disclosure of the personal data of employees as is reasonable for the purposes of managing employment relationships with the relevant individual (Paragraph 10 of Part 3 of the First Schedule to the PDPA) ('the Employee Management Exemption'), or as may be necessary for the purposes of responding to an emergency threatening the life, health, and safety of other individuals (Paragraph 2 of Part 1 of the First Schedule to the PDPA) ('the Emergency Response Exemption'). In these cases, while consent is not required, the relevant individual ought to be notified of the purposes of such collection, use, or disclosure.

While the PDPA does not specify any manner or form in which an organisation is to notify the individual of the purposes for which it is collecting, using, or disclosing the individual's personal data, the organisation should determine the best way of doing so, such that the individual is provided with the required information to understand the purposes for which their personal data is collected, used, or disclosed, e.g. for tracking vaccination status to adhere to the Singapore Government's rules on differentiated measures in response to the COVID-19 pandemic. Typically, a simple and visible message notifying the relevant individual of the purpose for which their personal data is being collected, displayed along with a form or such other medium used to collect an employee's vaccination data, ought to suffice.

With respect to the Employee Management Exemption, the collection and use of personal data for the purposes of managing of employee work-schedules, employee deployment, and health and safety at work has been recognised as purposes which could fall within the Employee Management Exemption.

Further, the Updated Advisory on COVID-19 Vaccination at the Workplace issued on 23 October 2021 by the Ministry of Manpower ('the Workplace Management Advisory') sets out certain workplace safety measures to be implemented and effective from 1 January 2022, including a requirement for employers to ensure that employees who are allowed to enter into and work from the workplace have either been vaccinated or recovered from COVID-19 within 270 days prior to their return to the workplace. Employees who are unvaccinated on the other hand, must have obtained a negative test result (i.e. at least 24 hours before their intended time of entry) before they can be permitted to return to the workplace. To facilitate employers' compliance with these requirements, the Workplace Management Advisory further recognises that the collection of an employee's vaccination status by an employer is permitted for the purposes of planning the deployment of its employees. As stated above, the collection of personal data for such purposes is expected to fall within the Employee Management Exemption under the PDPA.

The Purpose Limitation

Where the personal data of an individual has been collected, an organisation must not use or disclose such personal data for a purpose to which the individual has not consented (even if the relevant individual has consented to the collection, use, and disclosure of their personal data for other purposes), or for which there is no applicable exemption from the Consent Obligation ('the Purpose Limitation'). In such cases, the employer or organisation must first ensure employees have either consented to, or been notified of, the additional purposes for which their personal data which has been collected by the organisation is to be used or disclosed.

Other obligations in relation to personal data collected

Apart from the Consent Obligation and Purpose Limitation, organisations are also subject to the following obligations in respect to how personal data that has been collected is to be processed. In summary:

  • where such personal data is in its possession or control, upon a reasonable request of the individual to which the personal data relates, the organisation has to ('the Access and Correction Obligation'):
    • provide such individual with their personal data and information about the ways in which the personal data may have been used or disclosed during the past year; or
    • correct an error or omission in respect of such personal data;
  • make reasonable efforts to ensure that personal data collected by or on its behalf which is likely to be used to make a decision affecting the relevant individual or is likely to be disclosed to another organisation is accurate and complete ('the Accuracy Obligation');
  • make reasonable security arrangements to protect any such personal data in its possession or under its control to prevent unauthorised access, collection, use, modification, or disposal of such personal data, and the loss of any storage medium on which such personal data is being stored ('the Protection Obligation');
  • cease to retain any such personal data or ensure that such personal data is no longer capable of being associated with the relevant individual, as soon as it is reasonable to assume that the purpose for which such personal data was collected is no longer being served by its retention, and the retention of such data is no longer necessary for legal or business purposes ('the Retention Limitation Obligation');
  • ensure that any transfer of personal data to a country or territory outside of Singapore is done in accordance with the requirements prescribed under the PDPA, which include ensuring that such transferred personal data is afforded a similar level of protection as that which is required under the PDPA in the country or territory outside of Singapore ('the Transfer Limitation Obligation');
  • where there has been a data breach, assessing whether such breach is notifiable and if required, to notify any affected individuals and/or the PDPC accordingly ('the Data Breach Notification Obligation'); and
  • to implement policies and procedures which are necessary to enable it to meet its obligations under the PDPA and ensure that such information on such policies and procedures are publicly available (the 'Accountability Obligation').

What would be the appropriate legal basis for such processing?

As stated above, where the purpose for which personal data is being processed does not fall within the prescribed exemptions from the Consent Obligation in the First and Second Schedule of the PDPA, the organisation must first obtain the consent of the relevant individual. This can take the form of consent that is recorded in writing or in a manner that is accessible, such as having the employee checking off on a consent box as part of a vaccination data collection form, which will then be retained by the employer.

Is an organisation permitted to ask employees or visitors for their vaccination status prior to permitting them to enter the workplace?

The Workplace Management Advisory recognises that employers are permitted to collect an employee's vaccination data for the purposes of planning deployment at the workplace. To provide further context, this is to facilitate compliance with the Workplace Management Advisory, which as indicated above requires employers to only permit employees (save for those who are medically ineligible for vaccination) who are vaccinated or have recovered from COVID-19 within 270 days to return to the workplace from 1 January 2022 onwards. If an employee is unvaccinated, they should not be allowed to enter the workplace unless the employee has obtained a negative test result (i.e. at least 24 hours before their intended time of entry).

Visitors

There is no specific prohibition restricting an organisation's ability to require a visitor to provide their vaccination status as a condition for entry into the organisation's premises. Under the COVID-19 (Temporary Measures) (Control Order) Regulations 2020, organisations may also be required to, as far as reasonably practicable, establish and apply appropriate procedures and controls to enable or facilitate contact tracing of visitors to their premises and deny entry to visitors who refuse to comply with such measures. This includes the implementation of Government-developed 'TraceTogether' and 'SafeEntry' systems, which involve the collection of the personal data of visitors and employees entering the workplace for contact tracing purposes.

Nevertheless, insofar as the personal data of visitors are being collected as part of this process, the organisation would have to ensure that it complies with the relevant obligations under the PDPA, including the Consent Obligation as may be applicable and such other obligations in relation to the processing and protection of such personal data which has been collected, such as the Protection Obligation (making reasonable security arrangements to protect the data being collected).

Can an organisation collect or ask for proof of vaccination and/or testing records?

Yes. Apart from vaccination data, the Workplace Management Advisory permits employers to require employees to provide proof of vaccination before reporting to the workplace. In the case of unvaccinated employees, employers may also request for such employees to produce their test results, given that a negative test result is required for such unvaccinated employees to work from the workplace. Where employees refuse to produce proof of vaccination and/or testing records, such employees may be treated as unvaccinated individuals and/or should be denied entry to the workplace.

Is an organisation allowed to disclose information on COVID-19 results within the company and/or to health authorities?

Yes, provided that, where such COVID-19 results constitute personal data, the disclosure is being made for either:

  • a purpose to which the relevant individual has consented to; or
  • which fall within one of the exempted purposes set out in the First or Second Schedule of the PDPA, provided that any applicable requirements have been met (e.g. the Employee Management Exemption, and provided that the relevant individuals have been notified of the purposes).

In particular, the PDPC has recognised that the collection and subsequent disclosure of personal data to health authorities is permitted for the purposes of undertaking contact tracing exercises in the event that there is a COVID-19 case in the workplace or premises of the organisation and falls within the Emergency Response Exemption.

For completeness, where the COVID-19 results disclosed cannot be used to identify the relevant individuals and hence do not constitute personal data, the consent of the individuals to which it relates will not be required for such disclosure. In other words, consent would not be required for the disclosure of COVID-19 results which have been anonymised or aggregated such that the dataset being disclosed cannot be used, or used with other data that the organisation may, or may reasonably, have access to, to identify any particular individual to which it relates.

How long is an organisation required to keep/store vaccination data?

There is no requirement for an organisation to keep or store vaccination data for a specific duration. However, the Retention Limitation Obligation requires an organisation to cease to retain personal data or remove the means by which the personal data can be associated with particular individuals, as soon as it is reasonable to assume that the purpose(s) for which that personal data was collected is no longer being served by retention of the personal data, and the retention is no longer necessary for legal or business purposes. What is considered reasonable is typically determined with regard to the purposes for which the personal data was collected and the legal or business purposes for which the retention of personal data may be necessary. Where the vaccination data is no longer needed for the purpose it was collected, it should be expunged or deleted.

Keshawna Campbell Lead Privacy Analyst
[email protected]
Chanelle Nazareth Privacy Analyst
[email protected]

Comments provided by:
Alec Christie Partner
[email protected]
Clyde & Co, Sydney
James Wong Associate
[email protected]
Clyde & Co, Melbourne
Angela Flannery Partner
[email protected]
Holding Redlich, Sydney
Clare Giugni Law Graduate
[email protected]
Holding Redlich, Sydney
Hayley Miller Partner
[email protected]
Dentons Kensington Swan, Auckland
Campbell Featherstone Senior Associate
[email protected]
Dentons Kensington Swan, Auckland
Chester Toh Partner and Head of Integrated Regulatory Practice
[email protected]
Rajah & Tann Singapore LLP, Singapore
Joshua Law Associate
[email protected]
Rajah & Tann Singapore LLP, Singapore