Businesses beware – legal risks when collecting vaccination information

Many businesses are now requiring proof of COVID-19 vaccination for their employees and those entering their premises. Most are aware that collecting and storing vaccination information comes with strict obligations under privacy legislation, but it is essential that businesses are also aware of important obligations concerning the collection, storage and use of vaccine information that contains an Individual Healthcare Identifier (IHI).

What you need to know

Some forms of proof of COVID-19 vaccination (including the COVID-19 Digital Certificate and the Immunisation History Statement) contain an individual’s IHI, a unique identifier primarily used to assist healthcare providers in communicating and accessing records.

The IHI is very sensitive personal information and is regulated by the Healthcare Identifiers Act 2010 (Cth) (HI Act), which only allows IHIs to be collected, used and disclosed in very limited circumstances relating to supporting healthcare. There are significant civil and criminal penalties for breach of the HI Act (including imprisonment for up to two years). Accordingly, in our view, businesses that are not healthcare providers should avoid collection of any information that includes an IHI due to the potential application of the HI Act.

Where a business does collect and store vaccination information containing IHIs, the HI Act requires that the business take reasonable steps to protect any IHIs it holds from misuse, loss and unauthorised access, modification or disclosure.

Please note that obligations under the HI Act are in addition to obligations under the Privacy Act 1988 (Cth).


We recommend that businesses consider the following options for managing information containing proof of vaccination status:

  • ask employees, contractors or visitors to show their proof of vaccination to a particular person within the business (e.g. the WHS manager), who records the individual’s vaccination status without the business storing the proof of vaccination information;
  • ask individuals to redact their IHI before they provide their proof of vaccination information to the business; or
  • request other forms of proof of vaccination that do not contain an IHI.

More information

If you have any queries or would like further information about this article, please contact:

Kathryn Speed
M: 0408 446 013

Ella Wade
T: (03) 6235 5161

Published: 18 January 2022

Copyright © 2023 Page Seager.