Have you deleted your COVID data?

During much of the COVID-19 pandemic, public health orders required businesses across Australia to collect vaccination information about workers and visitors to their premises.

Victorian stations may be aware of SafeWork Victoria’s recent advice that their state regulations require certain COVID-19 vaccination information to be deleted now (unless required to be kept under a different regulation).

Generally, no matter which state you operate within, it’s advisable to delete private health information such as vaccination information, when no longer required. We recommend that all stations carefully review the Office of the Australian Privacy Commissioner’s Guidance for businesses collecting COVID-19 vaccine information, which includes the following:

9. Make a plan to delete the information at the appropriate time

If you collect vaccination status information, it should be destroyed once it is no longer needed to verify the vaccination status of your customer or visitor. You should have internal systems and procedures in place to ensure that information is deleted at the appropriate time.

If you have collected customer and visitor vaccination status information in accordance with the requirements of a public health order or direction, you should comply with any provisions regarding retention periods for this information and, if there are none, destroy the information after a reasonable period of time. As a general measure, if you have retained information beyond 28 days, you should regularly review whether this is still reasonably necessary.

Stations should stay up to date with their data privacy obligations under state and federal laws and seek advice if in doubt.