Information Commissioner releases privacy guidance on Healthcare identifiers on digital vaccination certificates

March 10, 2022

The Information Commissioner has issued privacy guidance on Individual Healthcare Identifiers (“IHIs”) on vaccination certificates. This is in addition to the guidance titled Privacy guidance for businesses collecting COVID-19 vaccination information, issued on 12 November 2021.

The guidance provides:

The Office of the Australian Information Commissioner (OAIC) is the independent regulator of the Privacy Act 1988 (Privacy Act) and is also the independent regulator of the privacy aspects of the Healthcare Identifiers Act 2010 (HI Act). The Privacy Act and the HI Act jointly govern how IHIs on an individual’s COVID-19 digital certificate can be collected, used and disclosed.

Generally, only APP entities – including organisations with an annual turnover of $3 million or more and Australian Government agencies – have obligations under the Privacy Act. However, individuals and state and territory authorities who handle an IHI also have privacy obligations under the HI Act. Failure to meet these obligations may attract civil or criminal penalties.

Key privacy tips

    • Don’t collect a COVID-19 digital certificate if it is not required – sight a copy of the certificate instead.
    • If a copy of a COVID-19 digital certificate must be collected, do not collect an IHI.
    • Consider removing or redacting IHIs from any COVID-19 digital certificates that have already been collected and stored in a record.
    • Understand the privacy obligations that apply once you have collected an IHI.

COVID-19 digital vaccination certificates

[Figure: example of a COVID-19 digital certificate]

Individuals who have received a COVID-19 vaccination in Australia (or cannot receive a vaccination for medical reasons) are able to get proof of their vaccination in several ways, including through their Medicare online account through myGov, the Express Plus Medicare mobile app, their My Health Record or through the Individual Healthcare Identifiers service in myGov for those who are not eligible for Medicare.

See the Department of Health’s website for more details on how to obtain a COVID-19 digital certificate.

A COVID-19 digital certificate contains personal information, including:

    • full name, as recorded on the Australian Immunisation Register
    • date of birth
    • Individual Healthcare Identifier, if applicable
    • COVID-19 vaccination status
    • brand names of the vaccinations you received, if applicable
    • dates that you received the vaccinations, if applicable
    • valid from date
    • valid to date, if applicable.

The COVID-19 digital certificate draws this personal information from the Australian Immunisation Register which records vaccinations given to people in Australia. Individuals who have been vaccinated overseas can have their vaccination recorded on the Australian Immunisation Register by a recognised vaccination provider.

Not all versions of the COVID-19 digital certificate contain an IHI and it is preferable that IHIs are not collected. For more information on COVID-19 digital certificates see Services Australia’s website.

Individual Healthcare Identifiers

An IHI is a unique 16-digit number used to identify an individual for healthcare purposes. If you have a Medicare card, are enrolled in Medicare or have a Department of Veteran’s Affairs card, you will have an IHI. The Healthcare Identifiers Service has automatically allocated one to you. If you are not eligible for Medicare, you can apply to receive an IHI.

An IHI is deemed to be personal information under the HI Act and the Privacy Act. In the context of inclusion in a COVID-19 digital certificate, an IHI is also considered to be sensitive health information under the Privacy Act, meaning that additional protections and obligations – such as the Australian Privacy Principles (APPs) – apply to APP entities when handling this information.

For more information on IHIs see the OAIC’s webpage.

Protections for Individual Healthcare Identifiers

The handling of IHIs is regulated through the HI Act, the Healthcare Identifiers Regulations 2020 (HI Regulations) and the Privacy Act. Healthcare identifiers may only be accessed, used and disclosed for very limited purposes.

The HI Act attaches a high standard of privacy protections to IHIs. Criminal and civil penalties may apply if an IHI is used or disclosed by any individual or entity in circumstances not permitted by the HI Act or HI Regulations.

Individuals acting in a personal capacity and entities (such as small businesses) who are ordinarily exempt from coverage of the Privacy Act must be aware that the provisions of the HI Act will apply to their handling of IHIs.

Similarly, the HI Act treats state and territory authorities as ‘organisations’ as defined in the Privacy Act. State and territory authorities are also subject to the Information Commissioner’s investigatory powers under Part V (Investigations) of the Privacy Act in respect of acts and practices relating to IHIs.

Any unauthorised use or disclosure of IHIs is considered to be an interference with privacy under the Privacy Act. As the privacy regulator, the OAIC has a range of functions and enforcement powers to ensure compliance with privacy requirements relating to IHIs.

Tips for good privacy practice

Do not collect a COVID-19 digital certificate – sight information instead

The following applies to anyone, including an individual or entity, who handles IHIs.

    • Under the Privacy Act, you ‘collect’ personal and sensitive information if you include it in a record or generally available publication.
    • To ensure compliance with the HI Act and the Privacy Act, individuals and entities should not collect COVID-19 digital certificates containing an IHI unless absolutely necessary as criminal and civil penalties apply to any unauthorised use or disclosure of an IHI.
    • It will generally be appropriate for you to simply sight an individual’s COVID-19 digital certificate and not collect a copy of the certificate, including an IHI.
    • You can sight an individual’s COVID-19 digital certificate to confirm that they have been vaccinated and make a record of this confirmation – for example, by placing a tick next to a person’s name, without collecting the person’s IHI. This record of confirmation is a collection of sensitive information, so the Privacy Act and the APPs will apply to APP entities who are ordinarily covered by it, but the HI Act will not apply.

More general information on the collection of vaccination status information by entities regulated by the Privacy Act is available here.

If a copy of a COVID-19 digital certificate must be collected, avoid collecting an IHI

    • If an entity is required or authorised to collect proof of an individual’s vaccination status, then it should consider options that do not involve collecting an IHI. For example:
      • ask an individual to provide proof of vaccination which does not contain an IHI. COVID-19 digital certificates linked to a state or territory check-in app do not contain an IHI and can be used to provide proof of vaccination. The front page of a COVID-19 digital certificate downloaded to a digital wallet does not display an IHI.
      • before collecting a copy of a COVID-19 digital certificate which contains an IHI, ask the individual to redact the IHI so that it is not collected into your records.
      • in the event that the individual does not redact the IHI, you should redact it.

COVID-19 digital certificates already collected

    • Consider whether you can remove IHIs from your records if they have already been collected.
    • APP 10 requires APP entities to take reasonable steps to ensure that the personal information they hold is accurate, up to date, complete and relevant. An IHI may not be a relevant piece of information to hold about an individual if an APP entity is not providing a healthcare service. You should remove the IHI if it is not relevant to your functions and advise the individual if you intend to do this.
    • For any IHIs already collected, you must handle and secure IHIs in accordance with the requirements of the HI Act, as set out below.
    • It may not be necessary to retain a copy of a COVID-19 digital certificate. For example, you can delete a certificate and simply note in your records that proof of vaccination has been sighted. If you are an entity that is required to collect a certificate, you could delete the information you hold and ask the individual to provide a new copy without an IHI. This ensures that an IHI is not retained in your records and reflects a data minimisation approach, since you are not holding unnecessary information.
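The redaction steps above (ask the individual to redact the IHI, redact it yourself, or strip it from records already collected) are the kind of job that is easy to get wrong by hand across a stack of stored certificates. The following is an added example, not code from the OAIC guidance, that scans a stored certificate record for IHI-formatted numbers and replaces them before the record is kept; it assumes the 16-digit ISO 7812-style healthcare identifier format with issuer prefix 80036, a sixth digit of 0 for an IHI and a trailing Luhn check digit, none of which the guidance itself states, and the sample record is constructed. It deliberately redacts on prefix and length alone (over-redaction is the safe failure mode for data minimisation) and records only a position and validity flag, never the identifier, so the audit trail is not itself a fresh collection of the IHI.

```python
from __future__ import annotations
import re

# Assumption (not stated in the guidance): Australian healthcare identifiers are
# 16-digit numbers with issuer prefix 80036; sixth digit 0 marks an IHI; the last
# digit is a Luhn (mod 10) check digit.
IHI_PREFIX = "800360"
# The certificate prints the IHI in groups of four, so allow spaces or hyphens.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Standard Luhn mod-10 check over a string of ASCII digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def is_ihi(digits: str, strict: bool = False) -> bool:
    """16 digits with the IHI prefix; strict=True also requires a valid check digit."""
    if len(digits) != 16 or not digits.isdigit() or not digits.startswith(IHI_PREFIX):
        return False
    return luhn_ok(digits) if strict else True

def redact_ihis(record: str) -> tuple[str, list[dict]]:
    """Return the record with IHIs replaced, plus findings that omit the identifier."""
    findings: list[dict] = []

    def replace(m: re.Match) -> str:
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not is_ihi(digits):
            return raw            # other 16-digit numbers (booking refs etc.) stay
        findings.append({"offset": m.start(), "luhn_valid": luhn_ok(digits)})
        return "[IHI REDACTED]"

    return CANDIDATE.sub(replace, record), findings

# Constructed sample record: the IHI is synthetic (prefix 800360 + Luhn digit);
# the booking reference is a 16-digit Luhn-valid number that is NOT an IHI.
SAMPLE_RECORD = (
    "Name: Jane Citizen\nDOB: 01/01/1980\n"
    "IHI: 8003 6012 3456 7894\n"
    "Booking ref: 1234 5678 1234 5670\n"
    "Status: Up to date\n"
)

if __name__ == "__main__":
    cleaned, found = redact_ihis(SAMPLE_RECORD)
    print(cleaned, found)
```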

If you cannot take any of the above steps, understand the privacy obligations

If you have collected an individual’s IHI then you must understand the legal protections that apply to IHIs – including civil and criminal penalty provisions – and handle and protect them accordingly.

More information is set out below.

More information about IHI privacy obligations

The HI Act strictly regulates how IHIs may be handled by healthcare providers and by other individuals or entities who collect IHIs.

A person must not use or disclose IHIs except where they are required or authorised to do so under the Act, or in other limited circumstances. Criminal and civil penalties apply if this obligation is breached.

Generally, only a healthcare provider is permitted to make any use of, or disclose, an IHI.

This means that if you are not a healthcare provider and you have collected a COVID-19 digital certificate which contains an IHI, you cannot use or disclose the COVID-19 digital certificate while it contains the IHI.

You must ensure you take reasonable steps to protect the IHIs from misuse and loss, unauthorised access, modification or disclosure. More information on security is provided below.

Unauthorised use or disclosure of an IHI

Generally, an entity uses personal information when it handles and manages that information within the entity’s effective control. For example, an individual or entity uses personal information when they access and read the personal information or search their records for the personal information. Passing the information from one part of an entity to another, such as between different departments of a business, is also ‘use’ of the personal information.

An entity discloses personal information when it makes it accessible or visible to others outside the entity and releases the subsequent handling of the personal information from its effective control.

IHIs are designed to be used by healthcare providers for the provision of healthcare to an individual. Anyone using IHIs outside of this context must be authorised to do so under the HI Act. Only limited uses and disclosures are authorised by the HI Act and it is unlikely that any of these will apply to the use or disclosure of an IHI on a COVID-19 digital certificate. These exceptions include:

    • where the use or disclosure is required or authorised under the HI Act, or
    • where the use or disclosure is required or authorised under another Commonwealth law, or a court/tribunal order, or
    • where a permitted general situation exists in relation to the use or disclosure of the IHI (as per subsection 16A(1) of the Privacy Act).

Although there is an exception where another Commonwealth law, or court/tribunal order exists, this does not extend to state and territory laws or regulations, including public health orders. This means that, even if you are an entity who is required or authorised by a public health order or direction to collect proof of vaccination, you are not permitted to use or disclose IHIs on a COVID-19 digital certificate. Additionally, whilst the Privacy Act is a Commonwealth law, it does not operate to authorise any uses or disclosures of IHIs as more stringent protections apply to IHIs under the HI Act. A law must expressly require (or necessarily imply) a permitted use or disclosure of an IHI in these circumstances.

In general it is unlikely that any of the permitted general situations referred to by the HI Act apply to permit the use or disclosure of an IHI outside of the healthcare system.

Consequences of unauthorised use or disclosure of an IHI

Criminal and civil penalties apply to anyone who uses or discloses an IHI when they are not permitted to do so, including individuals and entities.

Additionally, if an individual or entity uses or discloses an IHI in circumstances that are not permitted, that action will also be an interference with privacy for the purposes of the Privacy Act and can be dealt with as such under that Act.

This means that the Information Commissioner has powers to investigate any unauthorised use or disclosure of an IHI. The Information Commissioner’s powers extend to those who are not usually bound by the Privacy Act such as individuals, small business operators and state and territory authorities.

Individuals and entities should be aware that accidental uses and disclosures may also be an interference with privacy under the Privacy Act.

Security obligations for IHIs

The HI Act requires entities (including individuals, partnerships, unincorporated associations/bodies, and trusts) to take reasonable steps to protect IHIs from misuse and loss, and from unauthorised access, modification, or disclosure. You will need to action this obligation if you have collected an individual’s IHI.

A failure to take reasonable steps to protect IHIs, regardless of whether it is intentional or inadvertent, is considered an interference with privacy under the Privacy Act.

The Privacy Act also requires APP entities to take reasonable steps to protect personal information (including IHIs) from misuse, interference and loss as well as unauthorised access, modification or disclosure – see APP 11.1. Reasonable steps to protect IHIs may include redacting or deleting IHIs from your records, having appropriate access and ICT controls, staff training or otherwise ensuring appropriate controls. The OAIC’s Guide to securing personal information provides further guidance on how personal information can be protected.

You should establish internal systems or procedures to ensure that IHIs and any information relating to them is deleted once you no longer require it.

If you are no longer legally required to retain proof of vaccination – for example, if public health order requirements change – you should consider whether you can destroy any proof of vaccination you have collected including IHIs.

It is drafted in quite broad and woolly language. That is a common trait, and failing, of guidelines issued by the Information Commissioner.
