Small businesses collecting vaccine certificates face serious legal risks

Small businesses forced to comply with vaccine mandates across different states face serious legal risks when collecting and storing the health data of their staff.

The federal government’s digital vaccine certificate includes an Individual Health Identifier (IHI), which is a unique number that’s subject to stringent data security regulations.

In fact, the government considers the handling of the individual health identifier to be so sensitive that it passed specific legislation called the Healthcare Identifiers Act to regulate its use.

Now that many businesses are subject to vaccine mandates, employers are required to collect the digital vaccination certificates of their staff, which include the IHI. 

Anna Johnston, director of the privacy consultancy Salinger and former NSW deputy privacy commissioner, told The Australian Financial Review that penalties for the misuse of health information can include jail.

“I really feel for small businesses in particular,” Johnston told The AFR.

“They probably don’t have the foggiest clue that there are special rules for the use and disclosure of the IHI that, if they breach those rules, expose them to both a civil penalty and a criminal penalty.”

Some large organisations are treating vaccination certificates with extreme caution, deleting emails that contain them and restricting staff from viewing them.

Victoria expanded its vaccine mandate earlier this month, making it a requirement for businesses that have authorised workers onsite to ensure their staff are fully vaccinated by November 26.

Businesses found breaching the public health order risk fines of between $1817 and $10,904.

In NSW, vaccine mandates exist for some industries including education and care, health care, airport, quarantine and transport.

The Northern Territory recently required workers coming into contact with people at risk of severe illness from COVID-19, workers in high risk settings and essential infrastructure workers to be fully vaccinated by December 24.

Josh Cairns, managing business director of Op Central, says many organisations find requesting the personal medical history of their staff uncomfortable.

Op Central, which is a software product for businesses, launched Vax Central earlier this month. The platform provides businesses with a secure solution to upload, store and report their vaccination data.

“We found that for organisations battling through this, there’s a tech aspect in terms of how the data is collected, a legal aspect and a strong social aspect,” Cairns tells SmartCompany.

The platform allows workers to directly upload their vaccination status into the system, without their information being sent to other staff members via email.

Businesses using Vax Central can also restrict access to their workers’ health information, giving only designated staff members the ability to view certain subsets of data.

While the platform doesn’t provide businesses with expert legal advice, it does help them manage their privacy disclosure statements and record keeping policies.

“Businesses with in-house counsel or external lawyers can update every single piece of the terms conditions, whether it be privacy related or whether it’s usage terms,” Cairns says.