Source: New Zealand Privacy Commissioner – Blog
The vaccine is an essential part of New Zealand’s response to COVID-19 and there is significant interest in the immunisation programme. This interest often has privacy implications. At OPC, we know there is interest from businesses and individuals about sharing a person’s vaccination status – for instance, whether an employer can ask about someone’s vaccination status and how should they ask for it.
A person’s vaccination status is personal information and so falls under the protections laid out in the Privacy Act 2020. However, as we have outlined previously, there are limited situations where an employer can ask for the vaccination status of an employee where they have a legitimate need to know. Justifiable reasons to ask for this can include a legitimate health and safety concern, or where certain roles must be performed by a vaccinated worker, such as staff at an MIQ facility.
An individual’s vaccination status should not be shared, including with other employees, unless it is necessary in the circumstances. Chances are, most people in an organisation won’t need to know about this information, so it is best to ensure access to it is limited to those that do.
An organisation must consider how it gets personal information. They must not collect information in a way which is unreasonably intrusive in the circumstances. This means that even where an organisation has established it has a legitimate reason to request someone’s vaccination status, it cannot be done in a way that is unlawful, unfair, unreasonable or intrusive. Asking for someone’s vaccination status in front of others or in a public space is likely to be an unreasonable intrusion into privacy. Likewise, threatening, coercive, or misleading behavior will be considered unfair.
It is also important to note that while an organisation may have a justifiable reason to know whether a person has been vaccinated, it doesn’t necessarily need to know why a person is unable or chooses not to be vaccinated, and an employee does not have to provide this information.
Each situation will depend on what is reasonable in the circumstances. A good rule of thumb to keep in mind is to ‘put yourself in the shoes’ of the individual concerned and consider how you would like your own information to be treated, and what is a reasonable method for collecting sensitive information.
The vaccination programme is a crucial part of the public health response to COVID-19, but it is important not to lose sight of individual privacy rights. If you think your organisation needs to know whether a person has been vaccinated, we recommend you carefully consider the privacy implications. Why do you need this information? How much information do you need? How do you ask for it in a reasonable, privacy enhancing way? And remember the simple rule – put yourselves in the shoes of the person affected.
This update provides general information about the privacy considerations associated with an individual’s vaccination status. For specific advice, or if you have any concerns about how your personal information is being used, we recommend you contact the relevant organisation or your organisation’s privacy officer.
Additional resources