As part of the Australian Government’s response to COVID-19, a nationwide vaccination program is being rolled out in stages to support access to, and delivery of, safe and effective COVID-19 vaccines and treatments for all Australians (Program). The first stage of the program will treat certain high priority populations (including quarantine, border and front line health care workers) and the remaining stages covering a broader rollout of vaccines to the balance of the adult population. The rollout raises a series of privacy questions and concerns, particularly in relation to the mandatory reporting of vaccinations which is required under the Australian Immunisation Register Act 2015 (Cth). Some of these concerns are discussed below.

Informed Consent

While the Government strongly supports immunisation, it is not mandatory to receive the COVID-19 vaccination. The Australian Government Department of Health, as the Commonwealth Agency responsible for the Program rollout, has released Guidelines for COVID-19 vaccination providers. These Guidelines emphasise the importance of obtaining verbal or written informed consent before administering the vaccine.

The Australian Immunisation Register

The Australian Immunisation Register Amendment (Reporting) Bill 2020 (Bill) amends the Australian Immunisation Register Act 2015 (Cth) (Act) and makes it mandatory for recognised vaccination providers to report specified information in relation to certain vaccines. Prior to the introduction of the Bill, not all vaccine providers were required to record in the Australian Immunisation Register (Register) when a vaccine was administered. This meant that individuals or health professionals would not always have access to vaccination history. The Bill aims to ensure that all vaccination providers report vaccines given, including any COVID-19 vaccine, in the Register for the purpose of improving overall public health.

Under the Act, certain types of information must be input into the Register including but not limited to:

  • identifying information about the patient (such as their full name, date of birth, gender, address, and other identifiers including their Individual Health Identifier);
  • information related to the patient’s health ((such as medical contraindications or natural immunity);
  • the date the vaccination was administered;
  • information relating to who administered the vaccine; and
  • information about the vaccine administered (such as brand, dose number and batch number).

This information must be input into the Register when administering the COVID-19 vaccination.

Who can access this information?

Under section 22(2) of the Act, authorised individuals are permitted to use, disclose and make records of information in the Register. Authorised individuals include but are not limited to:

  • an officer or employee of the Commonwealth or of an authority of the Commonwealth; or
  • a recognised vaccination provider.

Such use and disclosure of personal information is authorised by the Act and consequently “authorised by law” for the purposes of the Privacy Act 1988 (Cth).

If any individual makes a record of, discloses or otherwise uses information on the Register and it is not authorised under the Act then that individual may have committed a criminal offence. Such offence is punishable by imprisonment for 2 years or 120 penalty units, or both (s 23). There, are, however a number of exceptions to this offence, including where:

  • the use or disclosure was made in good faith and in purported compliance with the Act (s 24);
  • where the information is ‘commercial in-confidence’ as defined under section 5 of the Act (s 25); and
  • where the information is disclosed to the person to whom the information relates (s 26).

What about patient rights?

The Act gives individuals a certain degree of control over how their personal information is used or disclosed. Individuals (or a parent or guardian) can request that they not be sent information from the Register, including for example, a reminder that the person is due for a vaccination (s 11(1)). Individuals may also request that personal information from the Register is not disclosed to other entities, such as to a recognised vaccination provider (s11(2)).

Any such request must be made in an approved form (s 11(2)) and the Commonwealth will be required to comply with the request as soon as practicable (s 11(3)).

It is critical that individuals are made aware of their rights under the Register when receiving the COVID-19 vaccination. This is particularly the case as Australians are reluctant to disclose health information. In its 2020 Australian Community Attitudes to Privacy Survey (Survey), the Office of the Australian Information Commissioner (OAIC) found that approximately 60% of Australians are reluctant to provide medical or health information to a business, organisation or government agency. Approximately 8% more are reluctant to provide these kinds of information than any other kind of information. Interestingly, the Survey showed that 53% of Australians are comfortable with their personal information, including health information being shared to combat the coronavirus.

Moving Forward

A successful rollout of the Program is contingent upon ensuring the public trust the Australian Government, particularly in its use, disclosure and protection of personal information collected pursuant to the Program. Ensuring the rollout meets legislated privacy requirements will assist in fostering that confidence.

For more information, get in touch with us today.