Covid-19 Vaccination Records and the Privacy Act 2020
Can the Government keep a record about what vaccinations I have had?
The recent arrival of the Delta variant of Covid-19, in New Zealand has resulted in a huge increase in vaccinations. As a part of this, the New Zealand Ministry of Health (MOH) has created a “COVID Immunisation Register”, also known as the CIR.
The CIR is confidential, and is used by the MOH to store records of immunisation levels within New Zealand. It records all relevant identification details for those people who have received a COVID-19 Vaccination. Examples of this information include; your name, date of birth, health number, address, details about the vaccination/s received and any reactions you had to the virus.
The CIR is accessible by medical professionals. However, the details of workers who are subject to the COVID-19 Public Health Response (Vaccinations) Order 2021 – that is workers who are legally required to be vaccinated – will also be recorded in the Border Workforce Testing Register (BWR). Employers who are required to have their workers vaccinated are able to check this second register to ensure workers that they hire are complying with those requirements.
At first glance, it can be scary to know that MOH is storing this kind of personal information. However, MOH’s record keeping, like all businesses with a presence in New Zealand, is closely regulated by the Privacy Act 2020. This means that, just like anyone else, they have to comply with the rules. While anyone who receives a vaccination will automatically be recorded on the CIR, this is subject to restrictions, namely:
- It will be kept confidential only to those working in the vaccination programme;
- It will be held securely; and
- You can correct your records if they are wrong.
Information from workers who are required to be vaccinated can also be given to their employers, who will be able to use it to ensure they comply with legal requirements, but must otherwise keep it confidential. Employers using this information should also take care to ensure that they comply with their employment obligations when they are doing so.
Privacy Act 2020
New Zealand carefully controls the way all businesses use private or personal information. This is done through the Privacy Act 2020. This Act created 13 Privacy Principles, which are flexible rules which govern the way businesses use our information. They are flexible to make sure that they can always be applied to new technologies. The principles regulate the collection, storage, use and distribution of information by business, including MOH.
The overarching principle relating to the collection of information is ensuring agencies (ie. MOH) are collecting information in manner that is lawful, fair, and not unreasonably intrusive for the individuals concerned. Broadly, this means that MOH needs to make you aware that they are collecting your information (such as your phone number) – they can’t do it covertly. An example of this that you may see often is when you click onto a website, and a “cookie banner” pops up, notifying you that the website is using cookies. If they are going to use it for a particular purpose, they will also usually need your consent.
Once information has been collected, the 2020 Act requires that information be securely stored. It needs to be protected from harm such as loss, unauthorised access, misuse or modification. MOH has confirmed that the CIR operated on a secure platform hosted in Sydney. Only authorised persons can access the register.
Information should only be stored for a limited period of time. A limited period of time is the period for which it is required, and for a reasonable period of time. Here, the purpose of collecting the information is to help control the spread of Covid-19. MOH has indicated that the information will be retained on the CIR for a minimum of 10 years.
Under the Act, the information collected by MOH when administering vaccines can only be used for the purpose for which it was collected – to control the spread of COVID-19. They cannot use the information to contact you needlessly, or send you spam emails.
The only people able to access the information are Ministry staff involved in the vaccine roll out and (in the case of the BWR) employers who need to know if their staff are vaccinated. Employers who are not required to have vaccinated employees will not be able to use the CIR to check up on their workers.
Release outside of the specific reasons why the information was requested will only be possible in special circumstances – such as where you consent, or where there is a legal reason that disclosure is required. Otherwise, you are entitled to expect this information to be kept confidential.
What can I do if I think my privacy rights are being breached?
You are always entitled to get in contact with any organisation holding your information, and request a summary of the information held. This is the same for the MOH. If there are any errors, you are entitled to request that the information be corrected.
If you feel that the a company has breached the Privacy Act, you should get in touch with them. If you aren’t happy with their response, you are able to make a complaint to the Office of the Privacy Commissioner. The Privacy Commissioner than has the power to investigate and rectify the matter. If a business does not comply with the investigation, the Privacy Commissioner can fine them up to $10,000.00.
If you are dissatisfied with the result from the Privacy Commissioner, you can appeal to the Human Rights Review Tribunal. The Tribunal can review further, and also has the power to award damages for emotional harm.
Where We Can Help
The recent changes to the Privacy Act mean that Holland Beckett Law has been advising our clients on all things privacy. This has included updating their online privacy statements, as well as correct practice for businesses to adhere to the new legislation.
We are also providing advice to clients who are affected by the various Covid orders that have been put in place – including the requirement to ensure that employees are vaccinated. This is a difficult area, and we recommend that employers working with the BWR get specific advice about their obligations.
The increasing need to create accurate records with personal information mean that it is important to have people on your side who understand the requirements – like in relation to the CIR and the BWR. We are more than happy to discuss your situation and help you better understand your rights, obligations, and options.