How collecting data on your employees’ COVID-19 vaccination status could end up in a $10 million fine

It’s tough for employers at the moment, trying to navigate the minefield around whether or not to require mandatory COVID-19 vaccinations for their employees. For those who ultimately decide to make vaccination mandatory and to collect evidence of vaccination status, things just got more complicated.

The issue is that in collecting evidence of employees’ and/or clients’ vaccination status, employers are now collecting health data. Businesses that collect health data are subject to the Notifiable Data Breach Scheme (NDBS), regardless of the size of the business. The NDBS requires businesses to take “reasonable steps” to protect data held by the business, with fines of up to $10 million for serious or repeated offences.

For businesses now subject to the NDBS, and for that matter for all businesses given the rising rate of cyber attacks, this is the perfect time to consider how secure your business is against cyber attacks.

For those businesses collecting the Australian Government’s COVID-19 digital certificates as evidence of vaccination status, we strongly recommend removing the Individual Health Identifier (IHI) from those certificates (as seen in the image below). The IHI is a particularly sensitive piece of data subject to its own, much stricter legal obligations, which could see jail sentences of up to five years handed to those responsible for mishandling this data.

Sample COVID-19 Digital Certificate

Protecting data is not just a legal obligation, it’s also good business. If you would like assistance in assessing how secure your business is against cyber attacks or want further information on how to better secure your business, please contact us today.