Navigating COVID-19 Vaccination Data: Ensuring Compliance

As of August 11, 2023, Victorian employers have been tasked with a new responsibility – the destruction of all COVID-19 vaccination information collected under the Occupational Health and Safety Amendment (COVID-19 Vaccination Information) Regulations 2022. This article provides employers with an insight into what information must be destroyed and the crucial steps to avoid non-compliance.


A recap of the regulations

The Occupational Health and Safety Amendment (COVID-19 Vaccination Information) Regulations 2022 initially allowed employers to gather COVID-19 vaccination data from ‘specified persons’ as part of their occupational health and safety obligations. These persons encompassed employees, volunteers, students on placement, independent contractors, and their employees. The data included key details such as vaccination dates, administered doses, and medical contraindications preventing vaccination.

However, the landscape changed on 12 July 2023, with the revocation of these Regulations. Employers were granted a 30-day grace period to ensure the destruction of accumulated COVID-19 vaccination data.


What must you destroy?

The COVID-19 data that employers must destroy includes information about:

  • whether and when an employee has received any dose of a COVID-19 vaccination
  • whether an employee was unable to receive a dose of a COVID-19 vaccination or a further dose due to a medical contraindication, an acute medical illness or the person’s age.

This data can be sourced from various channels, including the Australian Immunisation Register Act 2015, medical practitioner letters, or certificates from Services Australia certifying medical contraindications.


Crucial steps to ensure compliance

As employers, adhering to these changes involves several essential considerations:

  1. Open Communication: Employers should transparently communicate with the ‘specified persons’ whose data is being destroyed. This is necessary to keep them informed and respect their privacy.
  2. Secure Destruction: Collaborate with IT experts to ensure irreversible and secure data erasure, safeguarding sensitive health information.
  3. Comprehensive Review: Employers should review records containing vaccination data to ensure full compliance with regulatory mandates.
  4. Review and Confirm: Employers should conduct a meticulous review to confirm that all relevant data has been destroyed. This reinforces both compliance and accountability.
  5. Policy Adjustments: Employers should consider revising policies, procedures, and contracts to align with the new data protection landscape and evolving privacy regulations.


Continuing Data Handling

For those who still require COVID-19 vaccination data for legitimate purposes, compliance with the Privacy Act 1988 (Cth) and the Health Records Act 2001 (Vic) is crucial. Balancing the necessity of data collection with respect for individual privacy rights is key to maintaining compliance and meeting business needs.


What if I have missed the deadline?

Failure to comply with the revocation of these regulations may give rise to a breach of health privacy legislation. This includes the Privacy Act 1988 (Cth) and Health Records Act 2001 (Vic). Both which regulate the handling of health information about Victorians.


Key takeaways

  • From August 11, 2023, Victorian employers are required to destroy all COVID-19 vaccination information.
  • Employers must eliminate details of received doses and medical contraindications.
  • Compliance with the Privacy Act 1988 (Cth) and the Health Records Act 2001 (Vic) remains essential for those continuing to collect such information.



Gladwin Legal are experts in employment and privacy law and have extensive experience in advising businesses. If you require assistance in understanding your legal obligations please contact us at or 1300 033 934.