Should I keep my employee's IHI number?

Edge Legal

31 January 2022

Not if it can be avoided.

Knowing an employee’s vaccination status has been an important tool in managing the risks of COVID-19 in the workplace. However, there are some important privacy obligations placed on employers who hold a record of their employee’s vaccination status.

Whether collected because of a public health direction or an internal risk management strategy, evidence of vaccination is classified as sensitive health information and applies equally to:

(a)a vaccine certificate; and

(b)any record of an employee’s vaccination status (e.g. an excel spreadsheet).

Once collected, the evidence becomes an employee record and is to be treated like any other (e.g. pay slips, leave balances, individual flexibility arrangements etc...).

Individual Health Identifiers

Additionally, government issued vaccine certificates contain an Individual Health Identifier (IHI). IHIs are unique to each person and are used exclusively in the healthcare industry. Consequently, they are an extremely sensitive form of personal information, similar to a Tax File Number.

IHIs have not presented an issue previously, mainly because employers have not historically been required to access and hold medical information relating to their employees. Only within the context of the pandemic and the obligations flowing from Public Health Directions and WHS, has it posed widespread risk.

IHIs have their own, specific privacy legislation which sits on top of an employer’s ordinary obligations when handling personal information under thePrivacy Act. TheHealthcare Identifiers Act2010 carries penalties which may include prison for misuse of an IHI.

Therefore, the storage of IHI’s by an employer should be avoided wherever possible. However, it is made challenging by the inclusion of an individual’s IHI on the top left corner of government issues vaccine certificates.Below are some of the ways employers can manage their employee’s vaccination status, while limiting risk of breaching privacy obligations.

Sighting Only

If no record is kept of an employee’s vaccination status, then privacy obligations in relation to employee records are avoided entirely. Sighting is a worthwhile consideration where employers wish to know the vaccination status of their employees to assess the need to make minor accommodations to the workplace.

However, sighting records is only likely to be available to industries that are not subjected to a government vaccine mandate. Furthermore, it may be less effective where employers are seeking to enforce a workplace vaccination policy through disciplinary action.

Although no record of vaccination exists, employers should respect the confidentiality of their employees.

Sighting and Recording

In some states, employers are required to collect and hold evidence of their employee’s vaccination status. In these circumstances, employers will be unable to simply sight evidence of an employee’s vaccination. However, it will be important to refer to the relevant Public Health Direction for obligations.

Instead of keeping a copy of the evidence itself, it is likely to be sufficient to view the evidence and then record the status on an internal database.

It may involve employees emailing through their vaccine certificate to HR, which once viewed, is immediately deleted. If the certificate is emailed, it is highly advisable to request employees blank out their IHI from any document before sending it through.

Privacy obligations relating to employee records will still apply.

Keeping Vaccine Certificates without IHI

If evidence of vaccination is required to be kept by an employer, then it is highly advisable to request employees blank out their IHI from any document before sending it through. In this way, the most serious risks in relation to privacy are avoided by the employer.

Keeping Vaccine Certificates with IHI

Although it is unlikely to ever be required, if employers wish to keep an undoctored copy of their employee’s vaccination status(including the IHI) it must be provided and stored in a secure way.

Companies such as Optus and Nimbus have adopted policies for storing vaccine certificates, which includes limiting access to particular, trusted employees and encryption of the data.

Several software companies are already putting their hands up to offer an ‘all in one’ style solution which both:

(a)secures the record; and

(b)allows for keeping records current.

Sign up for our 'Tips & Trends' Articles

You will get short, relevant articles on topical areas with actionable steps and real commentary

We care about the protection of your data. Read our Privacy Policy.