Policies and procedures for vaccination privacy
The best policies and procedures are simple, accessible and usable. They reflect that privacy law is basically about treating personal information carefully and respectfully.
Some of the worst types of policies are those that are excessively long and make privacy very complex.
Today, we look at policy and procedure implications of some rules of the Privacy Act 2020 as they relate to workplace vaccination requirements. We keep it simple.
Less is best – 3 Privacy Principles
Information Privacy Principles 1, 9 and 10 stipulate requirements for collecting, using, storing and sharing personal information. They are important and relevant to the collection and use of vaccination information from kaimahi/staff.
Privacy Principle 1 requires that only information relevant to the purpose should be collected.
Privacy Principle 9 prescribes that personal information should not be retained for longer than necessary, and Privacy Principle 10 that you can’t use personal data for purposes other than the reason it was collected.
So … don’t collect more than what is needed; don’t keep or use more than you need; and stick to the initial purpose for collecting the information. If it’s sufficient to sight personal information like vaccination information, then do that. Don’t record or photograph what you don’t need.
Vaccination information for mandated staff
Public health orders mandating vaccinations require health, disability, education and prison-related services to collect and record vaccination information about kaimahi/staff, including details about:
- whether they are in a mandated
- any doses of a COVID-19 vaccine the person has received, or
- the dates by which vaccination must be and was achieved
- whether the person relies on an exemption
- written verification of an exemption if relied on
- other criteria specified in law.
The legislation requires a written record or, if the record is digital, that the information be easily accessible and able to be converted into written form.
Information collection for non-mandated workforce
For other kaimahi whom an organisation decides, after risk assessment, should be vaccinated, there are no legislated requirements about collecting and using vaccination information. Not yet anyway.
For this category, the Information Privacy Principles should be applied carefully and cautiously.
Your purpose, when collecting the vaccination/exemption information, is king. Your purpose is to manage risks to the health and safety of your client group and other staff.
It should determine what information you collect, why you collect it and how long you retain it.
Keep this purpose in mind when deciding how to collect the information. Is it sufficient to sight evidence of full vaccination or is more recording necessary? Be guided by the purpose when deciding what vaccination information to collect.
Don’t forget to tell
Information Privacy Principle 11 limits the disclosure of personal information to third parties to cases where consent is given and a limited range of other situations.
It means that when collecting information about vaccination status, you need to inform staff that you may need to share their information with the Ministry of Health, WorkSafe and any other entity that may require your staff to be vaccinated.
On the other hand, if you’re collecting vaccination information from whānau/clients accessing your social, education or health service – then you will need to tell them that the purpose is to mitigate health and safety risks in service delivery. On this basis, different information may be required from a non-vaccinated person and a vaccinated person because the health and safety implications will be different.
Your policies and procedures…
A policy and procedure to guide your approach to collecting and managing vaccination information about kaimahi/staff is crucial at this time. Keep it simple!