Most Victorian organisations that are still storing employee COVID vaccination information have until Friday to delete the data.
The Occupational Health and Safety Amendment (COVID-19 Vaccination Information) Regulations 2022 (Amending Regulations) were set up in 2022. They allowed businesses to collect COVID vaccination information on employees so that the businesses could comply with the relevant pandemic orders. The Amending Regulations were revoked on 12th July 2023. This means you have 30 days from that date to delete the information.
There are significant fines under the privacy legislation if you fail to delete that information by Friday 11th August 2023. It is therefore important that businesses find out whether they are still holding that information electronically or in paper form, and de-identify, shred or destroy it.
Some businesses may have other requirements to collect and store this vaccination information. It is important that they continue to follow those requirements.
Data security and privacy obligations continue to be a key risk for organisations. Your organisation should consider these key processes to ensure you are doing everything you can to protect and secure your data:
- Understand your data storage and privacy obligations and seek legal assistance where needed,
- Undertake a data stocktake: know where your data is held, including with third parties, and how it is protected,
- Consider data storage policies,
- Develop data security controls,
- Undertake employee training to educate your employees about best practices around data security and storage of sensitive information,
- Develop a data breach response plan,
- Identify vulnerabilities and gaps in your controls by undertaking testing,
- Ensure you have robust data disposal processes,
- Ensure you have adequate cyber insurance and are complying with its requirements.