In July 2023 Part 2.1A of the Amending Regulations (“Collection and use of Covid-19 Vaccination Information) was revoked by the Victorian Government. As a direct result any COVID-19 data that has been collected, recorded or held by employers MUST be deleted. This data could include
- An individual’s COVID-19 vaccination status
- Reasons why an individual did not receive any COVID-19 vaccination
- Details of dates of vaccination and vaccine type
Failure to comply with this requirement may lead to the business breaching health Privacy legislation including the federal Privacy Act 1988.
There is no specific direction on how such information must be destroyed however it has been set out that this should be done by taking ‘reasonable steps’ applicable to the Employer’s business, in a secure manner, and in accordance with any data destruction policy where applicable.
It is suggested that the following steps may be appropriate:
- For paper and/or electronic data: de-identifying the data and ensuring that it cannot be re-identified.
- For paper records: securely shredding or suitably destroying the documents but not via general waste services.
- For electronic records: overwriting files before they are deleted or “double deleting” the files.
It is important to consider all possible data locations for example files shared with others and backups, as well as types of records for example physical and electronic records when undertaking this exercise.