The legal requirements to destroy vaccination information vary, depending on what law applies.
We have summarised state and territory requirements to destroy vaccination information below.
Note
The information set out in this note does not cover health service providers. If your organisation is a health service provider, it may be subject to different obligations under relevant health records legislation.
If you are not sure whether your organisation’s is required to destroy vaccination information, seek legal advice.
Victoria
In Victoria, vaccination information may only be retained if:
- this is necessary to ensure compliance with an employer's duty of care under the Occupational Health and Safety Act 2004 (Vic) and the Occupational Health and Safety Regulations 2017 (Vic), or
- the information is still necessary for the purpose for which it was collected under the Health Records Act 2001 (Vic)
If the vaccination information doesn’t meet these requirements, it must be destroyed under the Occupational Health and Safety Regulations 2017 (Vic). The deadline to do this was 11 August 2023.
Australian Capital Territory, New South Wales
In the ACT and NSW, vaccination information may only be retained if necessary to ensure compliance with an employer's duty of care under work health and safety (WHS) legislation.
If the vaccine information is no longer needed for the purpose for which it was collected (under the Health Records (Privacy and Access) Act 1997 (ACT) or the Health Records and Information Privacy Act 2002 (NSW)), it must be destroyed or permanently deidentified.
Northern Territory, Queensland, Tasmania, South Australia, Western Australia
In the NT, Queensland, Tasmania, SA and WA, vaccine information may only be retained if necessary to ensure compliance with an employer's duty of care under WHS legislation.
There is no obligation to destroy employees' vaccination information, as this falls within the employee records exemption under the Privacy Act 1988 (Cth). But note that the vaccine information of non-employees must be destroyed if it is no longer needed (Australian Privacy Principle 11.2). Non-employees may include contractors, volunteers, prospective employees and customers.
For further guidance on handling personal information in the context of the COVID-19 pandemic, see the Office of the Australian Information Commissioner (OAIC) website.
The content on this webpage was last updated in October 2023 and is not legal advice. See full disclaimer and copyright notice.
