Should employers keep Covid-19 vaccine records?

26 Apr 2022
Author: Andrea Twaddle
With Government protections in managing Covid-19 being eased, along with the removal of vaccination mandates in many sectors, employers have sought clarity regarding whether to keep or delete Covid-19 vaccine records. In this article, we set out steps for employers to follow in order to meet their obligations.

Privacy Act Obligations

The collection, retention and storing of personal information, including sensitive medical information such as vaccine records, is governed by the Privacy Act. 

  • Information Privacy Principle 9 provides that an agency (i.e. employer or contracting organisation) should not keep personal information for longer than is required for the purpose it may be lawfully used for.
  • Information Privacy Principle 10 governs use of personal information. It provides that an agency holding personal information that was obtained in connection with one purpose may not use the information for any other purpose, unless the agency believes, on reasonable grounds, that the use is directly related to the original purpose, or the person gives their permission for the information to be used in a different way.

Advice for employers

We recommend that employers [1]:

1.      Review the initial request to collect information, and the purpose for which the vaccination record was obtained. For many, this was associated with a risk assessment for Covid-19 within the workplace, and/or, to ensure that the organisation was able to meet Covid-19 Health Orders regarding mandatory vaccination.

Keep a record of those communications.

2.      Consider whether the organisation reasonably requires the personal information for the purpose it was collected for, or, for a use directly related to it.

3.      Decide whether to retain the personal information or not. Consider whether all personal information needs to be retained. For example, vaccine passes may be obsolete as an accurate record of vaccination status, but a record of the worker having a second vaccination or booster, and on what date, may not.

4.      If you are retaining the personal information, ensure that it is stored securely, with reasonable safeguards to prevent loss, misuse or disclosure of personal information (as required by Information Privacy Principle 5). 

We recommend that a separate, secure file is kept for Covid-19 vaccine records, with a limited number of authorised persons who can access the file, to ensure that it is only accessible to those who need to use it.

5.      Communicate with your workers. If you wish to retain the information, let workers know:

a.      The reason for the organisation wishing to retain the information (i.e. while Covid-19 remains in the community, there are health and safety risks that may need to be reassessed, e.g. an assessment about whether a certain role is required to be performed by a vaccinated person);

b.      Who to raise any questions or concerns with;

c.      Your reassurance to workers regarding the safeguards in place for the secure storage of their personal information.

If you are looking to delete the personal information, ensure that workers are informed, and that all data is fully and securely deleted, and personal information documentation is disposed of safely (e.g. shredding).

6.      If you are retaining the vaccine records in the short term, put review mechanisms in place to reconsider the decision in the future.

Employment obligations, including communicating in good faith and taking all practicable steps to maintain a healthy and safe work environment, are particularly important where there is a changing environment. Clear communication can minimise the inherent stress that can come from such uncertainty. Employers should also be mindful that meeting privacy obligations, particularly with highly sensitive information such as personal health information (i.e. vaccine records), contributes to trust and confidence, which are critical to the employment relationship.

For questions relating to employment, health and safety and privacy matters, please do not hesitate to contact our specialist team at DTI Lawyers on 07 282 0174 or email us directly.


[1] We note that this advice is for private organisations. Government organisations are required to retain personal information under the Public Records Act for seven years, alongside the obligation to protect it under the Privacy Act.

About the Author
Andrea Twaddle
Andrea is an experienced specialist employment lawyer and Director at DTI Lawyers. She advises on contentious and non-contentious employment law issues, including privacy, and health and safety matters. Andrea is AWI-CH qualified, and undertakes complex workplace investigations. She is a member of the national Law Society Employment Law Reform Committee, a former Council Member at the WBOP District Branch of the Law Society, and Coordinator of the WBOP Employment Law Committee. Andrea is a sought-after commentator and speaker on employment law issues at client and industry seminars. She provides specialist, strategic advice to other lawyers, professional advisors and leadership teams. You can contact Andrea at