There’s no ‘one size fits all’ policy on collecting and managing vaccination records
An employment and privacy law expert is urging bosses to hold off hitting the delete button on their staff vaccination records.
Last week, Newsroom reported some employment lawyers were urging companies to review the information they have on hand, and erase what they couldn’t justify keeping lest they expose themselves legally.
But another employment lawyer is challenging this advice, saying deleting this information is the last thing employers want to be doing.
Christchurch-based employment lawyer Kathryn Dalziel is advising employers in both the private and public sectors to maintain all records on staff vaccinations, along with information on any decisions the employer may have made when rolling out workplace vaccination requirements.
Dalziel, who also sits on the Privacy Foundation New Zealand committee, says the Privacy Act allows for retention of this information.
According to principle nine of the Act, an agency or organisation should not keep personal information for longer than it is required for the purpose it may lawfully be used for.
While principle 10 means organisations can generally only use personal information for the purpose it was collected, there is the capacity for this to be used for different purposes.
“Sometimes other uses are allowed, such as use that is directly related to the original purpose, or if the person in question gives their permission for their information to be used in a different way.”
This is a crucial detail, according to Dalziel, as it means employers are entitled to hold on to that information in case an employment dispute arises, as keeping this as evidence for use in court counts as a lawful purpose.
“Employers need to maintain a record of what was decided at the time and the information on which the decision was based, in case the employee challenges the employer’s decision in respect of the mandate [or workplace vaccination policy],” she says.
“It would be terrible for them to delete that right now.”
Having said that, Dalziel says it’s vital that employers follow principle five of the Privacy Act. This requires employers to securely store records and have reasonable safeguards to prevent loss, misuse, or disclosure of personal information.
Information on vaccination status should not be held on the employee’s general HR file. Instead, it should be held securely and only accessible to privileged staff members who need to use it.
Government agencies aren’t exempt from holding this information tight, either.
“All government agencies should have privacy compliance programmes and assessment, lest they end up like the Waikato District Health Board,” she says.
Govt agency set to hold vaccine records for seven years
While private employers can make the call on whether they keep or discard records, some government agencies will be holding on to this information for years to come.
According to the Public Service Commission, there’s no ‘one size fits all’ policy on collecting and managing vaccination records.
The Ministry of Education is among the agencies opting to keep the vaccination status of its workforce on file for years to come.
Corporate leader Zoe Griffiths says the vaccine mandate covered just over two-thirds of the ministry’s workforce.
As a government agency, it is required to retain information under the Public Records Act. Instead, the nitty gritty of this legislation means the ministry will retain personnel files and information on health, safety and welfare for seven years in general.
This requirement was in place before Covid-19 even existed.
Acting Privacy Commissioner Liz MacPherson says agencies have obligations under both laws.
“If there is an obligation to retain personal information under the Public Records Act, there is an obligation to protect it under the Privacy Act,” she says. “This includes employee records that are current for use as well as those that are gathered for a specific purpose, such as staff vaccination records.”
MacPherson says Government agencies should be ensuring there are controls in place against using or disclosing personal information that is no longer relevant for a current purpose, including suppressing or internally archiving information once it no longer has an ongoing purpose.
Employees can ask their employer about the reasons for keeping such information, how it will be kept safely and the protections in place against continuing use of the information if there is no longer a purpose to do so, she says.
“If the employee is concerned, they can ask for the information to be suppressed on their file if it no longer has an ongoing purpose. This is part of their right to request correction of personal information under the Privacy Act,” she says.
“If not satisfied with the employer’s response, the employee can make a privacy complaint to the Office of the Privacy Commissioner.”