Collecting COVID-19 vaccination certificates from customers or employees poses a serious legal and cyber security risk to businesses that exposes them to lawsuits, hefty fines and even executive jail sentences if the data isn’t handled properly, experts warn.
The risk is so grave that businesses that have already stored images of government-issued vaccination certificates from employees or customers are advised to scour their email or human resource systems and delete the images, or at the very least remove a sensitive piece of information prominent on the certificate that exposes businesses to a “world of data security pain”, one expert says.
As part of state and federal requirements for emerging from pandemic lockdown, businesses are asked to check whether customers and employees are vaccinated before allowing them onto their premises. Businesses storing information about whether someone has been vaccinated are therefore storing health information, quite possibly for the first time, exposing them to the Privacy Act, which requires that they take “reasonable steps” to secure that information, said Anna Johnston, a former NSW deputy privacy commissioner who runs her own data privacy consultancy, Salinger Privacy.
Worse than that, the federal government certificates contain a unique identifier, known as the Individual Healthcare Identifier (IHI), that is covered by its own law, with much stricter data security requirements and with punishments that could include jail if that one piece of data is mishandled. Together with the Tax File Number, the IHI is the most sensitive piece of data used by government, she said. It uniquely identifies Australians for healthcare purposes, far more so than a Medicare number, which can be shared by family members. It is so sensitive that, when it was introduced in 2010, it came with its own privacy legislation, the Healthcare Identifiers Act.
“Including the IHI on the vaccination certificate, which is a document we’re supposed to be showing to our gyms, hairdressers and restaurants, as well as to our employers and customers, was a terrible mistake by the federal government,” she said.
“It’s a bad data-security problem that the government has created.
“I really feel for small businesses in particular. They don’t have an in-house compliance officer telling them what to do. They don’t have an information security officer telling them how to secure these records. They probably don’t have the foggiest clue that there are special rules for the use and disclosure of the IHI that, if they breach those rules, expose them to both a civil penalty and a criminal penalty.
“You face up to two years’ imprisonment for use or disclosure of the IHI for any purpose outside of supporting healthcare. And now that number is on a PDF that is being emailed around willy-nilly.”