NEW ZEALAND SUPERVISORY AUTHORITY: The COVID-19 vaccination and privacy rights

The vaccine is an essential part of New Zealand’s response to COVID-19 and there is significant interest in the immunisation programme. This interest often has privacy implications. At OPC, we know there is interest from businesses and individuals about sharing a person’s vaccination status – for instance, whether an employer can ask about someone’s vaccination status and how they should ask for it.

A person’s vaccination status is personal information and so falls under the protections laid out in the Privacy Act 2020. However, as we have outlined previously, there are limited situations where an employer can ask for the vaccination status of an employee where they have a legitimate need to know. Justifiable reasons to ask for this can include a legitimate health and safety concern, or where certain roles must be performed by a vaccinated worker, such as staff at an MIQ facility.

An individual’s vaccination status should not be shared, including with other employees, unless it is necessary in the circumstances. Chances are, most people in an organisation won’t need to know about this information, so it is best to ensure access to it is limited to those that do.

An organisation must consider how it gets personal information. They must not collect information in a way which is unreasonably intrusive in the circumstances. This means that even where an organisation has established it has a legitimate reason to request someone’s vaccination status, it cannot be done in a way that is unlawful, unfair, unreasonable or intrusive. Asking for someone’s vaccination status in front of others or in a public space is likely to be an unreasonable intrusion into privacy. Likewise, threatening, coercive, or misleading behavior will be considered unfair.

It is also important to note that while an organisation may have a justifiable reason to know whether a person has been vaccinated, it doesn’t necessarily need to know why a person is unable or chooses not to be vaccinated, and an employee does not have to provide this information.

Each situation will depend on what is reasonable in the circumstances. A good rule of thumb to keep in mind is to ‘put yourself in the shoes’ of the individual concerned and consider how you would like your own information to be treated, and what is a reasonable method for collecting sensitive information.

The vaccination programme is a crucial part of the public health response to COVID-19, but it is important not to lose sight of individual privacy rights. If you think your organisation needs to know whether a person has been vaccinated, we recommend you carefully consider the privacy implications. Why do you need this information? How much information do you need? How do you ask for it in a reasonable, privacy-enhancing way? And remember the simple rule – put yourselves in the shoes of the person affected.

