OAIC has updated its guidance on "COVID-19: Vaccinations and privacy rights as an employee" and "Vaccinations: Understanding your privacy obligations to your staff". Key points include:

- Vaccination status information can only be collected without consent in circumstances where the collection is required or authorised by law (including a state or territory public health order or direction).
- Only the minimum amount of personal information reasonably necessary to maintain a safe workplace should be collected, used or disclosed.
- Vaccination status information should only be used or disclosed on a ‘need-to-know’ basis.
- You must inform employees about how their vaccination status information will be handled.
- Ensure you take reasonable steps to keep employee vaccination status and related health information secure.