COVID-19 digital certificate privacy notice

This privacy notice outlines how we manage personal information for the COVID-19 digital certificate.

What information is shown

Your digital certificate shows your COVID-19 vaccination details, as reported to the Australian Immunisation Register by your vaccination provider. It’s available because either:

  • you have received all required COVID-19 vaccinations
  • you have a valid medical contraindication to all COVID-19 vaccinations.

Your COVID-19 digital certificate contains personal information about you. It shows the following information:

  • full name, as recorded on the Australian Immunisation Register
  • date of birth
  • Individual Healthcare Identifier, if applicable
  • COVID-19 vaccination status
  • brand names of the vaccinations you received, if applicable
  • dates that you received the vaccinations, if applicable
  • valid from date
  • valid to date, if applicable.

You are responsible for keeping your COVID-19 digital certificate safe and secure if you choose to do any of these:

  • print your certificate
  • download your certificate to a device, such as a phone or computer
  • store your certificate to a digital wallet
  • share your certificate with a jurisdiction check-in app.

This also applies to your child or dependant’s certificate.

Who we may share your information with

We’ll only disclose personal information in your COVID-19 digital certificate if any of the following apply:

  • we have your consent
  • it’s authorised or required by law
  • it’s otherwise allowed under the Privacy Act 1988.

If you add your digital certificate to a digital wallet

If you add your certificate to Google Pay, you’ll first need to consent to us disclosing the certificate information to Google’s servers, which may be located outside Australia.

If you share your digital certificate with a jurisdiction check-in app

If you share your certificate with a check-in app, we’ll ask for your consent before we share your COVID-19 vaccination information.

With your consent, we’ll share either of the following depending on each jurisdiction’s check-in app requirements:

  • a PDF of your COVID-19 digital certificate
  • a data token.

The data token contains all of the following:

  • certificate document number
  • certificate date of issue
  • full name
  • date of birth
  • brand names of the vaccinations received, if applicable
  • dates the vaccinations were received, if applicable
  • vaccination status
  • digital token generation time.

You can withdraw your consent to share your certificate with a check-in app at any time. You can do this by using the unlink certificate option in any of these:

  • your Express Plus Medicare app
  • your Medicare online account through myGov
  • the Individual Healthcare Identifiers Service through myGov.

After you unlink your certificate, we’ll stop sharing your vaccination status with the check-in app. However, your certificate will remain in the check-in app until you remove it. Your certificate will also remain on the device until you or the device owner delete it.

How to view or correct your personal information

If any of the vaccination details on the certificate are incorrect, ask your vaccination provider to provide the correct details. They can call us on the Australian Immunisation Register line. Call charges may apply.

If you have any questions about the certificate, please call the Australian Immunisation Register. Call charges may apply.

Where to find more information

You can read more about your right to privacy. This includes information about how:

  • we handle your personal information
  • you can make a complaint about a breach of your privacy.

We may update this privacy notice to reflect relevant developments, including in government policy or technology.

Page last updated: 29 October 2021