Privacy notice for COVID-19 vaccination providers using the Commonwealth-procured Booking Platform

Find out how we manage any personal information we collect when a vaccination provider has chosen to use the Commonwealth-procured booking platform (Booking Platform) to manage patient appointments for COVID-19 vaccination.

This privacy notice explains how we (the Australian Government Department of Health) manage your personal information, consistent with our obligations under the Privacy Act 1988 (the Privacy Act), when a vaccination provider has chosen to use the Commonwealth-procured booking platform (Booking Platform) to manage patient appointments for COVID-19 vaccination.

We have partnered with HealthEngine Pty Ltd (HealthEngine) to develop and run the Booking Platform.

Many clinics already have an online booking system that will be used for COVID-19 vaccination appointments. This privacy notice does not apply where a vaccination provider has chosen to use a different online appointment booking platform for COVID-19 vaccinations (that could include their existing booking platform).

For clarity, this privacy notice also does not apply where a provider has an existing HealthEngine booking solution that they intend to use instead of the Commonwealth-procured Booking Platform. Those arrangements will be governed by HealthEngine’s Practice Customer Terms and Conditions and are independent of the Booking Platform.

What is the Booking Platform

The Booking Platform is part of our COVID-19 Vaccine Information and Booking Service (CVIBS), which provides Australians with the right information and services they need to get a COVID-19 vaccination.

The Booking Platform has been procured by the Commonwealth as an option for providers who do not already have an online booking solution. It enables these providers to create appointment slots for eligible patients to make an online booking to receive a COVID-19 vaccination. It will be in use from phase 1b of the COVID-19 Vaccine Rollout Program onwards.

COVID-19 vaccination providers can choose to use the non-mandatory Booking Platform only if they don’t have an existing online booking solution. It is for COVID-19 vaccination appointments only, and will not integrate with existing practice management software.

Collection of your information

Providers who wish to use the Booking Platform must advise the Australian Government Department of Health so that they can be onboarded by HealthEngine.

When providers sign up to the Booking Platform, they will be required to provide personal information about their personnel and information about their practice. They will need to provide information as part of their Agreement with HealthEngine including:

  • the legal name of the provider entity
  • the address of the provider’s site
  • information about the provider’s practice such as practice contact details (phone and email), number of practictioners and website details
  • the name and contact details (phone number and email address) of a primary contact and a technical contact
  • the Australian Business Number (ABN) of the legal entity.

Where a provider operates as a sole trader, information about the provider collected by the Booking Platform may also be personal information about the provider.

Providers who sign up to use the Booking Platform to book and schedule COVID-19 vaccinations will need to consent to HealthEngine’s End User Terms and Conditions for the Booking Platform.

Providers can then submit further information about the name(s) of the individual health professional(s) with whom a patient can make an appointment. This is not required by HealthEngine if appointments do not need to be made with individual health professionals.

Uses of your information

HealthEngine will use your information to provide and administer an online booking platform service. This includes facilitating bookings by displaying information about the vaccination providers at your site and available appointment times to the public.

Any personal information provided as a legal entity or for health professionals at a provider’s site will be used in accordance with HealthEngine’s privacy policy and the Department’s Privacy Policy. We recommend that you read HealthEngine’s privacy policy.

HealthEngine is only permitted to use information collected by the Booking Platform for the purposes set out in this privacy notice or as otherwise permitted by the Privacy Act.  

HealthEngine will disclose relevant site details and de-identified booking information to us so we can monitor service capacity.

We may use this information to:

  • contact the Primary Contact or the Technical Contact if needed to support COVID-19 vaccination bookings at the provider’s site.
  • include relevant provider booking information (such as service capacity) in the Vaccine Data Solution as part of our monitoring of the vaccine rollout. The Vaccine Data Solution is a software solution hosted in Australia that we use to monitor coverage and logistics for COVID-19 Vaccines. It generates reports and statistics that will not contain any personal information.
  • share with other entities, such as States and Territories, who are involved in the rollout of the COVID-19 vaccine.

All personal information collected by us will be handled by us in accordance with our privacy policy. If there are significant changes to our use of provider data, we will update this Privacy Notice.

HealthEngine will not hold information collected in the Booking Platform for longer than we require. Providers will be able to receive extracts of the appointments made for their own record-keeping purposes.

After the completion of the COVID-19 vaccine rollout, or at an earlier time chosen by us, the Booking Platform may no longer be required. Providers who wish to use an online booking service beyond this time, or for purposes beyond COVID-19 vaccinations, will need to purchase a solution from the existing market. Providers who wish to choose to use HealthEngine after this time will need to make alternate arrangements with HealthEngine, including accepting the Practice Customer Terms and Conditions for use of HealthEngine’s mainstream booking platform.

Website analytic

When providers use the Booking Platform, HealthEngine will use cookies (small files stored on the providers’ device) to recognise an individual web user as they use the Booking Platform. The cookie identifies a browser or device, not the individual user personally. No personal information is stored within cookies used by the Booking Platform’s website. The information collected includes:

  • the server and IP address
  • the name of the top level domain
  • the type of browser used
  • the date and time they accessed the website
  • how they interacted with our website
  • the previous website  visited.      

HealthEngine will use the above information to understand how the Booking Platform is being used. They may also disclose reports on usage to us.

This helps HealthEngine to improve the Booking Platform and provides a better user experience. The information generated by the cookie may be transmitted to and stored by Adobe, who may use this information for the purpose of compiling reports on website activity for HealthEngine. Demographic and interest reports may be generated. These reports do not identify users personally.

How the Booking Platform stores booking system data

Booking Platform data is stored on HealthEngine’s cloud environment in Australia. HealthEngine is required to meet our requirements for privacy and data security.

Information which is held by us after we receive it from the Booking Platform will be stored in our secure ICT systems in Australia and may be retained in accordance with the Archives Act.

How you can access and correct information

If providers would like to obtain access to or request changes to your personal information you can ask HealthEngine’s Privacy Officer:

  • by letter: Privacy Officer, HealthEngine Pty Limited, PO Box 7754, Cloisters Square, WA 6850, Australia; or
  • by email: privacyofficer [at] (subject: Healthengine%20Privacy%20Policy)

Concerns and complaints

Our privacy policy explains how you can make a complaint if you think we (the Department of Health) have breached:

  • the Australian Privacy Principles
  • the Australian Government Agencies Privacy Code

Our privacy policy also explains how we will manage your complaint.

Alternatively, you can contact HealthEngine:

  • by letter: Privacy Officer, HealthEngine Pty Limited, PO Box 7754, Cloisters Square, WA 6850, Australia; or
  • by email: privacyofficer [at]

More on COVID-19 vaccine privacy

We have taken steps to ensure that the implementation of the the COVID-19 Vaccine and Treatment Strategy is compliant with the Privacy Act 1988 and any other legislation that is relevant to the rollout.

Read more about privacy matters relating to the COVID‑19 vaccine rollout on our COVID-19 Privacy Page.

For general privacy matters, see our privacy page and our full privacy policy.

Departmental privacy enquiries

Contact to find out more about privacy within the department, or to make a privacy enquiry or complaint.

Privacy officer:
privacy [at]
Postal addresses: 
Department of Health
MDP 62
GPO Box 9848
Canberra ACT 2601

View contact

Last updated: 
24 March 2021

Help us improve

If you would like a response please use the enquiries form instead.