Privacy notice for vaccination providers using the COVID-19 Vaccine Administration System (CVAS)
Find out how we manage any personal information we collect in relation to the COVID-19 Vaccine Administration System (CVAS).
This privacy notice explains how we (the Australian Government Department of Health) manage your personal information, consistent with our obligations under the Privacy Act 1988 (the Privacy Act), in relation to the COVID-19 Vaccine Administration System (CVAS).
The CVAS is a digital ordering and inventory management system that vaccination providers can use to order COVID-19 vaccines and related products, as well as report delivery acceptance, stock on hand and wastage.
The CVAS will collect some personal information about the legal entities for the business and the individuals who are nominated by the vaccination provider as contacts to facilitate the delivery of the vaccines and other products to the vaccination provider (Distribution Contacts). If a vaccination provider operates as a sole trader, information about the provider collected by the CVAS may also be personal information of the individual operator of that business.
Information we collect and store in the CVAS
Vaccination providers who have been onboarded to the Australian COVID 19 Vaccine Roll out Program by the Department of Health are able to use the CVAS. We will use the existing information in your Expression of Interest (EOI) to be a COVID-19 vaccination provider application so you do not have to provide it twice. We may collect some of it directly from you where it has not already been provided. This will include:
- the name and address of the provider’s site
- the legal name of the provider entity
- contact details of the provider’s Distribution Contacts (that is, the individuals who have been nominated as the primary and secondary contacts for the delivery of vaccines and related products to the provider)
- relevant business details to verify your site (including the provider’s Australian Business Number (ABN) and Australian Company Number (ACN) (if relevant)).
If you are nominated as a Distribution Contact for the vaccination provider, we will collect your name and contact details.
General Practices will be assigned a Site Identifier for the CVAS linked to the ‘Practice Incentives Program’ (PIP) number that we hold for the provider in our existing Enterprise Data Warehouse. For other providers, we will use the provider’s ‘AIR provider number’ as the Site Identifier. This is the number that is provided for the vaccination provider organisation for the purposes of the Australian Immunisation Register. The AIR provider number will be stored in the CVAS.
We will also collect information in the CVAS about vaccine vials and batches, consumables and stock used or wasted.
Why we collect and store this information
We collect information in the CVAS, including the non-personal information, to help us effectively manage the rollout of the COVID-19 vaccination program across Australia. This includes monitoring service capacity, stock levels of COVID‑19 vaccines, and other components of the COVID‑19 vaccine rollout, and includes undertaking analysis and reporting of these matters.
We collect the personal information about Distribution Contacts to facilitate the delivery of the vaccines and related products that have been ordered by the vaccination provider.
How we use and disclose information from the CVAS
We will use the information collected from the vaccination provider’s EOI to:
- create and populate an account for the vaccination provider in the CVAS
- verify the type of Site Identifier that is required, and to generate the Site Identifier for the vaccination provider (this will include using the provider’s ABN provided to obtain relevant the PIP number or AIR provider number from our other systems)
- generate and send on-boarding materials and access codes to the provider, to allow the provider to register its Users and use the CVAS
- operate the CVAS, including storing and displaying information about the vaccination provider, and its Users and Distribution Contacts, so that the information does not need to be provided a second time.
We will disclose logistics (including site details and details about orders for vaccine and related products) and the contact details for Distribution Contacts, to our Logistics and Distribution Partners, who will deliver the vaccines and related products to the vaccination provider’s site.
We may disclose provider (site) information to other entities, such as State or Territory governments, for the purposes of facilitating or monitoring the vaccine rollout.
Site information and clinic email addresses are provided to the Australian Digital Health Agency (ADHA) to set up providers with the Vaccine Clinic Finder Connect system. This enables providers to directly manage and update their clinic details on the Vaccine Clinic Finder.
In order to monitor the COVID-19 vaccine rollout, we intend to transfer site-related information such as the site type (ie, General Practice) and site location, vaccine and vaccine product information, from the CVAS into a Vaccine Data Solution (Data Solution). However, personal information about Users and Distribution Contacts (including contact details) that are stored in the CVAS will not be transferred to the Data Solution. The Data Solution is a software solution hosted in Australia that we use to monitor coverage and logistics for COVID-19 Vaccines. The Data Solution generates reports and statistics that do not contain any personal information.
In future, we may also transfer some information from the CVAS into other systems, to support the vaccine rollout or meet our obligations under the Archive Act. If this happens, we will update this Privacy Notice, and may take other steps as reasonable to notify vaccination providers, Users, and Distribution Contacts.
How information in the CVAS is stored
The information collected in the CVAS is stored in a secure cloud service using a Salesforce platform and hosted on Amazon Web Services. The information is stored in Australia.
Our ICT service providers responsible for managing and operating the CVAS may also have access to information stored in the CVAS for system maintenance and upgrades, but they must meet our strict requirements for privacy, confidentiality and security.
Our data partner who manages the cloud service must meet our requirements for privacy, confidentiality, and data security. This includes complying with the Privacy Act and protecting data from misuse, loss, corruption and unauthorised access or disclosure.
How you can access or correct your information
If you need to correct information that you have inputted into the CVAS and you have access to the CVAS, you can make amendments directly in the CVAS. If you need further assistance, you can contact the Vaccine Operations Centre (VOC) at 1800 318 208 (7 am – 10 pm AEST).
We will retain your data in the CVAS in accordance with any requirements under the Archives Act.
Concerns and complaints
- the Australian Privacy Principles
- the Australian Government Agencies Privacy Code
More on privacy
We have taken steps to ensure that the implementation of the the COVID-19 Vaccine and Treatment Strategy is compliant with the Privacy Act 1988 and any other legislation that is relevant to the rollout.
Read more about privacy matters relating to the COVID‑19 vaccine rollout on our COVID-19 Privacy Page.
Departmental privacy enquiries
Contact to find out more about privacy within the department, or to make a privacy enquiry or complaint.