We are retiring the Commonwealth Booking Platform (CBP) and the Clinician Vaccination Integrated Platform (CVIP).
All vaccine providers currently using the CBP will need to transition to an alternative booking process or commercially available booking platform by mid-2022.
All vaccine providers currently using the CVIP will need to transition to a commercially available, AIR compliant, vaccination reporting software by mid-2022.
If you require further information regarding the CBP or CVIP please email CV19.Products@Health.gov.au
When this privacy notice applies
This privacy notice explains how we (the Australian Government Department of Health and Aged Care) manage your personal information, consistent with our obligations under the Privacy Act 1988 (the Privacy Act), when uploading your healthcare provider and patient personal information through the CVIP for purposes of uploading to the Register.
What is the CVIP?
CVIP is a tool we have developed to help your healthcare provider meet their mandatory reporting obligations under the Australian Immunisation Register Act 2015 (the Register Act) and to collect critical information (including personal and sensitive information, such as, the main reason you were assessed as eligible for a COVID-19 vaccine) to support government health agencies in implementing vaccination programs. CVIP temporarily stores your information. Your information is deleted from CVIP after your vaccination record has been uploaded to the Register and/or transferred to your vaccine provider, usually within 24 hours.
When you give us your personal information it is used for the following purposes:
- to verify your identity for reporting to the Register;
- to report your vaccination to the Register;
- to allow a healthcare provider treating you to view your Register record including immunisation history;
- to allow vaccine provider’s clinics to produce a list of vaccinations provided through the clinic; and
- to allow Commonwealth and State or Territory government health agencies to monitor the progress of vaccinations.
If you are a vaccine provider, your personal information is also used to create your CVIP account. This is stored in CVIP as part of your user registration.
What is the Register?
The Register is a whole of life, national immunisation register which records vaccines given to all people in Australia. The Register includes vaccines given under the National Immunisation Program, through school-based programs, and privately, such as for seasonal influenza or travel. The Register may also include details of vaccines administered outside of Australia.
The Register came into existence in 2016 when the Australian Childhood Immunisation Register was expanded to become the Register. The Australian Childhood Immunisation Register began in 1996.
Patient information
Information we collect
When you receive a vaccine, your vaccine provider or someone on their behalf in their clinic, may enter your information, including personal information into the CVIP. Some of this information is uploaded to the Register.
For COVID-19 and influenza vaccinations, your vaccine provider will be required by law to report the information to the Register.
The personal information that may be put into the Register includes your name, date of birth, contact details, gender, and Indigenous status, as well as your Medicare number (if any) and healthcare identifier (if any). We may also collect information about previous immunisations administered to you that are recorded in the Register. Other information will also be included in the Register, such as details of the vaccination, and information about the vaccine provider who administered the vaccine.
Information collected by your vaccine provider will only be put into the Register where it is authorised or required by the Register Act. If no matching record is located in the Register, a new record will be created in the Register.
Information we collect to support vaccination programs
In addition to information collected for the Register, we may also collect other information about you in CVIP. This information may be sensitive information, such as the main reason you were assessed as being eligible to receive a COVID-19 vaccine in the relevant phase of the COVID-19 vaccine rollout. We collect it to support the COVID-19 vaccine rollout, this includes monitoring and clinical administration of vaccinations.
If you or your legal guardian provide consent to your vaccine provider, they will also enter into CVIP the main reason you were assessed as being eligible to receive a vaccine. If you do not provide your consent, we will not collect this information, but you will still be able to receive your vaccination (and your vaccination details will still be reported to the Register).
Where your vaccine provider uses the Commonwealth-procured Booking Platform (Booking Platform), your personal information and booking details may be shared from the Booking Platform to your vaccine provider’s CVIP account on the day of your booking so that you do not have to provide it twice.
Why we collect this information
We collect this information so that your vaccine provider can upload information about your vaccination into the Register.
We also collect sensitive information (including the main reason you are eligible for a vaccine if you provide your consent) from you so that reports can be provided to us (the Australian Government Department of Health and Aged Care) or to government health agencies in your State or Territory. These reports are important tools to support government health agencies in monitoring their implementation and the progress of the COVID-19 vaccine rollout, such as how many eligible people in a front-line health role have been vaccinated.
Who can record, use and disclose your personal information through CVIP?
The Register Act and the Privacy Act govern when your personal information can be used and disclosed.
We disclose your personal information to Services Australia to facilitate the verification of your identity, and the upload of your vaccination information to the Register. This may include the details of your Medicare Card Number.
Your vaccine provider can access and upload your personal information through CVIP on to the Register for a purpose permitted by the Register Act. Vaccine providers registered to use CVIP must comply with relevant laws and not publish, distribute, email, transmit or disseminate patient data. This includes the use of any automated scripting tools or software to gain access to consumer data on the CVIP app.
For information on how you can access and correct your personal information in the Register, please see the Register privacy policy.
In addition, your personal information, including the main reason you are eligible for a vaccine (if you have provided your consent), will be included in reports to us or the government health agencies in your State or Territory to support managing and monitoring the implementation of the COVID-19 vaccine rollout. State or Territory health agencies may also use your information with their other clinical datasets for this purpose, in line with the relevant State or Territory privacy legislation or policies and the Register Act.
The Australian Digital Health Agency (ADHA) has been authorised by us, in accordance with the Register Act, to assist with this process if necessary.
Information in the Register is only accessed and transmitted through secure channels.
For details of when information in the Register can be used and disclosed please see the Register privacy policy.
Provider information
Information we collect
We will collect your Provider Digital Access (PRODA) login details and the associated personal information to provision you access to the CVIP as a vaccine provider.
Why we collect your personal information
When you give us your personal information, including the personal information you have stored against your PRODA registration, it is used to:
- verify your identity
- register you as a user in CVIP
- link you to the clinic at which you work.
We preload clinics into CVIP, so you can select which one you are working at the time you are giving vaccinations. Please note that you will use your PRODA login details to access CVIP.
When you give us your personal information, we will:
- store it as long as you have a CVIP account
- delete it when you delete your CVIP account, in accordance with the relevant legislation.
Who can use and disclose your personal information through CVIP?
We may use and disclose your information collected through CVIP. The ADHA is authorised by us to use your information. State and Territory health agencies may also use and disclose your information. The Register Act and the Privacy Act govern when your personal and sensitive information can be used and disclosed.
For details of when vaccine provider information in the Register can be used and disclosed please see the Register privacy policy.
How information is stored in CVIP
The protection of your personal and sensitive information and your vaccine provider’s personal information is something we take very seriously, and we are committed to keeping it secure. We take significant precautions to protect personal information from misuse and loss, and from unauthorised access, modification or disclosure.
We store personal information provided for CVIP on SalesForce. SalesForce is a cloud-based storage solution that we have contracted with to support the functioning of CVIP. CVIP will upload your vaccination details through an automated process.
Accuracy of information
Although we make every reasonable effort to maintain current and accurate information, you should be aware that there is still the possibility of inadvertent errors and technical inaccuracies.
If a patient makes a booking using the Booking Platform and the personal information provided in the booking is incorrect or outdated, the vaccine provider will be able to update it in CVIP to ensure it matches information in the Register. For information on how you can correct your personal information in the Register, please see the Register privacy policy.
We do not warrant that the App is error or virus-free.
Concerns and complaints
Our privacy policy explains how you can make a complaint if you think we have breached:
- the Australian Privacy Principles
- the Australian Government Agencies Privacy Code
The privacy policy also explains how we will manage your complaint.
More on privacy
We have taken steps to ensure that the implementation of the COVID-19 Vaccine and Treatment Strategy is compliant with the Privacy Act and any other legislation that is relevant to the COVID-19 vaccine rollout.
Read more about privacy and security for the COVID‑19 vaccine rollout on our website including:
- the COVID-19 vaccinations privacy notice explains how we collect, use and handle your personal information safely and securely for the COVID-19 vaccine rollout;
- how your information is handled when you register your interest for a vaccination;
- the Privacy Impact Assessments for the implementation of the COVID-19 Vaccine Strategy; and
- privacy notices for individuals and vaccine providers.
For general privacy matters, see our website privacy policy and our full privacy policy.