This privacy notice explains how we, the Australian Government Department of Health, manage your personal information, consistent with our obligations under the Privacy Act 1988 (the Privacy Act), when you make an appointment to get a COVID-19 vaccine through the Commonwealth-procured booking platform (Booking Platform).
We have partnered with HealthEngine Pty Ltd (HealthEngine) to develop and run the Booking Platform. Many clinics already have an online booking system that will be used for COVID-19 vaccination appointments. The Booking Platform has been procured by the Commonwealth as an option for providers who do not already have an online booking solution.
This privacy notice does not apply where:
- your vaccine provider is using a different online booking solution to schedule and manage appointments (that could include their existing HealthEngine booking solution which is covered under a separate privacy policy from the Booking Platform).
- you contact providers directly rather than booking online, even if they may be using the Booking Platform.
What is the Booking Platform?
The Booking Platform is part of our COVID-19 Vaccine Information and Location Service (VILS), which provides Australians with the information and services they need to get a COVID-19 vaccination. It is a Commonwealth-procured online Booking Platform that vaccine providers can choose to use to create and manage appointment slots for COVID-19 vaccinations. It will be in use from phase 1b of the COVID-19 Vaccine Rollout Program onwards.
You will first need to check whether you are in the right phase to receive a COVID-19 vaccine on the Eligibility Checker. If you are eligible, you will be directed to Healthdirect’s Vaccine Clinic Finder to select your preferred vaccine provider.
If your vaccine provider has chosen to use the Booking Platform, you will be able to tell by the co-branded experience across the booking flow and email communications featuring the Australian Government's "COVID-19 Vaccination" logo and a "powered by HealthEngine" logo.
Collection of your information
If you book your vaccination using the Booking Platform, you will be required to sign in or register a new account with HealthEngine.
When you register a new account with HealthEngine, you will be required to set up a password and provide your name and email.
If you are signing in via an existing HealthEngine account and you usually log in via Google, Apple or Facebook, you will instead be asked to login using your email. This will require you to change how your account is authenticated and you will be need to reset your password in order to proceed with making a booking.
Like many other booking solutions in the market, if you make an appointment using the Booking Platform you will also be required to provide personal information, including your:
- Name
- Contact details (address, email address and mobile number)
- Date of birth
- Medicare card details
- Whether you have attended the vaccination provider before
If you are booking on behalf of another person such as a dependent, you will be required to provide the following personal information:
- Name
- Mobile number
- Email.
You can find out more in HealthEngine’s Collection Statement for the Booking Platform and its Privacy Policy for the Booking Platform.
Use and disclosure of your information
HealthEngine’s use and disclosure of information
Any personal information provided by you will be used by HealthEngine in accordance with HealthEngine’s privacy policy for the Booking Platform and our Privacy Policy. We recommend that you read HealthEngine’s Collection Statement for the Booking Platform and its Privacy Policy for the Booking Platform carefully.
HealthEngine will provide your personal information (and that of any person making the booking on your behalf) to your vaccine provider for the purposes of booking and managing your appointment, including rearranging the date and time of your appointment.
Your vaccine provider may use the information for practice management and record‑keeping purposes. This may include using the information for the purposes of reporting into the Australian Immunisation Register (AIR).
Your personal information may also be shared with other Commonwealth-procured systems for the COVID-19 vaccine rollout. We do this to reduce the number of times you provide your personal information and to streamline your vaccine provider’s processes at your appointment. We will only do this where your vaccine provider is using other Commonwealth-procured systems for the COVID-19 vaccine rollout, such as the Clinician Vaccine Integrated Platform (CVIP).
Where your vaccine provider is a government health agency (such as a State or Territory Department of Health) and you have made a booking at their clinic using the Booking Platform, your personal information may be disclosed and used for clinical purposes and/or to monitor the progress of the rollout. The State or Territory Department of Health may also use your information with their other clinical datasets for this purpose, in line with the relevant State or Territory privacy legislation and/or policies.
If your vaccine provider is a provider that has more than one site, your information may be provided to multiple sites.
HealthEngine will not disclose your personal information for secondary purposes, such as direct marketing or research and analysis.
HealthEngine may disclose your personal information to third party service providers (such as IT and software service providers, Adobe Analytics for analysis and quality assurance purposes, security entities that minimise risks and block suspicious behaviour such as Google reCAPTCHA, and its professional advisers such as lawyers and auditors), but only for the purpose of providing goods or services to HealthEngine.
HealthEngine requires their third party service providers to agree to appropriate privacy restrictions, and only permit those service providers to access personal information to the extent needed to provide goods or services to HealthEngine.
HeathEngine will not disclose your personal information to overseas recipients.
HealthEngine will disclose de-identified booking information to us to support the monitoring and progress of the vaccine rollout.
Our use and disclosure of de-identified information
We will use the information to:
- monitor vaccine coverage and logistics for the COVID-19 vaccines rollout. We would include relevant booking information (such as number of appointments made in your postcode) in the Vaccine Data Solution to support this. The Vaccine Data Solution is our software solution hosted in Australia that generates de-identified reports and statistics.
We may share this information where it is required by law and where it is necessary for managing the rollout of the COVID-19 vaccine. This may include sharing the information with other government entities, including State and Territory government entities.
We will not disclose your information to overseas recipients.
See our Privacy notice for COVID-19 vaccinations for information on how we collect, use and handle your personal details when you get a COVID-19 vaccine.
Website analytics
When you use the Booking Platform, HealthEngine will use cookies (small files stored on your device) to recognise an individual web user as they use the Booking Platform. The cookie identifies a browser or device, not the individual user personally. No personal information is stored within cookies used by the Booking Platform’s website. This information is de-identified. The information collected includes:
- the server and IP address
- your login data
- the name of the top level domain
- the type of browser you used
- the date and time you accessed the website
- how you interacted with our website
- the previous website you visited.
HealthEngine will use the above de-identified information to understand how the Booking Platform is being used. They may also disclose reports on usage to us which also includes de-identified information only.
This helps HealthEngine to improve the Booking Platform and provides a better user experience. The information generated by the cookie may be transmitted to and stored by Adobe, who may use this information for the purpose of compiling reports on website activity for HealthEngine. These reports do not identify users personally.
How the Booking Platform stores booking system data
Booking Platform data is stored on HealthEngine’s cloud environment in Australia. HealthEngine is required to meet our requirements for privacy and data security. HealthEngine will only hold information collected in the Booking Platform in accordance with our requirements. Once the Booking Platform is no longer needed, we will require Health Engine to destroy or return the data to us.
Information which is held by us after we receive it from the Booking Platform will be stored in our secure ICT systems in Australia and may be retained in accordance with the Archives Act.
How you can access and correct information
If you would like to obtain access to or request changes to your personal information you can ask HealthEngine’s Privacy Officer:
- by letter: Privacy Officer, HealthEngine Pty Limited, PO Box 7754, Cloisters Square, WA 6850, Australia; or
- by email: privacyofficer@healthengine.com.au
Concerns and complaints
Our privacy policy explains how you can make a complaint if you think we (the Department of Health) have breached:
- the Australian Privacy Principles
- the Australian Government Agencies Privacy Code
Our privacy policy also explains how we will manage your complaint.
Alternatively, you can contact HealthEngine:
- by letter: Privacy Officer, HealthEngine Pty Limited, PO Box 7754, Cloisters Square, WA 6850, Australia; or
- by email: privacyofficer@healthengine.com.au
More on COVID-19 vaccine privacy
We have taken steps to ensure that the implementation of the the COVID-19 Vaccine and Treatment Strategy is compliant with the Privacy Act 1988 and any other legislation that is relevant to the rollout.
Read more about privacy matters relating to the COVID‑19 vaccine rollout on our COVID-19 Privacy Page.
For general privacy matters, see our privacy page and our full privacy policy.