As Australia’s COVID-19 vaccination program ramps up, and more working Australians are vaccinated, employers may seek to collect information about the vaccination status of their employees to assist with return to work initiatives and ensure the safety of their workplaces.
However, employers should be aware that there are existing privacy obligations associated with the collection, use and storage of health information which will first need to be considered and that, in many circumstances, employees may be able to decline to provide this information.
Pre-collection obligations
The primary privacy legislation applicable to private sector organisations in Australia is the Privacy Act. Many of the key obligations of the Privacy Act are set out in its Australian Privacy Principles (APPs).
Under the Privacy Act and the APPs, information about an employee’s vaccination status would be considered to be ‘health information’, and therefore handled as a kind of “sensitive information”. More robust privacy protections will apply to such sensitive information.
APP 3.3 provides that sensitive information (such as the vaccination status of an employee) can typically only be collected if:
- the individual involved consents to the collection; and
- the information is reasonably necessary for the functions or activities of the entity collecting the information (in this example, the employer).
If relying on the consent of an employee in order to collect information about their vaccination status, that consent must be freely given. In effect, this means that employers must make sure their employers understand why the information is collected, what they will use it for, and give the employees a genuine opportunity to provide or withhold consent. Employers should take particular caution in seeking such consent, given the very nature and power imbalance in an employment relationship may cause employees to feel pressured or obligated to provide their consent. As explored in our alert in August 2019, the Fair Work Commission has previously suggested that a direction to compel an employee to consent to collection of sensitive information may not be a lawful and reasonable direction and any consent compulsorily obtained pursuant to such a direction would not be considered “genuine consent“.
In addition, the relevant government regulator, the Office of the Australian Information Commissioner (OAIC), recently emphasised that employers must have clear and justifiable reasons for collecting their employees’ vaccination information. According to the OAIC, collecting such information on a “just in case” basis, or purely for monitoring purposes, would be unlikely justifiable as a reasonably necessary collection.
However, if an employer is under any compulsion under Australian law to collect vaccination information, then that would override the general provisions of the Privacy Act. For example, if the laws of any individual States and Territories or the Commonwealth were to come to require that staff in particular fields (such as health or aged care) are vaccinated, then employers in those industries may have a legal duty to collect that information.
Post-collection obligations
Once vaccination information about an employee is collected (in manner which is consistent with the APPs), then that information would form part of their employee record.
The employee records exemption of section 7B(3) of the Privacy Act provides that employers are not required to comply with the APPs in respect of personal information in employee records, where they deal with those records for matters directly related to the employment relationship. In such instances, employers are free to handle that information as they see fit, subject always to any specific requirements under workplace laws (including the Fair Work Act 2009 (Cth) and Division 3 of the Fair Work Regulations 2009 (Cth)). However, as discussed in our alert in August 2019, the Fair Work Commission has made clear that it does not remove the need to seek consent before collecting sensitive information for inclusion in an employee record.
This exemption however does not apply to persons other than employees, such as contractors, prospective employees, volunteers, or employees of another entity. If vaccination information is collected about such persons, then that will need to be handled in the manner outlined in the APPs. This includes taking such steps as are reasonable in the circumstances to protect the information from misuse, interference and loss, and from unauthorised access, modification or disclosure.
The exemption will also not apply once the information leaves the hands of the employer. For example, a consulting firm engaged to assist the employer would remain subject to the APPs when dealing with any personal information contained in the employer’s employee records.
How can we help?
Employers should seek advice before taking any steps to deal with vaccination information, or any other medical information about employees. Our privacy and workplace relations teams are experienced in assisting businesses navigate their privacy and employment obligations, in a COVID-19 context and otherwise. Please contact members of our teams should you need any assistance.
This article was written by Luke Dale, Partner, Clare Raimondo, Partner, Daniel Kiley, Special Counsel, Jessica Nicholls, Special Counsel and Stephanie Leong, Solicitor.
