Vaccination status and the Privacy Act

06 October 2021

  • Businesses must remember their privacy obligations when collecting vaccination status information (and other sensitive information) about employees, contractors and other visitors to the workplace.
  • Unless collection is required or authorised by law, informed consent is generally required for the collection of sensitive information.
  • Businesses must provide a Collection Notice to all individuals, including employees, even if consent to collection is not required.
  • Only the minimum amount of personal information reasonably necessary to prevent or manage COVID-19 or required by law should be collected, used or disclosed.
    As Australia steadily tracks towards its vaccination targets and a much-anticipated reopening, businesses across Australia are continuing to grapple with ways to best prevent and manage COVID-19 in the workplace. Currently front of mind are vaccination policies for staff and other visitors to the workplace and Government mandated vaccine requirements. For more information on the Victorian Government’s Mandatory Vaccination Directions please see our alert here.

    As a result, businesses continue to collect more sensitive information about employees, contractors and other visitors to the workplace, including vaccination status information and medical certificates for individuals with a medical contraindication.

    It is important to remember that information about a person’s vaccination status and medical certificates are ‘personal information’ which must be collected, used and disclosed in accordance with Australian privacy laws, including the Privacy Act 1988 (Cth) (Privacy Act) and the associated Australian Privacy Principles (APPs). While many Australian businesses are required by law to comply with the Privacy Act and APPs, particularly in relation to vaccination status information, it is best privacy practice for all businesses to comply with the standards set by the Privacy Act and the APPs.

    In what circumstances can businesses collect vaccination status information about employees, labour hire workers, contractors, volunteers, candidates and other visitors to the workplace?

    Vaccination status information is ‘sensitive information’ about an individual and is afforded higher protections under the Privacy Act.

    This means that generally speaking, a person’s vaccination status must only be collected if:

    • the information is necessary for one or more of the business’ functions or activities; and
    • the individual has consented.

    In many cases, it may be necessary for businesses to collect vaccination status information to prevent and manage COVID-19 in the workplace. When considering vaccination information about workers, applicable workplace laws and contractual obligations will impact whether the collection of vaccination status information is reasonably necessary for a business’ functions or activities.

    If vaccination status information is being collected ‘just in case’, or if the purpose for which it is being collected can be achieved without the information, it will be harder to justify the information being collected.

    There are certain circumstances when consent is not required. This includes where:

    • the collection is required or authorised by or under an Australian law; or
    • the information is necessary to prevent or lessen a serious threat to the life, health, safety or welfare of any individual or to public health or safety (and it is impracticable to obtain consent).

    Laws that require and authorise the collection of vaccination status information can include public health orders and directions made by State Governments. For example, this includes the Mandatory Vaccination Directions issued by the Chief Health Officer of Victoria in relation to vaccination requirements for workers attending workplaces (Victorian Directions).

    When relying on the “required or authorised by law” exemption, it is important to understand the specific requirements of the relevant law. The law will dictate what information is “required or authorised” to be collected. In most cases, it will be sufficient to sight an individual’s immunisation certificate or history statement and make a record of you doing so and that the person is partially or fully vaccinated. It is not necessary (nor is it recommended) that businesses collect and store a copy of the certificate/statement.

    Directions and public health orders are constantly being issued and updated, and all organisations should monitor the developments.

    In summary, vaccination status information about workers may be collected if a public health order or direction is in place, which requires that information to be collected. If a public health order or direction does not apply, where a lawful and reasonable direction has been given to workers to be vaccinated, you can ask your workers to provide evidence of their vaccination if you consider this is reasonably necessary and you have obtained their consent.

    In all other cases, businesses may collect vaccination status information if that information is reasonably necessary for one or more of the business’ functions or activities (which may include preventing and managing COVID-19 in the workplace) and the individual consents.

    The above principles apply equally to other types of sensitive information, including medical certificates provided by individuals who have a medical contraindication and may be exempt from vaccination requirements under law.

    Collection Notice and Transparency

    It is important that all businesses are transparent about the reasons why they are collecting vaccination status information and comply with APP 5 when it is collected.

    APP 5 requires businesses that collect personal information to take reasonable steps either to notify the individual of certain matters about the collection or to ensure the individual is aware of those matters at the time personal information is collected (or as soon as practicable thereafter).

    Businesses can comply with this requirement by giving a Collection Notice. The Collection Notice is a statement that sets out (amongst other things) why the information is being collected, how it will be used, who it will be disclosed to, whether it will be disclosed overseas and whether the collection is required or authorised by law.

    Importantly from an HR perspective, employers cannot rely on the employee records exemption to relieve themselves of the obligation to give a Collection Notice to employees. The Full Bench of the Fair Work Commission has previously confirmed that the employee records exemption does not apply until after the information has been collected and held within the employee record.

    This means all businesses must have and distribute a Collection Notice to all employees, contractors, labour hire workers, volunteers, candidates for employment and other visitors to the workplace when collecting vaccination status information.

    A properly drafted Collection Notice can also help obtain valid and informed consent, where required.

    What should businesses do now?

    While the issues around vaccination in the workplace can be confusing, the associated privacy obligations are relatively straightforward.

    If your business chooses or is required to collect vaccination status information about employees, contractors and other visitors to the workplace, we recommend the following tips for minimum best practice compliance:

    • always give a Collection Notice (which complies with the requirements of APP 5) to each individual about whom information is collected (this includes employees);
    • only collect the minimum amount of personal information reasonably necessary to prevent or manage COVID-19 or that is required by law to be collected;
    • once collected, all personal information should only be used or disclosed within and outside your business on a “need-to-know” basis and for the purposes set out in the Collection Notice;
    • have in place clear policies and parameters for destroying/retaining personal information – information must only be retained for as long as is necessary for the purpose for which it was collected (do not hold the information indefinitely); and
    • ensure the information is securely stored.

    Please contact a member of our Privacy & Data Protection team if you would like to discuss these requirements or require practical advice to help your business comply with its privacy obligations.

    You may also find our previous article about the importance of protecting personal information in a pandemic helpful.

    Disclaimer: This publication contains comments of a general nature only and is provided as an information service. It is not intended to be relied upon as, nor is it a substitute for specific professional advice. No responsibility can be accepted by Rigby Cooke Lawyers or the authors for loss occasioned to any person doing anything as a result of any material in this publication.

    Liability limited by a scheme approved under Professional Standards Legislation.

    ©2021 Rigby Cooke Lawyers