Many employers are asking about the collection and storage of information regarding an employee’s vaccination status and the requirements of the Privacy Act 1988 (Cth) (Privacy Act).
Can an employer require an employee to provide evidence of their vaccination status?
If an employer wants to collect vaccination status information from employees, it must first be satisfied that the collection is permitted under Australian Privacy Principle 3 (APP 3) in the Privacy Act. Under APP 3:
- a business must only solicit and collect personal information that is reasonably necessary for its functions or activities; and
- a business can only collect ‘sensitive information’ from an individual if the individual consents to the collection, unless an exception applies.
Vaccination status information falls within the definition of ‘sensitive information’ in the Privacy Act because it is ‘health information about an individual’.
Individual consent is not necessary where the collection of sensitive information is required or authorised by or under an Australian law. State and Territory public health orders fall within the definition of an ‘Australian law’. At the time of writing, Victoria and New South Wales are the only states with public health orders/directions that require hair and beauty employers to collect and store vaccination status information for their employees and require an employee to provide this information to their employer. In these circumstances, both the employer and employee must comply with the public health order/direction.
What are the requirements for genuine consent?
If there is no public health order/direction in place, a business must obtain the individual’s consent before collecting vaccination status information. For consent to be genuine it must be voluntary, informed, current and specific. In practice this means the business cannot pressure or force an employee to provide information about their vaccination status, and cannot treat a failure to object as consent.
The business must provide the person with adequate information about:
- what information will be collected i.e. vaccination status;
- why it is required; and
- what it will be used for.
The business will also need to inform the individual about whether the information will be disclosed to any third parties.
Can an employer require new employees/candidates/contractors/suppliers/clients to provide vaccination status information?
Employers can ask individuals to supply vaccination status information if the employer is required to collect the information to comply with a relevant public health order/direction requiring vaccination.
Where there is no public health order/direction, the individual will need to provide their genuine consent to collect the information, and the information must be reasonably necessary for the business to perform its functions or activities.
What can a business do with vaccination status information?
If a business is relying on consent as the basis for collecting vaccination status information, that information can only be used or disclosed in the manner the individual agreed to. For example, if a business disclosed vaccination status information to a third party and the individual had not agreed to that disclosure, the disclosure would fall outside the scope of the consent given and would likely be an unauthorised disclosure under the Privacy Act.
Vaccination status information collected under a public health order/direction can only be used for the purpose for which it was collected. In other words, if a business is required to collect vaccination status information in order to determine who is allowed to be on the premises, then that is all the information can be used for.
How should vaccination status information be stored?
Vaccination status information must be stored securely. APP 11 requires a business to take reasonable steps to protect the personal information it holds from misuse, interference and loss, and from unauthorised access, modification or disclosure. Access to vaccination status information should be restricted to the small number of people who need it to perform their role, and the business should record who has access and why.
In addition to the requirements in the Privacy Act, the Healthcare Identifiers Act 2010 (Cth) requires that businesses take reasonable steps to protect any ‘healthcare identifiers’ that the business holds from misuse, loss or unauthorised access, modification or disclosure. An individual’s full COVID-19 Digital Certificate contains the person’s ‘Individual Healthcare Identifier’ and therefore this Act would apply. There are penalties for unauthorised use and disclosure of ‘healthcare identifiers’.
Employers should consider redacting or covering the Individual Healthcare Identifier if they are going to keep copies of digital certificates, since the identifier is not needed to confirm vaccination status and retaining it brings the Healthcare Identifiers Act obligations into play.
What can an employer do if an employee refuses to provide information on their vaccination status?
An employer and employee must comply with any public health order/direction that requires employers to collect, record and store vaccination status information and requires employees to provide it.
Before any disciplinary action occurs for refusing to comply with a direction to provide vaccination status information, the employer should consider the following issues:
- Would terminating the employee’s employment be considered harsh, unjust or unreasonable? If so, the termination could breach the unfair dismissal laws in the Fair Work Act 2009 (FW Act).
- Would taking disciplinary action against the employee be seen to be discriminatory on the basis of a protected attribute (e.g. a disability in the form of a medical condition that prevents vaccination)? If so, this could breach anti-discrimination laws or the general protections in the FW Act.
How long should vaccination status information be kept?
APP 3 only permits a business to collect personal information that is reasonably necessary for its functions or activities, and APP 11.2 requires a business to take reasonable steps to destroy or de-identify personal information once it is no longer needed for any purpose for which it may be used or disclosed under the APPs (unless another law or a court or tribunal order requires it to be retained). As soon as it is no longer necessary to hold vaccination status information, the information should be destroyed or de-identified.
If a public health order/direction regarding mandatory vaccination and collection of vaccination status information is lifted, the employer needs to destroy any digital certificates or other vaccination status records it has kept, unless another law requires the records to be retained.
Where can I find more information about privacy requirements?
The Office of the Australian Information Commissioner publishes guidance for entities regulated by the Privacy Act. The Office has issued guidance on privacy issues relating to COVID-19 vaccinations.