Make sure you don’t breach Australian privacy laws when collecting information about workers’ vaccination status.
Vaccination is a tough issue for businesses and staff, many of whom may have already made decisions either way or are in the process of doing so.
But what about the information relating to an individual’s vaccination status? Can it be collected and used by businesses? What happens if a business breaches Australian Privacy Principles when asking for proof of a staff member’s vaccination status?
This is yet another Pandora’s box of potential missteps for businesses.
What are the key issues around requesting proof of a staff member’s COVID-19 vaccination status and recording that data?
Editor’s note: This article is longer than our usual posts and is designed to answer some of the many complex questions around the privacy laws around vaccination data. If you’d like to skip to the question that’s most relevant to you, this article covers:
- Details about the relevant privacy laws
- What happens if businesses break Australian Privacy Principles (APP)
- The rules around collecting vaccine information
- Details about the employee records exemption
- Can employers demand vaccine information?
- When do you need to seek consent from workers to collect vaccine information?
- What are the rules around incentivising vaccination?
- The type of proof of vaccination that’s reasonable for a business to request
- Businesses’ ongoing privacy obligations
- The nature and extent of vaccination information
1. Privacy laws
The Privacy Act 1998 (Cth) (Privacy Act) and the Australian Privacy Principles (APP) apply to many businesses collecting, using, storing and disclosing information relating to staff vaccination status.
The Privacy Act covers Australian government agencies and private sector organisations (including all private health service providers). Some small business operators (organisations with an annual turnover of $3 million or less) are exempt.
Exempt businesses do not need to comply with the APPs but may have other legal obligations restricting their ability to compel staff to provide vaccination information or curtailing the manner in which they may discipline staff who refuse to do so.
In some jurisdictions, entities may also need to comply with State or Territory privacy legislation or privacy principles.
The National COVID-19 Privacy Principles (CPP) also provide a framework for government and business to guide a best-practice approach to the collection of information about vaccination status.
2. What happens if a business breaches Australian Privacy Principles when asking for proof of vaccination?
The Australian Privacy Commissioner may commence proceedings for an act or practice by an entity which contravenes the APPs.
This may occur, for example, after the staff member makes a complaint.
If court action is successful, civil penalties of up to 2000 penalty units (the value of a penalty unit is currently $222) may be imposed. The Commissioner may also take other action, including seeking enforceable undertakings or issuing infringement notices.
3. Collecting vaccination information – what are the rules?
Vaccination information is ‘collected’ for the purposes of the APPs if it is included in a record, for example a record that a business keeps about a staff member.
Vaccination information may be collected if a business records whether a staff member is vaccinated or keeps a copy of evidence of vaccination, such as the online immunisation history statement or a COVID-19 digital certificate from the Australian Immunisation Register.
It may also be collected when there is a statement to that effect on the staff member’s personnel file or the business ticks a box confirming that evidence has been sighted for a particular worker.
Of course, if a business simply sights the vaccination certificate (or other satisfactory evidence) and does not keep any records, there is no collection and the APPs will likely not apply.
Information may also be ‘collected’ by different means, including from another entity (e.g., a vaccination provider), through surveillance cameras of an area in which staff are being vaccinated or from an audit log (e.g., staff using personal/carer’s or other leave for the purposes of vaccination).
4. What about the employee records exemption?
Private sector businesses often rely carte blanche on the employee records exemption.
However, businesses need to remember the employee records exemption does not apply when a business is collecting an employee’s vaccination information, which means in most cases the employer will need prior valid consent. See Jeremy Lee v Superior Wood Pty Ltd [2019] FWCFB 2946 for more details on this.
More generally for the workforce, the exemption does not apply to the collection, use, storage or disclosure of contractors, prospective employees or volunteers’ vaccination information.
Australian government agencies may also need to undertake a Privacy Impact Assessment: Privacy (Australian Government Agencies – Governance) APP Code 2017.
5. Does a business have an unfettered right to demand vaccination information?
Seeking valid consent
APP 3 provides the framework for how businesses may collect vaccination information.
First, the collection must be reasonably necessary for an entity’s functions and activities.
A business may argue that it is reasonably necessary to provide a COVID-safe workplace or COVID-safe services. For example, if staff work face-to-face with vulnerable clients, especially where those clients have requested their service providers to be fully vaccinated. A privacy impact assessment may assist this analysis.
Second, since vaccination information (including status and medical exemptions) is classified as sensitive information, businesses must also seek valid consent from a staff member before collection.
For that consent to be valid:
- adequate information must be provided to staff;
- consent must be voluntary;
- consent must be current and specific (i.e., a general consent under an employment or services contract may not suffice); and
- the person must have the capacity to understand and communicate the consent (e.g., if it is in a contract, the business must explain to the person what it means at the time of signing).
Relevantly also, information provided to staff (or prospective staff) as part of this consent process must comply with the Therapeutic Goods (Restricted Representations – COVID-19 Vaccines) Permission (No. 4) 2021 (see below in question 7).
Circumstances in which businesses do not need consent
In limited situations, businesses may not need consent and may direct their staff to provide this information. Businesses may also be able to take disciplinary action for non-compliance.
For example, consent is not required when collecting data that is:
- required or authorised by a law, including Acts of any Australian jurisdiction, and regulations or instruments made under those Acts (e.g., public health orders); or
- required under a contract (i.e., to provide evidence of vaccination as an ongoing condition of employment) – some host businesses may also be able to avoid the APPs by imposing the requirement through service contracts with labour hire providers.
As an aside, businesses should also have regard to discrimination laws where a job applicant may, for example, have a disability or religious ground which prevents vaccination.
Even if the Privacy Act does not apply to a particular business, mandated collections of information must be carefully managed to avoid legal claims by eligible staff under unfair dismissal, discrimination and possibly as adverse action under general protections laws.
Under general protections laws, while the Privacy Act is not a workplace law, an employee or prospective employee may potentially make a complaint in relation to his or her employment and allege that they have been treated adversely because of that complaint.
6. What should businesses do when seeking consent from staff to share their vaccination information?
If a business decides to collect vaccination information by seeking consent, it must ensure it is transparent about the reasons for its collection and the use of that information (APP 1).
For example, if a business is collecting vaccination information to satisfy requirements under a public health order and the information would be stored for that purpose, staff should be informed of that.
APP 5 also requires a business to take reasonable steps (ideally before collection or soon after) to notify the affected staff:
- of its reasons (e.g., to comply with a public health order or for work safety);
- of the consequences of refusing to provide the information (e.g., a sacking offence or no receipt of a gift/incentive);
- whether the collection is required or authorised by law (i.e., is there a contractual condition, public health order, or is it part of the business’ COVID-safe plan under work health and safety laws?);
- how the information will be used or disclosed (i.e., to assist the business in demonstrating to government authorities that it has complied with the requirements in a public health order); and
- that the business’ APP privacy policy is relevant to accessing or correcting information and provides information about how concerns will be dealt with.
Also, the collection itself must be through fair and lawful means, and must be free of intimidation or deception, otherwise the consent may not be valid.
It may be wise to obtain express consent from staff as it appears that consent may only be inferred in limited circumstances.
7. Is the ‘carrot and stick’ approach helpful when asking about a staff member’s vaccination status?
Where vaccination is not mandated, businesses may face difficulties if they wish to get consent from all staff to keep vaccination records as part of a COVID-safe plan.
On this basis, it may be easier to encourage consent to the collection of vaccination information as part of a work-provided vaccination benefit or incentive. A carrot rather than stick approach.
So, is this legal? Well yes, but any benefit or incentive scheme must comply with the Therapeutic Goods (Restricted Representations – COVID-19 Vaccines) Permission (No. 4) 2021 (Permission).
The Permission requires business communications about COVID-19 vaccines to be consistent with Commonwealth health messaging.
Businesses must not directly or indirectly reference vaccine brands, compare vaccines or reference active ingredients (except through an advertisement of an approved COVID-19 vaccination provider), state that vaccines do not cause harm or side effects, or make any false or misleading statements.
Any offers of benefits or rewards which are made to vaccinated staff are subject to strict conditions under the Permission. For example, offers may only be made to staff who are partly or fully vaccinated in accordance with Australian government requirements, staff must not participate except on the advice of a health practitioner and the offer must not promote a particular vaccine.
Businesses failing to comply with these restrictions may commit an offence, with maximum civil penalties of up to 5,000 penalty units for an individual and 50,000 penalty units for a corporation.
In certain circumstances, it may amount to a criminal offence leading to imprisonment for up to 5 years. See Division 3A – Advertising offences and civil penalties.
8. What type of evidence or proof of vaccination is reasonable for a business to request?
If the APPs apply, the required proof of vaccination must be no more than is reasonably required in the circumstances, and must be held for no longer than is necessary.
However, unless mandated by a public health order, there is no clear guideline on what type of evidence is reasonable in the circumstances.
For example, under the NSW Public Health (COVID-19 Vaccination of Health Care Workers) Order 2021, an employer may request vaccination evidence by way of an “online immunisation history statement” or a “COVID-19 digital certificate from the Australian Immunisation register”.
Alternatively, if a healthcare worker is exempt from the requirement to be vaccinated due to a medical contraindication, the worker must provide a medical contraindication certificate certifying that because of a specified medical contraindication, they cannot have a COVID-19 vaccine.
Where the need to collect vaccination information is less black and white, it may be wise to link the request to an incentive being offered to vaccinated workers. For many staff, the incentive may simply be the ability to return to the workplace.
9. What are the ongoing privacy obligations once vaccination information is collected?
For employees covered by the Privacy Act, the collected information will be held on their employee records and will no longer be subject to the APPs as long as it is only used for the agreed purpose.
However, for all other staff (including volunteers, contractors and prospective but unsuccessful job applicants) that information may only be stored subject to the APPs.
This requires ongoing compliance practices and procedures. Businesses will need to ensure the information is kept accurately, limit its use and disclosure to the purpose for which it was collected (i.e., do not disclose vaccination status more generally) and conduct ongoing reviews and audits to reassess the need to keep the information on an ongoing basis.
Even if not covered by the APPs, businesses will likely wish to comply with these requirements as best practice and to ensure their COVID-safe plans are based on accurate information.
Relevantly, the National COVID-19 Privacy Principles also support a best-practice approach on vaccination records, including data and purpose limitation, taking reasonable steps to ensure information is secure and destroying it when it is no longer needed.
10. Be careful what you wish for – the nature and extent of vaccination information
Businesses need to consider what they will do if staff refuse to provide vaccination information or sufficient medical evidence of a contraindication.
Consistency is best, especially if a refusal leads to dismissal – for example, employees may be able to seek relief under unfair dismissal laws.
In the absence of a mandated requirement to vaccinate, businesses may proceed down the mandatory vaccination path and then find themselves in a quandary where they are compelled to discipline or dismiss a highly valued staff member who elects not to be vaccinated.
Also (and of equal importance), businesses may consider if they need to know the details of staff member’s medical contraindications if the workplace can be made safe through other measures – for example, through rapid antigen testing.
So, should businesses collect vaccination status data from staff, or not?
Ultimately, when deciding whether vaccination information is going to be collected, a business would be wise to consider why it wishes to do so, and whether it is necessary. This assessment may change over time, including if COVID-19 risks diminish and public health orders expire.
In situations where a public health order requires vaccination, this decision is less difficult and vaccination information will be kept in accordance with the public health order. This may also be easier when an employment or services contract lawfully requires the provision of vaccination information as a condition of ongoing employment or engagement. It is likely that many businesses going forward will include such clauses for new staff.
However, where a business simply wants to keep vaccination information as part of its COVID-safe plan and there is no legal basis to compel this, it will be all about obtaining valid consent.
The other alternative is to ask staff members to show the business the online immunisation history statement, COVID-19 digital certificate from the Australian Immunisation Register or other satisfactory evidence, with no record being kept of that sighting. As the information is not collected, the APPs may not apply. However, this may be of little practical utility if a business wishes to use the results to better manage risks to staff and clients, including to document its risk management as part of its COVID-safe plan.
Businesses and government agencies should also keep front of mind that dismissals or adverse treatment of staff (or prospective staff) who are not vaccinated or who do not wish to provide vaccination information to the business may create risks of legal claims, including general protections, unfair dismissal and discrimination as applicable.
This article was first published by Lexology, under the title ‘Staff privacy and vaccination information’, on the 19th of October, 2021. It has been republished and slightly edited with permission.
The information in this article is general in nature, and should not be taken as legal advice. Where necessary, please consult a legal expert for professional and tailored advice that addresses your company’s specific needs.
Very informative. Thank you.
Your comment at point 8: “… For many staff, the incentive may simply be the ability to return to the workplace.” Is keeping your job an incentive or coercion?