COVID-19 | Insight for employers – rapid antigen tests and collection of vaccination information

11 November 2021
Brett Feltham, Partner, Sydney George Haros, Partner, Melbourne Dudley Kneller, Partner, Melbourne Siobhan Mulcahy, Partner, Melbourne Deivina Peethamparam, Partner, Melbourne Steven Troeth, Partner, Melbourne Diana Diaz, Special Counsel, Melbourne

The COVID-19 pandemic has required employers to stay across ever emerging issues to ensure compliance with requirements and the implementation of best practice approaches.

This update covers two evolving issues: the use of rapid antigen testing, and the collection of vaccination information, specifically, individual healthcare identifiers.

What is rapid antigen testing?

Rapid antigen testing can be used to test an employee, client or visitor to a premises or office and can deliver a result in a shorter time frame than polymerase chain reaction (PCR) testing. Rapid antigen testing can be used by employers to conduct surveillance testing of employees, clients or visitors. It is not, however, an alternative to effective vaccination against COVID-19.

Rapid antigen testing provides a result in approximately 20 minutes, however, it is not as accurate as a PCR test. If a person has symptoms of COVID-19, is a close or casual contact of someone who has tested positive to COVID-19, or has received a positive rapid antigen test, they should undertake a PCR test as soon as possible.

Where is rapid antigen testing available in Australia?

Rapid antigen testing is now readily available in all Australian states and territories with the exception of South Australia and Western Australia which do not allow for its use to detect or diagnose COVID-19. A list of rapid antigen tests that have been approved by the Therapeutic Goods Administration (TGA) for use in Australia is available here. Testing kits are available in supermarkets and pharmacies as well as online. Testing kits are not covered by Medicare and cost approximately $50 for five test kits.

What are the conditions for use by employers?

Whilst there is no requirement for health practitioners to carry out rapid antigen testing, the TGA suggests that for employers, rapid antigen testing should be performed under the supervision of a health practitioner, medical practitioner, paramedic or a person trained in the correct use and interpretation of the test. If using rapid antigen testing in the workplace, employers should ensure that an employee is designated and trained in their correct use, and that a nurse or pharmacist is readily available on the phone or by video conference in order to provide assistance if required. The TGA has published further guidance on rapid antigen testing for employers seeking to use it in the workplace.

What benefit does rapid antigen testing provide to employers?

Rapid antigen testing can be used as a tool to monitor and control the spread of COVID-19 in the workplace. Whilst it is one appropriate measure, it should be used as part of a broader work health and safety minimisation strategy which also includes undertaking a risk assessment of the workplace, physical distancing practices, hygiene and cleaning, and encouragement of COVID-19 vaccinations or, where applicable, enforcing mandatory COVID-19 vaccinations.

What is vaccination information?

Many states and territories have introduced public health orders or directions requiring that employees be vaccinated against COVID-19 in order to attend for work at an office or various premises. The obligation often lies with employers to collect vaccination information of an employee in order to permit them to attend for work and to ensure compliance with those orders or directions. Vaccination information includes the following:

  • a COVID-19 certificate downloaded from MyGov;
  • an immunisation history statement from the Australian Immunisation Register (accessible through Services Australia); or
  • a letter from a medical practitioner or medical contraindication certificate.

How do I collect vaccination information from employees?

Various public health orders and directions require that employers collect, hold and store vaccination information of their employees. This can be done in a number of ways including by merely sighting vaccination information and making a record against that employee that they comply with the relevant public health order or direction.

An employer may collect and store vaccination information but should be aware of the specific obligations around maintaining privacy and security of the information as set out below.

As a general guide, employers should seek to collect, use or disclose the minimum amount of vaccination information required to meet their legal obligations.

What privacy concerns should employers be mindful of when collecting vaccination information?

The Privacy Act 1998 (Cth) (Privacy Act) and Australian Privacy Principles (APPs) cover Australian Government agencies and private sector organisations with an annual turnover of more than $3 million, and some other smaller private sector organisations (such as those which provide health services).

Those employers should be mindful that vaccination information is considered sensitive information under the Privacy Act. Whilst the employee records exemption applies after the collection of sensitive information from an employee, the initial collection of such information is tightly controlled and employers need to be aware of the APPs that govern that collection, namely:

  • under APP 3.3(a) employers must have the individual’s consent to collect sensitive information and it must be reasonably necessary or directly related to one or more of the employer’s functions or activities (such as preventing or managing COVID-19 in the workplace). It is important to provide employees with clear and justifiable reasons for the collection of vaccination information for it to be ‘reasonably necessary’ as required under this APP;
  • under APP 3.4 employers may be able to rely on an exception to collect sensitive information where it is authorised by an Australian law or a court or tribunal. Employers in states and territories with public health orders or directions requiring the collection of vaccination information of employees may be able to rely on this exception; and
  • under APP 5 employers must provide adequate notification to employees for the collection of such vaccination information, including the fact and circumstances of collection, whether the collection is required or authorised by law, and the purposes of collection.

Once the vaccination status information has been collected it may form part of an ’employee record’ and be exempt from the Privacy Act. Notwithstanding this exemption, the Australian Information Commissioner has indicated that they consider that an employer should treat that information consistently with the obligations imposed by APP 11. The security of information obligations require that the employer take reasonable steps to protect that information from misuse, interference, loss, unauthorised access, modification or disclosure.

Similarly, with vaccination information in the form of COVID-19 certificates or records downloaded from MyGov containing an individual’s healthcare identifier, employers must also be mindful that they are required to comply with the Healthcare Identifiers Act 2010 (Cth) (HI Act). Section 27 of the HI Act provides that an entity must take reasonable steps to protect an individual’s healthcare identifier that an entity holds from misuse, interference, loss, unauthorised access, modification or disclosure. This obligation is couched in similar terms to the obligations under APP 11.

What about vaccination information collected from non-employees?

In addition to collecting information from employees, many businesses may also be required to collect information from their contractors and visitors to their premises or offices.

In this context, it is particularly important for employers covered by the Privacy Act to be aware that the ’employee records’ exemption does not apply to information obtained from prospective employees, contractors, subcontractors or volunteers. As such, that information must be collected, held and used in compliance with the Privacy Act and the APPs.

What can employers do to mitigate any privacy concerns arising from the collection of vaccination information?

If businesses collect and store vaccination information, reasonable steps and strategies that will assist to mitigate privacy risks include:

  • improved governance, culture and training in relation to the safe collection, storage and disclosure of the information;
  • the introduction of internal practices, procedures and systems which underpin effective privacy compliance;
  • information security practices and procedures which assist to protect the information as required under APP 11 and section 27 of the HI Act;
  • review security protocols to regulate access to the relevant information by authorised personnel only;
  • appropriate use of third party providers with appropriate contractual obligations in place; and
  • implementing a process for the destruction and de-identification of personal information when it is no longer required.

Employers should consider how best to implement the above in their workplace if collecting and storing vaccination information.

Gadens is able to assist you with any queries you have in respect of rapid antigen testing, privacy concerns or relevant obligations under public health orders or directions.

For details of all our COVID-19 tips and updates, visit the Gadens COVID-19 Hub.

If you found this insight article useful and you would like to subscribe to Gadens’ updates, click here.


Authored by:

Deivina Peethamparam, Partner
Dudley Kneller, Partner
Nakita Rose, Lawyer

This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.

Get in touch