The COVID-19 pandemic has required employers to stay across ever emerging issues to ensure compliance with requirements and the implementation of best practice approaches.
This update covers two evolving issues: the use of rapid antigen testing, and the collection of vaccination information, specifically, individual healthcare identifiers.
Rapid antigen testing can be used to test an employee, client or visitor to a premises or office and can deliver a result in a shorter time frame than polymerase chain reaction (PCR) testing. Rapid antigen testing can be used by employers to conduct surveillance testing of employees, clients or visitors. It is not, however, an alternative to effective vaccination against COVID-19.
Rapid antigen testing provides a result in approximately 20 minutes, however, it is not as accurate as a PCR test. If a person has symptoms of COVID-19, is a close or casual contact of someone who has tested positive to COVID-19, or has received a positive rapid antigen test, they should undertake a PCR test as soon as possible.
Rapid antigen testing is now readily available in all Australian states and territories with the exception of South Australia and Western Australia which do not allow for its use to detect or diagnose COVID-19. A list of rapid antigen tests that have been approved by the Therapeutic Goods Administration (TGA) for use in Australia is available here. Testing kits are available in supermarkets and pharmacies as well as online. Testing kits are not covered by Medicare and cost approximately $50 for five test kits.
Whilst there is no requirement for health practitioners to carry out rapid antigen testing, the TGA suggests that for employers, rapid antigen testing should be performed under the supervision of a health practitioner, medical practitioner, paramedic or a person trained in the correct use and interpretation of the test. If using rapid antigen testing in the workplace, employers should ensure that an employee is designated and trained in their correct use, and that a nurse or pharmacist is readily available on the phone or by video conference in order to provide assistance if required. The TGA has published further guidance on rapid antigen testing for employers seeking to use it in the workplace.
Rapid antigen testing can be used as a tool to monitor and control the spread of COVID-19 in the workplace. Whilst it is one appropriate measure, it should be used as part of a broader work health and safety minimisation strategy which also includes undertaking a risk assessment of the workplace, physical distancing practices, hygiene and cleaning, and encouragement of COVID-19 vaccinations or, where applicable, enforcing mandatory COVID-19 vaccinations.
Many states and territories have introduced public health orders or directions requiring that employees be vaccinated against COVID-19 in order to attend for work at an office or various premises. The obligation often lies with employers to collect vaccination information of an employee in order to permit them to attend for work and to ensure compliance with those orders or directions. Vaccination information includes the following:
Various public health orders and directions require that employers collect, hold and store vaccination information of their employees. This can be done in a number of ways including by merely sighting vaccination information and making a record against that employee that they comply with the relevant public health order or direction.
An employer may collect and store vaccination information but should be aware of the specific obligations around maintaining privacy and security of the information as set out below.
As a general guide, employers should seek to collect, use or disclose the minimum amount of vaccination information required to meet their legal obligations.
The Privacy Act 1998 (Cth) (Privacy Act) and Australian Privacy Principles (APPs) cover Australian Government agencies and private sector organisations with an annual turnover of more than $3 million, and some other smaller private sector organisations (such as those which provide health services).
Those employers should be mindful that vaccination information is considered sensitive information under the Privacy Act. Whilst the employee records exemption applies after the collection of sensitive information from an employee, the initial collection of such information is tightly controlled and employers need to be aware of the APPs that govern that collection, namely:
Once the vaccination status information has been collected it may form part of an ’employee record’ and be exempt from the Privacy Act. Notwithstanding this exemption, the Australian Information Commissioner has indicated that they consider that an employer should treat that information consistently with the obligations imposed by APP 11. The security of information obligations require that the employer take reasonable steps to protect that information from misuse, interference, loss, unauthorised access, modification or disclosure.
Similarly, with vaccination information in the form of COVID-19 certificates or records downloaded from MyGov containing an individual’s healthcare identifier, employers must also be mindful that they are required to comply with the Healthcare Identifiers Act 2010 (Cth) (HI Act). Section 27 of the HI Act provides that an entity must take reasonable steps to protect an individual’s healthcare identifier that an entity holds from misuse, interference, loss, unauthorised access, modification or disclosure. This obligation is couched in similar terms to the obligations under APP 11.
In addition to collecting information from employees, many businesses may also be required to collect information from their contractors and visitors to their premises or offices.
In this context, it is particularly important for employers covered by the Privacy Act to be aware that the ’employee records’ exemption does not apply to information obtained from prospective employees, contractors, subcontractors or volunteers. As such, that information must be collected, held and used in compliance with the Privacy Act and the APPs.
If businesses collect and store vaccination information, reasonable steps and strategies that will assist to mitigate privacy risks include:
Employers should consider how best to implement the above in their workplace if collecting and storing vaccination information.
Gadens is able to assist you with any queries you have in respect of rapid antigen testing, privacy concerns or relevant obligations under public health orders or directions.
For details of all our COVID-19 tips and updates, visit the Gadens COVID-19 Hub.
If you found this insight article useful and you would like to subscribe to Gadens’ updates, click here.
Deivina Peethamparam, Partner
Dudley Kneller, Partner
Nakita Rose, Lawyer