The Australian Health Protection Principal Committee has been requested last month to reconsider its previous decision against mandating COVID-19 vaccinations for aged care workers. Given the most recent outbreaks in New South Wales and Queensland, and the growing call for accelerating the COVID-19 vaccine roll-out in Australia, businesses will need to be aware of the complexity in managing COVID-19 vaccinations.
Further to our article Barber v Goodstart – can employers now mandate vaccinations in the workplace?, we discuss the issues under the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) that businesses should consider when managing COVID-19 vaccinations as part of their operations.
Businesses should be aware that information about individuals’ COVID-19 vaccination status is health information, which is considered sensitive information under the Privacy Act. Sensitive information imposes higher privacy protections under the Privacy Act.
Businesses are only permitted to collect information about individuals’ COVID-19 vaccination status if the collection is permitted under APP 3. APP 3 sets out the following requirements for collecting sensitive information about an individual, unless required or authorised by law:
Reasonably necessary for a business’s functions or activities
Businesses should have a clear and justifiable reason for collecting individuals’ COVID-19 vaccination status information in order to reach the ‘reasonably necessary’ threshold under APP 3.1 and AP 3.2.
Preventing or managing COVID-19 in the business may be ‘reasonably necessary’ for a business’s functions or activities, however this will depend on the following factors:
Individuals (including employees, contractors, and visitors) must provide adequately informed, voluntary, and current and specific consent to the collection of their COVID-19 vaccination status. This means that businesses must give individuals information as to why the business is collecting this information and the use for that information.
Further, businesses should be aware of the power imbalance between themselves and employees or contractors, and give employees or contractors a genuine opportunity to provide or withhold consent.
Required or authorised by law
There may be limited circumstances where a business may collect sensitive information without consent, as required or authorised by law. Businesses should monitor Commonwealth, State or Territory public health orders to determine whether businesses are required to collect COVID-19 vaccination status of individuals.
If businesses decide to collect COVID-19 vaccination status information, businesses must comply with their obligations under APP 5. APP 5 requires businesses to take reasonable steps to notify employees of certain prescribed information, including:
This requirement is generally met by providing an appropriately drafted privacy collection statement.
The employee records exemption under the Privacy Act only applies to personal information that is directly related to:
Depending on the information a business collects as part of its COVID-19 vaccination status records, not all information relating to its employees may be considered an ’employee record’. Further, businesses should be aware that the employee records exemption does not apply to prospective employees, contractors, subcontractors or volunteers.
We also note that the scope of the employee records exemption was discussed in Lee v Superior Wood  FWCFB 2946. While the subject matter of the case related to whether a direction requiring an employee to consent to biometric scanning is a lawful direction, the Court held that the Australian Privacy Principles apply to employee information from the point of collection, after which the employee records exemption applies. Employers are therefore required to comply with APP 3 and APP 5 in respect of the collection of employees’ personal information.
On this basis, a cautious approach would be to seek the consent of employees prior to collecting COVID-19 vaccination status records, unless there is further guidance released by the Office of the Australian Information Commissioner that a ‘permitted general situation’ exemption applies.
Notwithstanding the employee records exemption where relevant, businesses should apply good privacy practice to their COVID-19 vaccination status records, including to:
Businesses should also beware of making any public statements regarding COVID-19 vaccination status, such as for promotional or advertising communications, which could fall outside the primary purpose for which any relevant personal information was collected from individuals.
For further information, we suggest that businesses review the OAIC’s Coronavirus (COVID-19) Vaccinations: Understanding your privacy obligations to your staff and COVID-19: Vaccinations and my privacy rights as an employee for further guidance.
We are also available to discuss your queries or concerns. For details of all our COVID-19 tips and updates, visit the Gadens COVID-19 Hub.
If you found this insight article useful and you would like to subscribe to Gadens’ updates, click here.
Dudley Kneller, Partner
Raisa Blanco, Senior Associate