COVID-19 | Vaccinations and privacy – what can businesses ask individuals about COVID-19 vaccinations?

7 July 2021
Dudley Kneller, Partner, Melbourne; Raisa Blanco, Special Counsel, Melbourne

The Australian Health Protection Principal Committee was requested last month to reconsider its previous decision against mandating COVID-19 vaccinations for aged care workers. Given the most recent outbreaks in New South Wales and Queensland, and the growing call for accelerating the COVID-19 vaccine roll-out in Australia, businesses will need to be aware of the complexity in managing COVID-19 vaccinations.

Further to our article Barber v Goodstart – can employers now mandate vaccinations in the workplace?, we discuss the issues under the Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) that businesses should consider when managing COVID-19 vaccinations as part of their operations.

Can businesses ask individuals if they have received COVID-19 vaccinations?

Businesses should be aware that information about individuals’ COVID-19 vaccination status is health information, which is considered sensitive information under the Privacy Act. Sensitive information attracts higher privacy protections under the Privacy Act.

Businesses are only permitted to collect information about individuals’ COVID-19 vaccination status if the collection is permitted under APP 3. APP 3 sets out the following requirements for collecting sensitive information about an individual, unless required or authorised by law:

    1. the collection of the sensitive information is reasonably necessary for one or more of the employer’s functions or activities; and
    2. the employee consents to the collection of the sensitive information.

Reasonably necessary for a business’s functions or activities

Businesses should have a clear and justifiable reason for collecting individuals’ COVID-19 vaccination status information in order to reach the ‘reasonably necessary’ threshold under APP 3.1 and APP 3.2.

Preventing or managing COVID-19 in the business may be ‘reasonably necessary’ for a business’s functions or activities; however, this will depend on the following factors:

    1. whether there is public health advice that recommends the collection of COVID-19 vaccination status for managing workplace health and safety;
    2. the health and safety risks in the business’s specific sector or industry; and
    3. applicable workplace laws and contractual obligations.


Individuals (including employees, contractors, and visitors) must provide adequately informed, voluntary, and current and specific consent to the collection of their COVID-19 vaccination status. This means that businesses must give individuals information as to why the business is collecting this information and the use for that information.

Further, businesses should be aware of the power imbalance between themselves and employees or contractors, and give employees or contractors a genuine opportunity to provide or withhold consent.

Required or authorised by law

There may be limited circumstances where a business may collect sensitive information without consent, as required or authorised by law. Businesses should monitor Commonwealth, State or Territory public health orders to determine whether businesses are required to collect COVID-19 vaccination status of individuals.

If businesses are collecting COVID-19 vaccination status records, what notices should businesses provide to individuals?

If businesses decide to collect COVID-19 vaccination status information, businesses must comply with their obligations under APP 5. APP 5 requires businesses to take reasonable steps to notify employees of certain prescribed information, including:

    1. the fact and circumstances of collection;
    2. whether the collection is required or authorised by law; and
    3. the purposes of collection.

This requirement is generally met by providing an appropriately drafted privacy collection statement.

Does the employee records exemption apply to COVID-19 vaccination status records?

The employee records exemption under the Privacy Act only applies to personal information that is directly related to:

    1. the current or former employment relationship between an employer and their employee; and
    2. an employee record held by an employer relating to the employee.

Depending on the information a business collects as part of its COVID-19 vaccination status records, not all information relating to its employees may be considered an ‘employee record’. Further, businesses should be aware that the employee records exemption does not apply to prospective employees, contractors, subcontractors or volunteers.

We also note that the scope of the employee records exemption was discussed in Lee v Superior Wood [2019] FWCFB 2946. While the subject matter of the case related to whether a direction requiring an employee to consent to biometric scanning is a lawful direction, the Court held that the Australian Privacy Principles apply to employee information from the point of collection, after which the employee records exemption applies. Employers are therefore required to comply with APP 3 and APP 5 in respect of the collection of employees’ personal information.

On this basis, a cautious approach would be to seek the consent of employees prior to collecting COVID-19 vaccination status records, unless there is further guidance released by the Office of the Australian Information Commissioner that a ‘permitted general situation’ exemption applies.

What other considerations should businesses take into account?

Notwithstanding the employee records exemption where relevant, businesses should apply good privacy practice to their COVID-19 vaccination status records, including to:

    1. limit the collection, use or disclosure of such personal information to what is reasonably necessary to prevent and manage COVID-19;
    2. keep such personal information secure, current and up-to-date; and
    3. only retain such personal information for the period reasonably necessary to prevent and manage COVID-19.

Businesses should also beware of making any public statements regarding COVID-19 vaccination status, such as for promotional or advertising communications, which could fall outside the primary purpose for which any relevant personal information was collected from individuals.

For further information, we suggest that businesses review the OAIC’s Coronavirus (COVID-19) Vaccinations: Understanding your privacy obligations to your staff and COVID-19: Vaccinations and my privacy rights as an employee.

We are also available to discuss your queries or concerns. For details of all our COVID-19 tips and updates, visit the Gadens COVID-19 Hub.



Authored by:

Dudley Kneller, Partner
Raisa Blanco, Senior Associate

This update does not constitute legal advice and should not be relied upon as such. It is intended only to provide a summary and general overview on matters of interest and it is not intended to be comprehensive. You should seek legal or other professional advice before acting or relying on any of the content.
