Collection of COVID-19 Vaccination status – What employers need to know

Written by Stuart Hutton, Anita Luo and Victoria-Jane Otavski.

With the return to office premises and places of work now underway, businesses are asking whether they can require their employees, contractors, clients and visitors to provide evidence of their COVID-19 vaccination status and whether they can collect that information. On the other hand, employees, contractors, clients and visitors want to know: do businesses have a right to collect health information, and what are businesses doing to protect individual privacy?

The cryptic yet onerous government mandates and NSW Public Health Orders (PHOs) relating to specific freedoms for fully vaccinated individuals have led to widespread speculation and analysis of the rights of businesses across all industries to collect such information.

The primary legislation in Australia that deals with requesting, collecting, holding and using personal information is the Privacy Act 1988 (Cth) (Privacy Act). Information about one’s vaccination status falls under a particular subcategory of personal information in the Privacy Act called “sensitive information”.

Does the Privacy Act permit businesses to collect this sensitive information? Well, it depends.

Unless an exception under the Privacy Act applies, businesses should only collect vaccination status information if:

  • the person consents to its collection; and
  • the information collected is reasonably necessary for the functions and activities of the business.

One exception is where the collection is required or authorised by law.

There are a few questions that businesses should ask before collecting the vaccination status of those concerned.

1. When does the Privacy Act apply to businesses?

Generally speaking, the Privacy Act only applies to organisations generating annual revenues in excess of $3 million per annum. It is important to ascertain whether your organisation is covered by the Privacy Act, as it imposes ongoing obligations such as maintaining a compliant Privacy Policy. If you are uncertain about whether your business has an obligation to comply with the Privacy Act, the Automic Legal team can help you assess your situation and privacy obligations.

2. Can my business collect vaccination information about its customers?

The latest NSW PHOs have identified a range of businesses that must take reasonable steps to ensure unvaccinated adults are not on their premises.[1]

Businesses in these industries have the right to request proof of COVID-19 vaccination and are obliged to refuse entry to persons who are unvaccinated, regardless of whether the Privacy Act applies to them. Those businesses may collect COVID-19 vaccination status information of their clients, customers or visitors if it is reasonably necessary for them to comply with the PHO.

3. What if my business is not in an industry listed in the PHO?

Businesses which are not specifically covered by the NSW PHOs may face additional barriers under the Privacy Act if they plan to collect COVID-19 vaccination status information of their employees and customers.

There are a few things that you can do to protect your business from contravening privacy laws.

Merely sight proof of vaccination

The Privacy Act provisions will only apply where data is collected and held by an entity. If you merely sight the proof of a COVID-19 vaccination certificate and make no formal record of the result, the Privacy Act provisions will not apply.

This may be useful in certain situations where individuals infrequently visit your premises (for example your clients), but what about your employees who may be attending their workplace frequently?

Justifying the collection of COVID-19 vaccination status

If you have individuals who frequently attend your premises, it may be more convenient for you to collect and hold information relating to their COVID-19 vaccination status. The Privacy Act allows for the collection of vaccination data if it is reasonably necessary for one of the functions or activities of the business. Whether it is reasonably necessary for a business to collect such data will require consideration of whether the business faces a higher risk of COVID-19 transmission in the workplace (such as those that require on-site attendance as opposed to remote working) and will need to be considered for employees on a case-by-case basis. For example, an organisation should consider employees who are regularly client facing as part of their role, or who interact with vulnerable individuals (for example, children and the elderly), separately from those who are not client facing or who work from home. The determination involves an objective assessment by the organisation and will differ depending on the different roles within an organisation.

4. So can my business collect vaccine information about its employees?

Workers in industries such as healthcare, hotel quarantine and those involved in the provision of residential aged care are already required to be fully COVID-19 vaccinated. Workers in these industries must provide evidence of their COVID-19 vaccination status if requested by their employer.[2]

If the business is listed in the PHO, it can collect evidence of COVID-19 vaccination status from its employees for the same reason it can collect that information from its customers or clients – to ensure that the business is compliant with the relevant PHO. Employees covered by the NSW PHO who are not fully vaccinated are also not permitted to enter their work premises, unless this is not reasonably practicable.

Businesses not listed in the PHO may collect their employees’ COVID-19 vaccination status only if the employee consents and it is reasonably necessary for the functions or activities of the business.

5. Can an employer require its employees to be vaccinated?

Some industries have mandatory vaccination requirements, for example healthcare, residential aged care and hotel quarantine.

In the absence of a PHO, or a term of any employment contract or enterprise agreement mandating the COVID-19 vaccination, employers may only require employees to be vaccinated where such a direction is lawful and reasonable.

The lawfulness and reasonableness of an employer’s direction should be determined on a case-by-case basis. The Fair Work Ombudsman has created a ‘work tier’ approach to provide guidance on whether individuals can be compelled to be vaccinated by their employers. The tiers are based on a range of factors including whether employees are required to interact with vulnerable people as a part of their employment. Further information on the tiers can be found here.

Organisations should seek legal advice prior to implementing a mandatory vaccination policy due to potential discrimination and employment law consequences. Any such policy will be required to prove the need for the COVID-19 vaccination on a case-by-case basis.

6. What must businesses do before they collect vaccination information?

If a business has determined that it will collect COVID-19 vaccination status information, it must obtain the consent of the individuals whose COVID-19 vaccination information it wishes to collect.

Prior to receiving consent, businesses should inform the individual what data will be collected, why the data is required and what it will be used for. Businesses should also make clear to the individual what happens if they refuse to provide proof of vaccination, for example, whether the individual will be allowed to enter the business premises, and that they may find out more information about their rights under the organisational Privacy Policy.

7. What obligations does a business have once it collects vaccination information?

Information about an employee’s COVID-19 vaccination status may be subject to the Employee Records Exemption in the Privacy Act after it is collected, assuming that the information directly relates to the employment relationship.

This means that after the information has been collected, the Privacy Principles under the Privacy Act no longer apply to the information. However, many organisations will have a privacy policy which governs the use of such information. It is prudent to maintain the requisite safeguards for this information to reduce the likelihood of any harm to employees from a data leak or other unauthorised access; failing to have the requisite safeguards, or permitting a data breach, can also attract significant penalties.

The information of non-employees must still be kept in accordance with the principles of the Privacy Act. This includes ensuring adequate safeguards to prevent unauthorised access, keeping no more information than is necessary to achieve the needs of the business, and deleting information once it is no longer useful or required.

Once information is collected, it may only be used or disclosed for the purpose for which it was collected. That is, businesses cannot use or disclose COVID-19 vaccination information for another purpose unless the individual consents to the information being used for that other purpose. Some exceptions include where the use or disclosure is required by law, for example, if an authorised officer or law enforcement officer requires that a business provide evidence of its customers’ or employees’ COVID-19 vaccination status to ensure that the business is complying with a PHO.

The Office of the Australian Information Commissioner has recently released the “National COVID‑19 Privacy Principles”, a guide for businesses and individuals to understand their privacy rights and obligations in relation to COVID-19. A link to this guide can be found here.

How can we help?

If your organisation requires any assistance with implementing a tailored privacy policy, or you would like any further information regarding your privacy obligations generally, please contact Automic Legal on (02) 8072 1400. Alternately, click here to be contacted by one of our Legal team members.

Learn more about Automic Group’s professional services capabilities here.

[1] Relevant businesses that must take reasonable steps to ensure unvaccinated adults are not on the premises include entertainment facilities, major recreation facilities, hospitality venues, places of public worship, premises at which a significant event is being held, hairdressers, spas, nail salons, beauty salons, waxing salons, tanning salons, tattoo parlours, massage parlours, indoor recreation facilities, public swimming pools, information and education facilities, retail premises, business premises that are auction houses, business premises that are betting agencies, gaming lounges, markets that do not predominantly sell food, and properties operated by the National Trust or the Historic Houses Trust.
[2] Public Health (COVID-19 Aged Care Facilities) Order 2021; Public Health (COVID-19 Vaccination of Education and Care Workers) Order 2021.