Since the rollout of the COVID-19 vaccine from February this year, the Fair Work Ombudsman and Safe Work Australia have issued guidance for employers in respect of the COVID-19 vaccinations, as discussed in our article here.
As employers are now considering the impact of the COVID-19 vaccination on their obligations under relevant employment law, the Office of the Australian Information Commissioner (OAIC) has also released guidance for employers in respect of their privacy obligations when seeking to collect details of their employees’ ‘vaccination status’.
This article provides guidance to entities regulated by the Privacy Act 1988 (Cth) (Privacy Act) to help them navigate their obligations under the Australian Privacy Principles (APPs) when collecting, using, storing, and disclosing employee health information related to the COVID-19 vaccine.
Does the Privacy Act apply and if so, does it apply to you?
The Privacy Act applies to entities, including an Australian government agency or a private sector organisation (including all private health service providers) (APP entities). Exemptions apply in certain circumstances for some small business operators, which are organisations with an annual turnover of $3 million or less.
APP entities need to ensure that they are handling personal information appropriately, to meet their obligation to maintain a safe workplace for staff and visitors in compliance with their obligations under the Privacy Act.
It is likely and expected that, in order to prevent or manage COVID-19 in the workplace, agencies and private sector employers (including private health service providers) will need to collect, use and disclose personal information (including employee health information relating to the COVID-19 vaccine). For example, disclosure may include notifying staff members who may be at risk so necessary precautions can be taken in respect of potential COVID-19 cases.
Employers need to be cautious to ensure that only personal information which is reasonably necessary to prevent or manage COVID-19 in the workplace is collected, used or disclosed.
APP entities must actively take steps to protect the privacy of their employees by complying with the APPs when collecting personal information (including vaccination status information). However, once vaccination status information about an employee is collected, that information will form part of their employee record. For private sector employers, certain APPs (including in respect of the use and disclosure of personal information) may not apply in circumstances where the Privacy Act employee records exemption applies. In order for the employee records exemption to apply, information must be directly related to an employment relationship between an employer and employee, have been lawfully collected and held in an employee record. The employee records exemption does not apply to prospective employees, contractors, sub-contractors and volunteers but the APPs will apply when dealing with the personal information of these individuals.
How can employers collect, use and disclose information about their employees’ vaccination status?
It is important to be aware that an employee’s vaccination status is considered sensitive health information under the Privacy Act and higher privacy protections apply.
Generally, agencies and private sector employers can collect health information about individuals if (APP 3.3(a)):
Notwithstanding this, consent is not necessary if the collection is required under or authorised by Australian law (APP 3.4(a)). This could include an Act of the Commonwealth, or of a state or territory, or regulations or any other instrument made under such an Act.
By way of example, a public health order may require employers to collect employee COVID-19 vaccination information in certain circumstances. However, as at the date of this article, no such public health orders requiring the COVID-19 vaccination status of employees have been made. There are a limited number of other exceptions to the requirement to obtain consent under APP 3.3(a) which are set out under APP 3.4, including if a “permitted general situation” exists (APP 3.4(b)). Examples of a “permitted general situation” include where the collection is undertaken to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.
Use and disclosure
Except in circumstances where the employee records exemption applies, if an APP entity holds personal information about an individual that was collected for a particular purpose (primary purpose), the entity must not use or disclose the information for another purpose (secondary purpose) unless the individual has consented to the use or disclosure of the information or another exception applies under APPs 6.2 or 6.3 – for example, where the individual would reasonably expect the APP entity to use or disclose the information for the secondary purpose and the secondary purpose is directly related to the primary purpose (APP 6).
Things to be aware of when collecting employees’ vaccination status information
Employers should only collect information about an employee’s vaccination status if they are satisfied that this collection is permitted under APP 3 (collection of solicited personal information). If the employer determines they can collect vaccination status information from their employees in compliance with their obligations under the Privacy Act, the employer must be transparent with its employees about the specific reasons for doing so. The employer must take reasonable steps to notify employees of the matters set out in APP 5 (notification of the collection of personal information), including the purposes of collection and how the information may be used or disclosed.
If consent is required (as in most cases subject to the exceptions under APP 3.4) to collect vaccination status information, employers must comply with the following four key elements of consent set out by the OAIC:
Employers need to take care not to cause their employees to feel pressured or obligated to provide consent, given the potential imbalance of power in the employment relationship.
Employers must have clear and justifiable reasons for collecting their employees’ vaccination status information. It may not be sufficient for employers to collect this information on a ‘just in case’ basis (for example if collecting vaccination status information for monitoring purposes only), or if they can achieve their purpose without collecting this information.
There are a number of factors that may assist an employer to determine whether the collection of vaccination status information from employees is reasonably necessary to prevent or manage COVID-19, including:
Practical tips to manage health information of employees
Regardless of whether the employee records exemption applies, the following practical tips can assist employers to respectfully manage the health information of their employees:
The key takeaways (which have also been summarised by the OAIC in their recent guidance notes accessible here) for employers are:
Authors: Andrew Hynd & Olivia Fielding