Businesses across Australia continue to grapple with ways to prevent and manage COVID-19 in the workplace, including compliance with ever-changing Government mandated vaccine requirements and implementing workplace vaccination policies.

As a result, businesses continue to collect sensitive information about employees, contractors and other visitors to the workplace, including vaccination status information and medical certificates.

Information about a person’s vaccination status and medical certificates are ‘personal information’ which must be collected, used and disclosed according to Australian privacy laws, including the Privacy Act 1988 (Cth) (Privacy Act) and associated Australian Privacy Principles. The following outlines the key principles to be aware of and to consider regarding privacy obligations when collecting this type of information.

In what circumstances can businesses collect vaccination status information about employees, labour hire workers, contractors, volunteers, candidates and other visitors?

Vaccination status information is ‘sensitive information’ about an individual and is afforded higher protection under the Privacy Act. This means, generally speaking, a person’s vaccination status must only be collected if:

  • the information is necessary for one or more of the business’ functions or activities; and
  • the individual has consented.

Businesses may need to collect vaccination status information to prevent and manage COVID-19 in the workplace. When considering worker vaccination information, applicable workplace laws and contractual obligations will impact whether collecting vaccination status information is necessary for a business’ functions or activities. Vaccination information collected ‘just in case’, or for a purpose achievable without the information, will be harder to justify.

There are circumstances when consent is not required, including where:

  • collection is required or authorised under Australian law; or
  • information is necessary to prevent or lessen a serious threat to the life, health, safety or welfare of any individual or to public health or safety (and it is impracticable to obtain consent).

Laws requiring and authorising the collection of vaccination status information can include public health orders and directions made by State Governments.

When relying on the “required or authorised by law” exemption, the law will dictate what information is to be collected. In most cases, it will be sufficient to sight an individual’s immunisation certificate or history statement confirming full or partial vaccination status and make a record of doing so. It is not necessary (nor recommended) that businesses collect and store a copy of the certificate/statement.

In summary, worker vaccination status information may be collected if a public health order or direction is in place requiring that information. If neither applies, where a lawful and reasonable vaccination direction has been given to workers, you can request evidence of vaccination if you consider this reasonably necessary and you have obtained their consent.

In all other cases, businesses may collect vaccination status information if necessary for one or more of the business’ functions or activities (including preventing and managing COVID-19 in the workplace) and the individual consents.

These principles apply equally to other sensitive information, including medical certificates provided by individuals who have a medical contraindication and may be exempt from vaccination requirements under law.

Collection notice and transparency

It is essential for businesses to be transparent about why vaccination information is being collected and to comply with Australian Privacy Principle 5 (APP 5).

APP 5 requires businesses that collect personal information to take reasonable steps to either notify the individual of certain matters about the collection or to ensure the individual is aware of those matters at the time personal information is collected (or as soon as practicable thereafter).

Compliance can be achieved by providing a Collection Notice, which is a statement that sets out:

  • why the information is being collected;
  • how it will be used;
  • who it will be disclosed to;
  • whether it will be disclosed overseas; and
  • whether the collection is required or authorised by law.

Importantly from an HR perspective, employers cannot rely on the employee records exemption to exclude them from providing a Collection Notice to employees. The Full Bench of the Fair Work Commission has previously confirmed that the employee records exemption does not apply until after the information has been collected and held within the employee record.

Businesses must distribute a Collection Notice to all employees, contractors, labour hire workers, volunteers, candidates for employment and visitors to the workplace when collecting vaccination status information. It can also help obtain valid and informed consent, where required.

What should businesses do now?

While vaccination in the workplace directions can be confusing, the associated privacy obligations are relatively straightforward.

If your business chooses to or is required to collect vaccination status information about employees, contractors and other visitors to the workplace, we recommend the following:

  • always provide a Collection Notice (APP 5 compliant) to individuals whose information is collected (including employees);
  • only collect personal information necessary to prevent or manage COVID-19 or that is required by law;
  • once collected, personal information should only be used or disclosed within and outside your business on a “need-to-know” basis and for the purposes outlined in the Collection Notice;
  • have clear policies and parameters for destroying/retaining personal information and only retain for as long as necessary and for the purpose it was collected (do not hold indefinitely); and
  • ensure the information is securely stored.

Rigby Cooke’s Privacy & Data Protection team can assist businesses with understanding your requirements or provide practical advice to help your business comply with its obligations under the Privacy Act, State Directions or public health orders.

Ian Rosenfeld
Partner – Corporate & Commercial
T: +61 3 9321 7850

Emma Simpson
Senior Associate – Corporate & Commercial
T: +61 3 9321 7805