Coronavirus (COVID-19) Vaccinations: Understanding your privacy obligations to your staff
This privacy guidance is intended to help entities[i] regulated by the Privacy Act 1988 (Cth) (Privacy Act) to understand their obligations when collecting, using, storing, and disclosing (‘handling’) employee health information related to the COVID-19 vaccine. It complements the OAIC COVID-19 Guidance for employers which provides more general information about employer’s privacy obligations in the context of the pandemic.
Privacy is only one of many factors to consider when asking employees whether they have received a COVID-19 vaccination (their ‘vaccination status’). Further information about COVID-19 vaccinations and the workplace is available from the Fair Work Ombudsman and Safe Work Australia.
- Employers can only collect information about employee’s vaccination status in particular circumstances where the employee consents and the collection is reasonably necessary for your workplaces’ functions and activities.
- You must have clear and justifiable reasons for collecting employee vaccination status information for it to be reasonably necessary. If you do not have clear and justifiable reasons, you should not collect vaccination status information.
- You can collect vaccination status information without consent only in circumstances where the collection is required or authorised by law (including a state or territory public health order or direction).
- Only the minimum amount of personal information reasonably necessary to maintain a safe workplace should be collected, used or disclosed.
- Vaccination status information should only be used or disclosed on a ‘need-to-know’ basis.
- You must inform employees about how their vaccination status information will be handled.
- Ensure you take reasonable steps to keep employee vaccination status and related health information secure.
Should you collect information about an employee’s vaccination status?
You should only collect information about an employee’s vaccination status if you are satisfied that this collection is permitted under Australian Privacy Principle (APP) 3. An employee’s vaccination status is considered sensitive health information under the Privacy Act and higher privacy protections apply.
You must only collect health information if your employee consents and the collection is reasonably necessary for your functions or activities (which may include preventing or managing COVID-19) unless an exception applies.
Consent to collecting vaccination status information must be freely given and constitute valid consent. You must make sure that your employees understand why you need to collect this information, what you will use it for, and give them a genuine opportunity to provide or withhold consent. You should exercise caution in seeking consent in these circumstances given the imbalance of power in the employment relationship that may cause employees to feel pressured or obligated to provide their consent.
You must have clear and justifiable reasons for collecting your employees’ vaccination status information. If you have no specified use for this information, are recording it on a ‘just in case’ basis, or if you can achieve your purpose without collecting this information, you are unlikely to be able to justify that the collection is reasonably necessary. For example, if you are collecting vaccination status information for monitoring purposes only, it will be difficult to demonstrate the necessity of collecting this information. In such cases where you do not have a clear and justifiable reason, vaccination status information should not be collected.
The same considerations apply to any proposed collection of vaccination status information from persons related to or living with your employees. You should be cautious and not assume that you can collect vaccination status information from your employee’s relatives or household contacts just because you can collect information from your employee.
Public health advice will be useful to inform what information, including vaccination status information, is reasonably necessary to prevent or manage COVID-19. Applicable workplace laws and contractual obligations will also influence whether the collection of vaccination status information would be considered reasonably necessary for your activities or functions.
Where you have provided a lawful and reasonable direction to your employee to be vaccinated, you can also ask your employee to provide evidence of their vaccination if you are satisfied that this is reasonably necessary and you have obtained the employee’s consent. More information about lawful and reasonable directions is available from the Fair Work Ombudsman’s website.
If there is a term in the enterprise agreement, other registered agreement or employment contract between you and your employee that requires COVID-19 vaccination, it is likely to be reasonably necessary for you to collect information about your employee’s vaccination status. However, you will still need to obtain your employee’s consent to the collection.
If you decide that you can collect vaccination status information, you must be transparent with your employees about the reasons for doing so. You must take reasonable steps to notify employees of the matters set out in APP 5, including the purposes of collection and the ways in which the information may be used or disclosed. You must collect the information using fair and lawful means. For example, you cannot use any form of intimidation or deception to obtain an employee’s vaccination status information.
Required or authorised by law
There are some circumstances where you may collect health information without consent, such as where the collection is required or authorised by Australian law. This could include an Act of the Commonwealth, or of a State or Territory, or regulations or any other instrument made under such an Act, including public health orders or directions.
State and territory public health orders are continually being updated to respond to the COVID-19 pandemic. You should monitor these developments and review the specific requirements of any relevant orders or directions issued by your state and territory health authority to determine your obligations to collect vaccination status information from your employees. Consult your relevant Department of Health to find out about any relevant requirements to collect proof of vaccination.
You are a private sector employer. What else should you consider?
If you are a private sector employer, the employee records exemption will apply in many instances after you lawfully collect your employee’s information. This means that the APPs will not apply to the handling of the information, once it has been collected and is held in an employee record, where it is directly related to the employment relationship. The employee records exemption does not apply to prospective employees, contractors, sub-contractors and volunteers. You must comply with the APPs when dealing with the personal information of these individuals.
However, as a matter of best privacy practice you should respect the health information of your employees and ensure that you:
- Accurately record the information that you collect, keep it up-to-date and store it securely.
- Limit the use and disclosure of employee vaccination status information to what is necessary to prevent and manage COVID-19. Don’t disclose vaccination status among colleagues unless you have a legitimate and compelling reason to do so.
- Regularly review whether you still need to retain this information as the vaccination roll-out progresses and more people receive the vaccine. This should include monitoring the latest government and health advice about the vaccine roll-out and COVID-19 restrictions.
You must also handle any information you collect in accordance with any applicable requirements as set out in the relevant public health order.
You are an Australian Government employer. What else should you consider?
The Privacy Act applies to the records of current and past Australian Government agency[ii] and Norfolk Island administration employees.
If you are deciding whether you can collect vaccination status information, you should undertake a threshold assessment to see if you need to complete a Privacy Impact Assessment (PIA). A PIA provides a useful framework to screen for unexpected privacy issues and will help to address the privacy risks associated with the collection of vaccination status information by your agency. Agencies are required to undertake a PIA for all high privacy risk projects or initiatives that involve new or changed ways of handling personal information.
In addition to helping you decide if the collection of vaccination status is necessary for your functions and activities a PIA could also consider how you will:
- be transparent with employees and take reasonable steps to notify the employee of the matters set out in APP 5, including the purposes of collection, and the ways in which the information may be used or disclosed.
- accurately record the information that you collect and ensure that it is complete and kept up-to-date.
- collect information securely and ensure that it is stored securely.
- limit the use and disclosure of employee vaccination status information to what is necessary to prevent and manage COVID-19.
Further information is available from the Australian Public Service Commission.
[i] The Privacy Act covers Australian government agencies and private sector organisations (including all private health service providers). Some small business operators (organisations with an annual turnover of $3 million or less) are exempt under the Privacy Act. For private sector employers, the employee records exemption will apply to the handling of an employee’s personal information once that information has been collected and forms part of an employee record, where the handling is directly related to the employment relationship.