Coronavirus (COVID-19) Vaccinations: Understanding your privacy obligations to your staff

23 February 2021
Tags: COVID-19

This privacy guidance is intended to help entities[i] regulated by the Privacy Act 1988 (Cth) (Privacy Act) to understand their obligations when collecting, using, storing, and disclosing employee health information related to the COVID-19 vaccine. It complements the OAIC COVID-19 Guidance for employers, which provides more general information about employers’ privacy obligations in the context of the pandemic.

Privacy is only one of many factors to consider when asking employees whether they have received a COVID-19 vaccination (their ‘vaccination status’). Further information about COVID-19 vaccinations and the workplace is available from the Fair Work Ombudsman and Safe Work Australia.

Key points

  • Employers will only be able to collect information about employees' vaccination status in very limited circumstances
  • Only the minimum amount of personal information reasonably necessary to maintain a safe workplace should be collected, used or disclosed
  • You must only collect vaccination status information if the employee consents and the collection is reasonably necessary for your functions and activities, unless an exception applies
  • One exception that may allow collection without the employee’s consent is circumstances where the collection is required or authorised by law
  • If vaccination status information is collected, you must advise employees how this information will be handled
  • Vaccination status information should be used or disclosed on a ‘need-to-know’ basis
  • Ensure you take reasonable steps to keep employee vaccination status and related health information secure

Frequently asked questions

Should you collect information about an employee’s vaccination status?

You should only collect information about an employee’s vaccination status if you are satisfied that this collection is permitted under Australian Privacy Principle (APP) 3. An employee’s vaccination status is considered sensitive health information under the Privacy Act and higher privacy protections apply.

You must only collect health information if your employee consents and the collection is reasonably necessary for your functions or activities (which may include preventing or managing COVID-19) unless an exception applies.

Consent to collecting vaccination status information must be freely given and constitute valid consent. You must make sure that your employees understand why you need to collect this information, what you will use it for, and give them a genuine opportunity to provide or withhold consent. You should exercise caution in seeking consent in these circumstances given the imbalance of power in the employment relationship that may cause employees to feel pressured or obligated to provide their consent.

You must have clear and justifiable reasons for collecting your employees’ vaccination status information. If you have no specified use for this information, are recording it on a ‘just in case’ basis, or if you can achieve your purpose without collecting this information, you are unlikely to be able to justify that the collection is reasonably necessary. For example, if you are collecting vaccination status information for monitoring purposes only, it will be difficult to demonstrate the necessity of collecting this information.

Public health advice will be useful to inform what information, including vaccination status information, might be reasonably necessary to prevent or manage COVID-19. The health and safety risks in your work sector, applicable workplace laws and contractual obligations will also influence whether the collection of vaccination status information would be considered reasonably necessary for your activities or functions. Further information is available from the Fair Work Ombudsman and Safe Work Australia.

Required or authorised by law

There are some limited circumstances where you may collect health information without consent, such as where the collection is required or authorised by Australian law. This could include an Act of the Commonwealth, or of a state or territory, or regulations or any other instrument made under such an Act. For example, a public health order may require employers to collect employee COVID-19 vaccination information in certain circumstances. At the time of writing this FAQ, no public health orders requiring COVID-19 vaccination have been made. Our information will be updated if any orders are made.

You are a private sector employer. What else should you consider?

If you decide that you can collect vaccination status information, you must be transparent with your employees about the reasons for doing so. You must take reasonable steps to notify employees of the matters set out in APP 5, including the purposes of collection and the ways in which the information may be used or disclosed. You must collect the information using fair and lawful means. For example, you cannot use any form of intimidation or deception to obtain an employee’s vaccination status.

If you are a private sector employer, the employee records exemption will apply in many instances after you lawfully collect your employee’s information. This means that the APPs will not apply to the handling of the information, once it has been collected and is held in an employee record, where it is directly related to the employment relationship. The employee records exemption does not apply to prospective employees, contractors, sub-contractors and volunteers. You must comply with the Australian Privacy Principles when dealing with the personal information of these individuals.

However, as a matter of best privacy practice you should respect the health information of your employees and ensure that you:

  • accurately record the information that you collect, keep it up-to-date and store it securely
  • limit the use and disclosure of employee vaccination status information to what is necessary to prevent and manage COVID-19. Don’t disclose vaccination status among colleagues unless you have a legitimate and compelling reason to do so
  • regularly review whether you still need to retain this information as the vaccination roll-out progresses and more people receive the vaccine. This should include monitoring the latest government and health advice about the vaccine roll-out and COVID-19 restrictions.

You are an Australian Government employer. What else should you consider?

The Privacy Act applies to the records of current and past Australian Government agency[ii] and Norfolk Island administration employees.

If you are deciding whether you can collect vaccination status information, you should undertake a threshold assessment to see if you need to complete a Privacy Impact Assessment (PIA). A PIA provides a useful framework to screen for unexpected privacy issues and will help to address the privacy risks associated with the collection of vaccination status information by your agency. Agencies are required to undertake a PIA for all high privacy risk projects or initiatives that involve new or changed ways of handling personal information.

In addition to helping you decide if the collection of vaccination status is necessary for your functions and activities a PIA could also consider how you will:

  • be transparent with employees and take reasonable steps to notify the employee of the matters set out in APP 5, including the purposes of collection, and the ways in which the information may be used or disclosed
  • accurately record the information that you collect and ensure that it is complete and kept up-to-date
  • collect information securely and ensure that it is stored securely
  • limit the use and disclosure of employee vaccination status information to what is necessary to prevent and manage COVID-19.

Further information is available from the Australian Public Service Commission.


[i] The Privacy Act covers Australian government agencies and private sector organisations (including all private health service providers). Some small business operators (organisations with an annual turnover of $3 million or less) are exempt under the Privacy Act. For private sector employers, the employee records exemption will apply to the handling of an employee’s personal information once that information has been collected and forms part of an employee record, where the handling is directly related to the employment relationship.

[ii] https://www.oaic.gov.au/privacy/australian-privacy-principles-guidelines/chapter-b-key-concepts/
