COVID-19: Vaccinations and my privacy rights as an employee

The information in this FAQ is intended to help employees understand how the Privacy Act 1988 (Privacy Act) will apply to protect their personal information relating to COVID-19 vaccinations in the workplace.

The Privacy Act does not apply to all organisations and government agencies. You can find information about whether this information might apply to your employment here. Individuals employed by state or territory government agencies should consult the privacy regulator in their relevant jurisdictions for information. You can find further information here.

More information about COVID-19 vaccinations and the workplace is available from the Fair Work Ombudsman and Safe Work Australia.

1. Can my employer require me to disclose information about my vaccination status?

Your employer can only require you to provide information about your vaccination status in very limited circumstances. Your employer must be satisfied that this collection is permitted under Australian Privacy Principle (APP) 3.

Information about your vaccination status is sensitive information and is afforded a higher degree of protection under the Privacy Act, including APP 3. Generally, your employer must seek your consent in order to collect your vaccination status information and the collection of this information must be reasonably necessary for one or more of your employer’s functions or activities, unless an exception applies.

Consent must be freely given and constitute valid consent. This means that your employer cannot pressure or intimidate you to provide information about your vaccination status. Your employer should provide you with adequate information about what information will be collected, why it is required and what it will be used for, prior to you giving consent. Your employer should also tell you whether the information will be disclosed to any third parties.

Your employer must also be able to justify the collection of your vaccination status information as being reasonably necessary for one or more of their functions or activities, or for agencies only, directly related to their functions or activities (which may include preventing or managing COVID-19). The health and safety risks in your work sector, applicable workplace laws and contractual obligations will impact whether the collection of your vaccination status information is reasonably necessary for your employer’s activities or functions. If your employer is requiring you to disclose information about your vaccination status on a ‘just in case’ basis, or if they can achieve their purpose without collecting this information, it will be harder for them to demonstrate that the collection is reasonably necessary.

Required or authorised by law

In some limited circumstances your employer may be able to require you to disclose information about your vaccination status without consent if collection of this information is required or authorised by an Australian law. This includes any Act of the Commonwealth, of a state or territory, or regulations or any other instrument made under such an Act, including public health orders or directions.

State and territory public health orders are continually being updated to respond to the COVID-19 pandemic. You should monitor these developments and review the specific requirements of any relevant orders or directions issued by your state and territory health authority to determine if you may need to disclose information about your COVID-19 vaccination status to your employer. Consult your relevant Department of Health to find out about any relevant requirements to provide proof of vaccination.

2. If I chose not to have the COVID-19 vaccine, can my employer require me to provide my reasons or other medical evidence?

Your reasons for choosing not to have the COVID-19 vaccination and medical evidence related to this decision are also considered to be sensitive information under the Privacy Act. As with vaccination status information, your employer can generally only collect this information with your consent, and the collection must be reasonably necessary for your employer’s functions or activities.

However, if there is an Australian law – such as a public health order – that requires your employer to collect your vaccination status information and reasons for non-vaccination, you may be required to provide your employer with your reasons or medical evidence exempting you from vaccination. This will depend on the requirements contained in the relevant law.

3. Is my employer required to tell me why they are requesting my vaccination status information and what they are going to do with my information?

If your employer requests your consent to collect vaccination status information, they are required to be transparent about why the information is being collected, and how it will be used, in line with APP 1.

Your employer must take reasonable steps to notify you of the matters set out in APP 5. These include:

  • the purpose of collection
  • the consequences if you refuse to consent to the collection
  • if the collection is required or authorised by law,
  • how your employer may use or disclose information about your vaccination status, and
  • that their APP privacy policy contains information about how you may access your personal information, seek correction of your personal information, make a complaint about a breach of the APPs and how your employer will deal with such a complaint.

Your employer should provide you with this information before they collect information about your vaccination status or, if this is not practicable, as soon as practicable after collection occurs.

4. If I disclose information about my vaccination status to my employer, will my information be protected by the Privacy Act?

Private sector employees

If your employer is a private organisation and information about your vaccination status has been collected by them lawfully, the employee records exemption in the Privacy Act will apply in many instances. This means that the APPs will not apply to the handling of your information once it has been collected and is held in an employee record, where it is directly related to the employment relationship between you and your employer. The OAIC has developed guidance for private sector employers on privacy best practice when handling information about employee vaccination status. You may wish to suggest that your employer review this guidance before collecting your information.

Public sector employees

If your employer is a Commonwealth or Norfolk Island Government agency, the privacy protections in the Privacy Act and the APPs will continue to apply to your vaccination status information once it has been collected and included in your employee record.

Further information is available from the Australian Public Service Commission.

5. What if I’m a contractor, volunteer or applying for a job?

If you are a contractor, subcontractor or volunteer then the employee records exemption will not apply. This is also the case if you are applying for a job and are subsequently not employed by your prospective private sector employer. The information you provide about your vaccination status to a private sector organisation as a contractor, subcontractor, volunteer, or prospective employee will continue to be covered by the Privacy Act and the APPs.

6. If my information is protected by the Privacy Act, what are my employer’s obligations in respect of my information?

If the employee records exemption does not apply to you, your employer must accurately record your vaccination status information and ensure that it is complete and kept up to date. You must be provided with an opportunity to access your information and request correction if the information is inaccurate. Your employer must have appropriate security systems to protect your vaccination status information from misuse, interference, loss, unauthorised access, modification or disclosure. Your employer should also limit the use and disclosure of your vaccination status information to the purpose for which they advised you it has been collected. Finally, your employer should destroy this information when it is no longer required. More information about these obligations is available here.

7. Can I make a complaint if I think my employer is misusing my vaccination status information?

If you think your employer is misusing your vaccination status information, you should contact your employer in the first instance to try to resolve the issue with them.

If you are not satisfied with your employer’s response, you can lodge a complaint with the OAIC if your employer is a Commonwealth or Norfolk Island Government agency or an organisation covered by the Privacy Act. The Privacy Act covers organisations with an annual turnover of more than $3 million and some other organisations, such as:

  • private sector health service providers
  • businesses that sell or purchase personal information
  • contracted service providers for an Australian Government contract.

If the employee records exemption applies, you may be able to make a complaint about the collection practices of your employer, such as the fact that your employer has asked to collect your vaccination status information where it is not necessary or in relation to the APP 5 information that they have provided to you. This is because the employee records exemption only exempts personal information from the Privacy Act once it has been included in an employee record.

You can find more information about our complaints process here.
