Publication date: 9 August 2021

The information below is intended to help employees understand how the Privacy Act 1988 will apply to protect their personal information relating to COVID-19 vaccinations in the workplace.

The Privacy Act does not apply to all organisations and government agencies. You can find information about whether this information might apply to your employment here. Individuals employed by state or territory government agencies should consult the privacy regulator in their relevant jurisdictions for information. You can find further information here.

More information about COVID-19 vaccinations and the workplace is available from the Fair Work Ombudsman and Safe Work Australia.

Can your employer require you to disclose information about your vaccination status?

Your employer can only require you to provide evidence of your vaccination status in particular circumstances.

If your employer intends to collect your vaccination status into a record, they must be satisfied that this collection is permitted under Australian Privacy Principle (APP) 3.

Information about your vaccination status is sensitive information and is afforded a higher degree of protection under the Privacy Act. Generally, your employer must seek your consent in order to collect your vaccination status information and the collection of this information must be reasonably necessary for one or more of your employer’s functions or activities, unless an exception applies.

Consent must be freely given and constitute valid consent. This means that your employer cannot pressure or intimidate you to provide information about your vaccination status where they are relying on your consent as the lawful basis for collecting it. Your employer should provide you with adequate information about what information will be collected, why it is required and what it will be used for, prior to you giving consent. Your employer should also tell you whether the information will be disclosed to any third parties.

If your employer is a private sector organisation, they must also be able to justify the collection of your vaccination status information as being reasonably necessary for one or more of their functions or activities.

If your employer is an Australian Government agency, they must also be able to justify that the collection of your vaccination status information is directly related to their functions or activities (which may include preventing or managing COVID-19).

Applicable workplace laws and contractual obligations will impact whether the collection of your vaccination status information is reasonably necessary for your employer’s functions or activities. If your employer is requiring you to disclose information about your vaccination status on a ‘just in case’ basis, or if they can achieve their purpose without collecting this information, it will be harder for them to demonstrate that the collection is reasonably necessary.

The same considerations apply to any proposed collection of vaccination status information from persons related to you or living with you. Employers should be cautious and not assume that they can collect vaccination status information from your relatives or household contacts just because they can collect information from you.

Where your employer has provided a lawful and reasonable direction to you to be vaccinated, your employer can ask you to provide evidence of your vaccination, if this is reasonably necessary. Your employer must also obtain your consent. More information about lawful and reasonable directions is available from the Fair Work Ombudsman’s website.

If there is a term in your enterprise agreement, other registered agreement or employment contract that requires COVID-19 vaccination, it is likely to be reasonably necessary for your employer to collect information about your vaccination status. However, your employer will still need to obtain your consent to the collection.

Required or authorised by law

Your employer may be able to require you to disclose information about your vaccination status without consent if the collection of this information is required or authorised by an Australian law. This includes any Act of the Commonwealth, of a state or territory, or regulations or any other instrument made under such an Act, including public health orders or directions.

State and territory public health orders are continually being updated to respond to the COVID-19 pandemic. You should monitor these developments and review the specific requirements of any relevant orders or directions issued by your state and territory health authority to determine if you may need to disclose information about your COVID-19 vaccination status to your employer. Consult your relevant Department of Health to find out about any relevant requirements to provide proof of vaccination.

If you choose not to have the COVID-19 vaccine, can your employer require you to provide reasons or other medical evidence?

Your reasons for choosing not to have the COVID-19 vaccination, and medical evidence related to this decision, are also considered to be sensitive information under the Privacy Act. As with vaccination status information, your employer can generally only collect this information with your consent, and the collection must be reasonably necessary for your employer’s functions or activities.

However, if there is an Australian law – such as a public health order or direction – that requires your employer to collect your vaccination status information and reasons for non-vaccination, you may be required to provide your employer with your reasons or medical evidence exempting you from vaccination. The information collected should be limited to what is specified in the relevant law, or to what is reasonably necessary in circumstances where it is collected by consent.

Is your employer required to tell you why they're requesting your vaccination status information and what they're going to do with your information?

If your employer requests your consent to collect vaccination status information, they are required to be transparent about why the information is being collected, and how it will be used, in line with APP 1.

Your employer must also take reasonable steps to notify you of the matters set out in APP 5. These include:

  • the purpose of collection
  • the consequences if you refuse to consent to the collection
  • if the collection is required or authorised by law
  • how your employer may use or disclose information about your vaccination status, and
  • that their APP privacy policy contains information about how you may access your personal information, seek correction of your personal information, make a complaint about a breach of the APPs and how your employer will deal with such a complaint.

Your employer should provide you with this information before they collect information about your vaccination status or, if this is not practicable, as soon as practicable after collection occurs.

If you disclose information about your vaccination status to your employer, will your information be protected by the Privacy Act?

Private sector employees

If your employer is a private sector organisation and information about your vaccination status has been collected by them lawfully, the employee records exemption in the Privacy Act will apply in many instances. This means that the APPs will not apply to the handling of your information once it has been collected and is held in an employee record, where it is directly related to the employment relationship between you and your employer. The OAIC has developed guidance for private sector employers on privacy best practice when handling information about employee vaccination status. You may wish to suggest that your employer review this guidance before collecting your information.

Your employer must also handle your information in accordance with any applicable requirements or privacy protections set out in a relevant public health order.

Public sector employees

If your employer is a Commonwealth or Norfolk Island Government agency, the privacy protections in the Privacy Act and the APPs will continue to apply to your vaccination status information once it has been collected and included in your employee record.

Your employer must also handle your information in accordance with any applicable requirements or privacy protections set out in a relevant public health order.

For more information see the Australian Public Service Commission.

What if you're a contractor, volunteer or applying for a job?

If you're a contractor, subcontractor or volunteer then the employee records exemption will not apply. This is also the case if you are applying for a job as a prospective employee. The information you provide about your vaccination status to a private sector organisation as a contractor, subcontractor, volunteer, or prospective employee will continue to be covered by the Privacy Act and the APPs.

If your information is protected by the Privacy Act, what are your employer’s obligations in respect of your information?

If the employee records exemption does not apply to you, and where your employer is legally permitted to collect your vaccination status, they must accurately record your vaccination status information and ensure that it is complete and kept up to date. You must be provided with an opportunity to access your information and request correction if the information is inaccurate. Your employer must have appropriate security systems to protect your vaccination status information from misuse, interference, loss, unauthorised access, modification or disclosure. Your employer should also limit the use and disclosure of your vaccination status information to the purpose for which they advised you it has been collected. Finally, your employer should destroy this information when it is no longer required. More information about these obligations is available here.

Can you make a complaint if you think your employer is misusing your vaccination status information?

If you think your employer is misusing your vaccination status information, you should contact your employer in the first instance to try to resolve the issue with them.

If you are not satisfied with your employer’s response, you can lodge a complaint with the OAIC if your employer is a Commonwealth or Norfolk Island Government agency or an organisation covered by the Privacy Act. The Privacy Act covers organisations with an annual turnover of more than $3 million and some other organisations, such as:

  • private sector health service providers
  • businesses that sell or purchase personal information
  • contracted service providers for an Australian Government contract.

If the employee records exemption applies, you may be able to make a complaint about the collection practices of your employer, such as the fact that your employer has asked to collect your vaccination status information where it is not necessary or in relation to the APP 5 information that they have provided to you. This is because the employee records exemption only exempts personal information from the Privacy Act once it has been included in an employee record.

Find more about lodging a complaint.