- Employee's health information (including both vaccination status AND medical contraindications) is sensitive information of a person.
- Businesses covered by the Privacy Act will need to comply with the Australian Privacy Principles.
- Other employers should be careful with how they obtain, record and use this information.
When collecting information, and recording it, businesses must be able to justify it as "reasonably necessary". If an employment contract or industrial instrument (EBA) requires an employee to have a vaccination (or disclose their vaccination status), then this is likely to be considered reasonably necessary and therefore lawful. In addition, where government directions (such as those being made under the Public Health Act 2016 (WA)) require an employer to know and record that information, it is likely this will be seen as reasonably necessary, as well as required or authorised by law.
Where an employee is not vaccinated but has a valid medical exemption (as listed on the Immunisation Register) or other exemption, then an employer can also require an employee to disclose this information (in particular where required to keep a record of exemptions by the directions).
Businesses should generally also get valid voluntary and informed consent, without pressuring or intimidating employees, and must provide employees with adequate information about what is being collected, the purpose for collection and how it will be used (and whether it will be disclosed to third parties).
The information must only be used for the purpose it was collected (ie to show emergency officers or to demonstrate compliance with the relevant government directions), and not be used for any other purpose.
Employers should assess whether they need to keep a record (either the actual "vaccination passport" or a list of vaccinated/unvaccinated employees) or can simply sight the proof and not record that information anywhere. The former counts as "storing" the information and therefore the Privacy Act must be complied with. The latter does not but does not comply with the directions released so far which require employers to "take all reasonable and lawful steps to collect and maintain a record of the vaccination status of each [worker]" and must produce it to an emergency officer (Chief Health Officer or other authorised officer) immediately upon request.
They should also assess how long they must keep the records for and put in place processes to ensure destruction at the relevant time (eg. When and if the directions are cancelled or records are no longer required to be kept).
In short, the question businesses need to consider is whether it is a lawful or reasonable direction to require an employee to provide the information. Failure to comply with the Privacy Act (where not exempted) will likely make the direction "unlawful" and any termination or other adverse cation based on it illegal. Compliance with a government direction is likely to make the request lawful and reasonable.
Employers must be careful with how they communicate with employees about the issue, so as to ensure they not providing incorrect or inaccurate information about the vaccinations or offering inappropriate incentives (as this may be a breach of the Therapeutic Goods Act). There is a careful line between "informing" your employees about the vaccine and the requirement for them to have it, and an employer's obligation to provide accurate information.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.