Since the rollout of the COVID-19 vaccine from February this year, the Fair Work Ombudsman and Safe Work Australia have issued guidance for employers in respect of the COVID-19 vaccinations, as discussed in our article here.
As employers are now considering the impact of the COVID-19 vaccination on their obligations under relevant employment law, the Office of the Australian Information Commissioner (OAIC) has also released guidance for employers in respect of their privacy obligations when seeking to collect details of their employees' 'vaccination status'.
This article provides guidance to entities regulated by the Privacy Act 1988 (Cth) (Privacy Act) to assist them to navigate their obligations under the Australian Privacy Principles (APPs) when collecting, using, storing, and disclosing employee health information related to the COVID-19 vaccine.
Does the Privacy Act apply and if so, does it apply to you?
The Privacy Act applies to entities, including an Australian government agency or a private sector organisation (including all private health service providers) (APP entities). Exemptions apply in certain circumstances for some small business operators, which are organisations with an annual turnover of $3 million or less.
APP entities need to ensure that they are handling personal information appropriately, to meet their obligation to maintain a safe workplace for staff and visitors in compliance with their obligations under the Privacy Act.
It is likely and expected that, in order to prevent or manage COVID-19 in the workplace, agencies and private sector employers (including private health service providers) will need to collect, use and disclose personal information (including employee health information relating to the COVID-19 vaccine). For example, disclosure may include notifying staff members who may be at risk so necessary precautions can be taken in respect of potential COVID-19 cases.
Employers need to be cautious to ensure that only personal information which is reasonably necessary to prevent or manage COVID-19 in the workplace is collected, used or disclosed.
APP entities must actively take steps to protect the privacy of their employees by complying with the APPs when collecting personal information (including vaccination status information). However, once vaccination status information about an employee is collected, that information will form part of their employee record. For private sector employers, certain APPs (including in respect of the use and disclosure of personal information) may not apply in circumstances where the Privacy Act employee records exemption applies. In order for the employee records exemption to apply, information must be directly related to an employment relationship between an employer and employee, have been lawfully collected, and be held in an employee record. The employee records exemption does not apply to prospective employees, contractors, sub-contractors and volunteers, but the APPs will apply when dealing with the personal information of these individuals.
How can employers collect, use and disclose information about their employees' vaccination status?
It is important to be aware that an employee's vaccination status is considered sensitive health information under the Privacy Act and higher privacy protections apply.
Generally, agencies and private sector employers can collect health information about individuals if (APP 3.3(a)):
- the individual gives consent (express or implied) to its collection, and
- the information is reasonably necessary, or directly related to, one or more of its functions or activities, such as to prevent or manage COVID-19 in the workplace.
Notwithstanding this, consent is not necessary if the collection is required under or authorised by Australian law (APP 3.4(a)). This could include an Act of the Commonwealth, or of a state or territory, or regulations or any other instrument made under such an Act.
By way of example, a public health order may require employers to collect employee COVID-19 vaccination information in certain circumstances. However, as at the date of this article, no such public health orders requiring the COVID-19 vaccination status of employees have been made. There are a limited number of other exceptions to the requirement to obtain consent under APP 3.3(a) which are set out under APP 3.4, including if a "permitted general situation" exists (APP 3.4(b)). Examples of a "permitted general situation" include where the collection is undertaken to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.
Use and disclosure
Except in circumstances where the employee records exemption applies, if an APP entity holds personal information about an individual that was collected for a particular purpose (primary purpose), the entity must not use or disclose the information for another purpose (secondary purpose) unless the individual has consented to the use or disclosure of the information or another exception applies under APPs 6.2 or 6.3 - for example, where the individual would reasonably expect the APP entity to use or disclose the information for the secondary purpose and the secondary purpose is directly related to the primary purpose (APP 6).
Things to be aware of when collecting employees' vaccination status information
Employers should only collect information about an employee's vaccination status if they are satisfied that this collection is permitted under APP 3 (collection of solicited personal information). If the employer determines they can collect vaccination status information from their employees in compliance with their obligations under the Privacy Act, the employer must be transparent with its employees about the specific reasons for doing so. The employer must take reasonable steps to notify employees of the matters set out in APP 5 (notification of the collection of personal information), including the purposes of collection and how the information may be used or disclosed.
If consent is required (as in most cases subject to the exceptions under APP 3.4) to collect vaccination status information, employers must comply with the following four key elements of consent set out by the OAIC:
- the individual is adequately informed before giving consent. Employers must make sure that their employees understand why they need to collect this information, what the employer will use it for, and give them a genuine opportunity to provide or withhold consent
- the individual gives consent voluntarily
- the consent is current and specific
- the individual has the capacity to understand and communicate their consent.
Employers need to take care not to cause their employees to feel pressured or obligated to provide consent, given the potential imbalance of power in the employment relationship.
Employers must have clear and justifiable reasons for collecting their employees' vaccination status information. It may not be sufficient for employers to collect this information on a 'just in case' basis (for example if collecting vaccination status information for monitoring purposes only), or if they can achieve their purpose without collecting this information.
There are a number of factors that may assist an employer to determine whether the collection of vaccination status information from employees is reasonably necessary to prevent or manage COVID-19, including:
- public health advice
- the health and safety risks in the particular work sector
- applicable workplace laws and contractual obligations that may apply.
Practical tips to manage health information of employees
Regardless of whether the employee records exemption applies, the following practical tips can assist employers to respectfully manage the health information of their employees:
- accurately record the information collected, keeping it up-to-date and storing it securely
- limit the use and disclosure of employee vaccination status information to what is necessary to prevent and manage COVID-19
- regularly review (including by monitoring the latest government and health advice about the vaccine rollout and COVID-19 restrictions) whether they still need to retain this information as the vaccination rollout progresses and more people receive the vaccine.
The key takeaways (which have also been summarised by the OAIC in their recent guidance notes accessible here) for employers are:
- employers will only be able to collect information about their employees' vaccination status in very limited circumstances
- only the minimum amount of personal information that is reasonably necessary to maintain a safe workplace should be collected, used or disclosed
- unless an exception applies (including where the collection is required or authorised by law or if a permitted general situation exists), employers must only collect vaccination status information if the employee consents and the collection is reasonably necessary for the employers' functions and activities
- if vaccination status information is collected, employers must be transparent with employees in respect of how this information will be handled
- vaccination status information should be used or disclosed on a 'need-to-know' basis
- employers must ensure they take reasonable steps to keep employee vaccination status and related health information secure.