We note that as part of the Victorian Government's Roadmap for the easing of restrictions released several weeks ago it announced that once 80% of the community is fully vaccinated (anticipated to be around 5 November) then staff who have been working from home will be able to return to their offices if they are fully vaccinated.

This raises the question of how employers go about obtaining information from their employees about their vaccination status and what obligations employers need to comply with under the Commonwealth Privacy Act.

The Privacy Act and the associated Australian Privacy Principles established by that legislation apply to businesses with an annual turnover of at least three million dollars.

An employee's vaccination status is considered sensitive health information under the Privacy Act and higher privacy protections apply.

The Privacy Act is administered by the Office of the Australian Information Commissioner. It has issued guidance stating that an employer must only collect information about an employee's vaccination status if the collection of such information is reasonably necessary for the employer's functions or activities (and which may include preventing or managing Covid-19). If an employer was looking to re-open its workplace or office in November for fully vaccinated workers then requesting evidence of an employee's vaccination status would appear justified.

However employees need to freely consent to providing information concerning their vaccination status and evidence of same such as their MyGov vaccination certificate.

Threats on the part of the employer to impose disciplinary action or to terminate the employee unless they provide the information would not amount to valid consent. For instance in a 2019 Fair Work Commission unfair dismissal case (Lee v Superior Wood Pty Ltd) an employee was sacked for not agreeing to provide his fingerprints for finger scanning on entry and exit to his workplace. All other employees within the workplace had agreed. The Full Bench of the Fair Work Commission held that the employer had committed various breaches of the Privacy Act. For instance, by not having a privacy policy in place and not issuing a valid collection notice to the employee. The Full Bench also stated that if the employee had consented to the collection of his fingerprint data under threat of termination that would not have amounted to a valid consent. As a consequence, the termination was held to be unfair and the employee succeeded in his unfair dismissal claim.

The takeout from this case is that employers seeking to obtain evidence of their employee's vaccination status ought have a privacy policy in place which specifically deals with and addresses the issue of vaccination information. For instance why the information is needed, how the information will be used and how it will be sought to be collected by the employer.

Novel questions of law could arise if an employer bound by the Privacy Act had employees who refused to provide evidence of their vaccination. If the position under the Privacy Act is that employees have an absolute right not to provide evidence of their vaccination unless they provide their informed consent then that could be regarded as a "workplace right" of the employee for the purposes of the general protections provisions of the Fair Work Act. If the employee is sacked for not providing evidence of their vaccination then the employee could conceivably bring a general protections claim asserting that they were dismissed on account or in connection with their exercise of a workplace right. General protections claims are inherently difficult for employers to defend as there is no cap on the damages which can be awarded and a reverse onus of proof applies whereby the burden is on the employer to demonstrate that they did not terminate for that prohibited reason.

If an employer bound by the Privacy Act has lawfully collected information from its employees regarding their vaccination status then from that point on then it will constitute an employee record and the "employee records" exemption in the Privacy Act will apply to the use of the information from that time on. That is the Australian Privacy Principles won't apply to the use of the information from then on. The reason why the "employee records" exemption doesn't apply at the time that the employer seeks to collect information from the employee it because it is the employee's data or sensitive health information at that time and not a record created or held by the employer.

Query what the position is if an employer does not specifically ask employees for evidence of their vaccination status but merely relies upon a government QR code system to enable or prevent access to the workplace? That is, fully vaccinated staff would be able to check in via the QR code system when arriving at the office. In this scenario, the employer is not necessarily receiving from the employee the information concerning the employee's vaccination status as the information is uploaded to the government app and not able to be accessed by the employer. However we expect most employers will wish to ask employees in advance whether they are fully vaccinated and able to return to the office. Such employers will need to be cognisant of their obligations under the Privacy Act.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.