Many clients have asked for advice about the collection of employees’ vaccination information. Recent commentary and Fair Work Commission decisions have also recognised that there are complicated privacy obligations regarding this information. This EMA Note provides a summary and some guidance on rights and obligations regarding vaccination information for organisations that are covered by the Privacy Act 1988 (Cth).
This is a complex area and this note cannot be relied upon in place of specific advice. We have provided some links to relevant guidance from the Office of the Australian Information Commissioner (“OAIC”). We recommend, in addition to reviewing this note and the OAIC’s relevant guidance, that you seek legal advice if you are unsure about your organisation’s rights and obligations in relation to the collection of information about an individual’s vaccination status.
This note is specific to rights and obligations under the Privacy Act. To determine whether you are covered by the Privacy Act, we recommend you speak with a privacy lawyer or read the Office of the Australian Information Commissioner's general guidance on rights and responsibilities under the Privacy Act. A company's rights and obligations under the Privacy Act in relation to an individual's vaccination status will vary depending on the reason for requesting an employee's vaccination status. This note focuses on the following two reasons:
that the organisation is required by a government direction or public health order to collect evidence about an employee’s vaccination status for the employee to perform work; and
that the organisation has implemented, or is seeking to implement, its own internal policy to manage COVID-19 under workplace health and safety laws.
VACCINATION STATUS IS SENSITIVE
Vaccination status is likely ‘health information’ under section 6FA of the Privacy Act, being personal information about an individual’s health and a health service that has been provided to them. Health information about an individual constitutes ‘sensitive information’, for which there are strict protections and requirements under the Privacy Act. In general, an organisation can only collect sensitive information from an individual if the individual consents and the information is reasonably necessary for one or more of the organisation’s functions or activities. There are various exemptions that apply, only one of which is described in this note (in relation to government directions and public health orders). If you want to determine whether an exemption applies to your organisation, you should seek legal advice.
GOVERNMENT DIRECTIONS AND PUBLIC HEALTH ORDERS
If a state or territory government direction or public health order applies to an organisation and requires the organisation to collect an individual’s vaccination information, the direction will ordinarily set out what specific information must be collected. In that case, the collection of the information is likely authorised by the Privacy Act, as it will be ‘required or authorised by or under an Australian law’. It is crucial for organisations to carefully read any directions that apply to them. If the organisation is unsure what evidence is required under a direction, they should contact the relevant state regulator or seek legal advice. COMPANY POLICIES Things become more complicated if a company is relying on its own internal policy rather than a state or territory government direction. Vaccination status – general In general, not only must an employee consent to providing the information, but the information must also be reasonably necessary for the organisation to perform one of its functions or activities. Therefore, if an organisation wants to collect vaccination status merely out of curiosity or without any real plan or direction, it is unlikely to be authorised by the Privacy Act even if the individual consents. If an employer needs to collect vaccination information about employees to comply with or implement a workplace health and safety policy, the collection may then be valid. Complications may arise where employees do not consent to the collection of sensitive information, and questions may then arise as to whether a requirement to provide evidence of vaccination status is a ‘reasonable and lawful direction’. In Construction, Forestry, Maritime, Mining and Energy Union v Mt Arthur Coal Pty Ltd the Fair Work Commission recently set out some of the considerations when determining whether such a requirement would be reasonable and lawful in a COVID vaccination context. For employees, once a record has been obtained, it will likely fall within the general ‘employee records’ exemption of the Privacy Act, but this will not occur until the record is held—that is, the exemption does not appear to apply to the collection of sensitive information because until the information is collected, it is not held as a record. For general guidance on your obligations to your employees in relation to the collection of vaccination information, see the OAIC’s guidance on privacy obligations for employers. If employees have queries, an organisation can usefully also direct the employees to the OAIC’s guidance on employees’ privacy rights in relation to COVID-19. What evidence can be collected and the issue of individual health identifiers If an organisation has determined that it reasonably requires evidence of vaccination status of an individual in accordance with a workplace health and safety policy, it must then also determine what evidence it can require from individuals. As described above, an organisation can only require vaccination information that is reasonably necessary for the performance of the organisation’s functions or activities. Therefore, the organisation will likely be able to go no further than collecting information necessary to confirm an individual’s vaccination status. The way in which the organisation collects the information must also comply with the Australian Privacy Principles. Vaccination certificates provided by Medicare include an individual’s ‘individual healthcare identifier’. This is a unique identifier used for health service providers so they can access patients’ health records. It is very unlikely that it would be reasonably necessary for an employer to require this information. For general information about the individual health care identifier, from a privacy perspective, please see the OAIC’s guidance. Recently, the Australian Licensed Aircraft Engineers Association and Virgin Airlines agreed before the Federal Court that Virgin would delete all vaccination documents it held and find alternative means to collect evidence of vaccination status that did not include employees’ individual health identifiers. In general, to comply with your privacy obligations, we recommend going no further than reasonably necessary to collect vaccination status. Simple options could include (for example only):
viewing an individual’s vaccination certificate, record of receiving vaccinations, or digital vaccination certificate (for example on a linked COVID-19 check-in app) and recording only the individual’s name and their vaccination status;
collecting a copy of an individual’s vaccination certificate with information that the organisation does not need (such as the individual health identifier, the specific vaccine received, etc) redacted; or
collecting a screenshot copy of the digital certificate available from Medicare for use on Covid check-in apps.
While employee records, from this point, will likely be exempt from the requirements of the Australian Privacy Principles under the 'employee records' exemption, we still recommend these records are stored and secured in the same secure way that non-employee records would be stored and secured. For individuals who are not employees (for example, contractors, clients, and service providers), additional obligations apply regarding the storage, use, and disclosure of the information. The OAIC provides useful guidance on how business should collect and handle clients' and visitors' COVID-19 vaccination information. Require further information/assistance? This is a complicated area of the law. Organisations must remember that the purpose of the Privacy Act and its rules are to safeguard and provide certainty around an individual’s personal information. We recommend organisations review the OAIC’s website to guide how they collect, store, and use individuals’ personal information and seek advice from a specialist in privacy law where they are unsure of their obligations. If you require further information or advice in relation to employees, please contact your Consultant.
 Privacy Act 1988 (Cth) s 6 (definition of 'sensitive information') ("Privacy Act").  Privacy Act sch 1 cl 3.3.  Privacy Act sch 1 cl 3.4(a).   FWCFB 6059 , 3 December 2021  See Lee v Superior Wood Pty Ltd  FWCFB 2946.  Order of Perry J in Australian Licensed Aircraft Engineers Association v Virgin Australia Airlines Pty Ltd (Federal Court of Australia, NSD1040/2021, 30 November 2021).
EMA Consulting is not a law firm and therefore does not provide legal advice or services. The information contained within this document and associated material is general in nature and should not be relied upon. If you require specific advice on a particular matter, we recommend that you contact EMA Consulting on 08 8203 1700. Subject to the matter at hand, your EMAC Consultant may recommend that you obtain formal legal advice. If formal legal advice is required, upon your written instruction EMAC will brief your matter to a legal practitioner for this purpose. The contents of this document and associated materials do not represent legal advice.