It has become commonplace for employers to collect and store data relating to the vaccination status of their employees. When doing so, it is important for employers to be mindful of the obligations that may arise under the Privacy Act 1988 (Cth) (Privacy Act). We explain below the scope and application of the Privacy Act in respect of information about employees’ vaccination status.
Is information about vaccination status within the scope of the Privacy Act?
Australian Privacy Principles (APPs) are located in Schedule 1 of the Privacy Act, and work to govern the standards, rights and obligations around the collection, use and disclosure of personal information. Breaching an APP is considered an interference with the privacy of an individual, and can invoke regulatory action or penalties.
Information about a person’s vaccination status is considered to be personal information, and is therefore subject to the APPs. This is because information about an individual’s vaccination status falls within the meaning of ‘health information’ as defined within section 6FA of the Privacy Act. Health information is classified under the Privacy Act as ‘sensitive information’, so information about vaccination status is afforded a higher standard of protection.
Do all employers have to comply with the APPs?
The APPs apply to any ‘APP entity’, that is, any organisation or agency regulated by the Privacy Act that:
- had an annual turnover of over $3 million for the previous financial year; or
- provides a health service or otherwise holds health information; or
- discloses or collects personal information about another individual for a benefit, service or advantage; or
- is a contract service provider for a Commonwealth contract or a credit reporting body.
Registered political parties and state or territory authorities are not considered to be APP entities.
APP 3: When is it appropriate for employers to collect information about vaccination?
An APP entity may collect employee information relating to vaccination status if the collection is authorised by an Australian law, court/tribunal order, or public health order.
If the collection of information relating to vaccination status has not been authorised, an employer can only collect this information if the employee consents to its collection, and the information is reasonably necessary for the entity’s functions or activities.
If an employee does not consent to the collection of information relating to their vaccination status, an employer may still collect this information if one of the seven exemptions located in s 16A of the Privacy Act applies. For example, per exemption one, employers are able to collect information about the vaccination status of an employee where collection of the information is necessary to prevent or lessen a serious threat to the life, health, or safety of any individual, or to public health and safety.
It is important to note that employers can only collect information using lawful and fair means, and the information must come directly from the individual unless an exemption applies.