With a rising number of employees claiming that asking for their vaccination status is a ‘breach of their privacy’, it is important for employers to understand their rights and obligations under the Privacy Act.
It comes as no surprise that many employers across Australia have commenced collecting their employees’ COVID‑19 vaccination status. However, on 30 November 2021, Virgin Australia entered into Federal Court consent orders to delete all proof of certain COVID-19 vaccination documents.
In this article, we explain who the Privacy Act 1988 (Cth) applies to, when employers can collect an employee’s vaccination status, and what employers must do with the information they collect.
We also discuss why Virgin Australia was required to delete all proof of COVID-19 digital certificates and Immunisation History Statements, and how employers can avoid making the same mistake.
Does the Privacy Act apply to vaccination status?
The Australian Privacy Principles (APP) in the Privacy Act apply to the collection, use and disclosure of personal information. An employee’s COVID-19 vaccination status is personal information because it constitutes health information about an identified individual that is considered sensitive information.
Who must comply with the APPs?
An employer’s organisation is an ‘APP entity’ and must comply with the APPs if it:
- had an annual turnover of over $3 million for the previous financial year
- provides a health service and holds any health information (e.g. most medical centres)
- discloses personal information about another individual for a benefit, service or advantage
- is a contracted service provider for a Commonwealth contract or a credit reporting body.
An organisation includes an individual, body corporate, partnership, other unincorporated association, or trust.
If an employer is not an APP entity, it will only need to ensure that employees have voluntarily consented to the collection and storage of their vaccination status (the below requirements will not apply).
Collecting an employee’s vaccination status (APP 3)
An employer can collect an employee’s vaccination status if the employee consents and collection is reasonably necessary for the employer’s functions or activities.
If an employee does not consent, an employer can still require collection of the employee’s vaccination status if they reasonably believe that the collection is necessary to lessen or prevent a serious threat to the life, health or safety of any individual or to public health and safety. Employers can also collect an employee’s vaccination status if collection is required or authorised by an Australian law, including a public health direction.
Notifying employees of the collection of their vaccination status (APP 5)
Before or as soon as practicable after collecting an employee’s vaccination status, employers must take reasonable steps to notify the employee of the following:
- whether the collection is required or authorised by law
- the purpose of the collection
- the consequences if the employee’s vaccination status is not collected
- how the employer may use or disclose the employee’s vaccination status
Storing an employee’s vaccination status
Once an employee’s vaccination status is collected, the ‘employee records exemption’ applies to the storage of the information. Employers can store an employee’s vaccination status on the employee’s personnel file, and the usual rules in the Privacy Act regarding the use or disclosure of, or access to, personal information do not apply.
However, as a matter of best practice, employers should still store an employee’s vaccination status securely and limit the use and disclosure of the information.
Virgin Australia deletes COVID-19 digital certificates and Immunisation History Statements
Virgin Australia required workers to prove their vaccination status with a copy of their COVID-19 digital certificate or Immunisation History Statement. These documents contained the worker’s individual healthcare identifier (IHI), which is a 16-digit number used by healthcare providers to access patient records in the My Health Record system.
The Australian Licenced Aircraft Engineers Association raised concerns about Virgin Airlines’ privacy statement, which stated that it would hold vaccination information and may use it to ‘manage our relationship with you, including payroll, rostering, disciplinary action and any workers’ compensation claims’. Collecting a worker’s IHI would enable Virgin Australia to access the worker’s medical history for these reasons.
In Federal Court consent orders, Virgin Australia agreed to delete all COVID-19 digital certificates and Immunisation History Statements that had been provided by workers and verified.
Virgin Australia agreed that in the future, if employees did not wish to provide a document containing their IHI, they could provide a screenshot of their Apple/Android wallet COVID-19 digital certificate, which does not display IHIs. Virgin Australia also agreed to delete documents within 48 hours of reviewing them and making a record of the worker’s vaccination status.
Lessons for employers
While employers can collect and store an employee’s vaccination status in some circumstances, it is important that policies and procedures comply with the Privacy Act. Employers should only collect information that is necessary to verify an employee’s vaccination status and should avoid requesting documentation containing an employee’s IHI.