If an employer is an organisation subject to the Privacy Act 1988 (Cth) (which for private sector organisations must mean they have an annual turnover of not less than $3 million), the employer must not do an act or engage in a practice that breaches an Australian Privacy Principle (APP).
Complying with the APPs when collecting vaccination histories
The collection of an employee’s vaccination history brings into play APP 3.3. Vaccination history is sensitive information, and an organisation must not collect sensitive information about an individual unless the requirements set out in APP 3.3(a) and 3.3(a)(ii) are met.
Those requirements are that:
- the individual consents; and
- the information is reasonably necessary for one or more of the organisation’s functions or activities.
Exceptions are set out in APP 3.4. These are where:
- collection of the information is required or authorised by an Australian law (including public health orders or directions); and
- the organisation reasonably believes that the collection is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.
What is valid consent?
The Australian Information Commissioner has expressed the view that consent can be express (e.g. the employee indicates agreement to provide the information either in writing or by spoken words) or implied (e.g. the information is given following implementation of a requirement to do so).
In addition, according to the Commissioner, for consent to be valid, the following requirements must be met:
- the individual must be given adequate information about why it is necessary to collect the information and how it will be used;
- the individual must give consent freely and voluntarily;
- the consent must be current and specific;
- the individual must have the capacity to understand and communicate their consent; and
- the individual must have been given a genuine opportunity to provide or withhold consent, i.e. the imbalance of power in the employment relationship does not cause employees to feel pressured or obligated to provide their consent.
When is the collection reasonably necessary?
The Australian Information Commissioner states whether collection of vaccination history from employees is reasonably necessary to manage risk of COVID-19 infection in the workplace will depend on public health advice on what vaccination status information is reasonably necessary, along with applicable workplace laws and contractual obligations. If the requirement that the employee be vaccinated is a lawful and reasonable direction, the provision of evidence of their vaccination will be reasonably necessary.
Application in the Fair Work Commission (FWC)
In CFMMEU v BHP Coal (2022), unions contended – on behalf of their members at the Mt Arthur coal mine – that an employee’s consent to supply their vaccination history is vitiated by the employer’s threat that, if they do not consent, they may be disciplined or have their employment terminated.
The unions relied on a previous FWC ruling in Lee v Superior Wood (2019) that a direction in relation to the provision of sensitive information was unlawful and unreasonable because it was contrary to the Privacy Act 1988 (Cth), and stated that any consent by the employee in that case would likely have been vitiated by the threat of termination of his employment.
The FWC rejected this argument in the BHP Coal decision. Unlike the employer in the Lee case, BHP Coal had met all the other applicable APP requirements, and had extensively consulted with the unions and employees about the implementation of the requirement. Employees were not being forced to provide sensitive information. While they may be subject to economic and social pressure to meet the requirement, this is not coercion that overcomes their choice about whether or not to provide the information.
The FWC also concluded the information is reasonably necessary for, or directly related to, one or more of the organisation’s functions or activities. The requirement was being implemented to lessen or prevent a serious threat to the life, health and safety of individuals on worksites, and to public health and safety.
Find out more about the APPs in the Employment Law Practical Handbook chapter Privacy and data protection.