An employer that seeks to implement a policy for its employees regarding COVID-19 vaccination and wearing a mask needs to understand the obligations imposed by applicable privacy laws.
Private sector employees and Commonwealth public sector employees need to have regard to their privacy obligations under the Privacy Act 1988 (Cth) (Privacy Act). State or territory government agencies (and in some cases their service providers) are required to comply with privacy laws at a state level, and will need to have regard to privacy principles under the relevant legislation in that state or territory.
A fair and effective policy about vaccinations and masks will inevitably involve the collection of information from employees about their vaccination status or, if they seek to be exempted from the policy, medical information. This personal information is in the category of sensitive health information. Privacy laws require employees to give genuine and informed consent to the collection of this information.
The Privacy Act will not apply to private sector organisations with an annual turnover of less than $3 million. If annual turnover exceeds this threshold, the Privacy Act doesn’t apply when the organisation handles personal information about a current or former employee stored in a record for a purpose directly related to the employment relationship. However, this exemption doesn’t apply to public sector agencies. Moreover, it is arguable the exemption doesn’t apply when a private sector organisation collects personal formation from an employee for inclusion in an employee record.
Why is sensitive information required?
Genuine and informed consent by an employee to the collection of their health information to support a policy about vaccinations and masks requires that the employer set out in the policy (or by other means) why the employer needs the information and the consequences if it is not collected. For example, it must be explained if the basis for the policy is:
- to meet work health and safety obligations;
- required or authorised by a public health order (which should be named);
- to meet the demand of customers or clients.
The Office of the Australian Information Commissioner has developed privacy guidance (available on its website) to assist employers with best practice methods to properly handle information once it has been collected.
Key requirements in relation to COVID-19 are:
- the sensitive medical information collected should be limited in scope to what is necessary to maintain a safe workplace;
- employers should ensure they take reasonable steps to securely store employee vaccination status records and medical evidence exempting employees from vaccination or mask wearing;
- subsequent use and disclosure of this information should be limited to when absolutely necessary;
- all information held should be reviewed and updated as required; and
- employers should monitor whether such information is still required to be maintained as public health orders and government advice change.