
Updates, Sep 16, 2021

Privacy considerations for COVID-19 risk-reduction measures

An employer that seeks to implement a policy for its employees regarding COVID-19 vaccination and wearing a mask needs to understand the obligations imposed by applicable privacy laws.

Private sector employees and Commonwealth public sector employees need to have regard to their privacy obligations under the Privacy Act 1988 (Cth) (Privacy Act). State or territory government agencies (and in some cases their service providers) are required to comply with privacy laws at a state level, and will need to have regard to privacy principles under the relevant legislation in that state or territory.

A fair and effective policy about vaccinations and masks will inevitably involve the collection of information from employees about their vaccination status or, if they seek to be exempted from the policy, medical information. This personal information is in the category of sensitive health information. Privacy laws require employees to give genuine and informed consent to the collection of this information.

The Privacy Act will not apply to private sector organisations with an annual turnover of less than $3 million. If annual turnover exceeds this threshold, the Privacy Act doesn’t apply when the organisation handles personal information about a current or former employee stored in a record for a purpose directly related to the employment relationship. However, this exemption doesn’t apply to public sector agencies. Moreover, it is arguable that the exemption doesn’t apply when a private sector organisation collects personal information from an employee for inclusion in an employee record.

Why is sensitive information required?

Genuine and informed consent by an employee to the collection of their health information to support a policy about vaccinations and masks requires that the employer set out in the policy (or by other means) why the employer needs the information and the consequences if it is not collected. For example, it must be explained if the basis for the policy is:

If a client requires that persons providing services on behalf of the employer organisation be vaccinated, and this means the vaccination status of employees is supplied to the client, the employees must be informed of this. The employees should be referred to the organisation’s privacy policy, which must comply with applicable privacy laws.

Privacy guidance

The Office of the Australian Information Commissioner has developed privacy guidance (available on its website) to assist employers with best practice methods to properly handle information once it has been collected.

Key requirements in relation to COVID-19 are:
