Many businesses are still facing the ongoing effects of the COVID-19 pandemic in 2021. As the vaccine continues to rollout, businesses should ensure that they are complying with privacy law in regard to employee health information and vaccination status. The Office of the Australian Information Commissioner released a set of guidelines on 23 February 2021 outlining employer privacy obligations under the Privacy Act 1988 related to the COVID-19 vaccine. This article will summarise the privacy law guidelines on employee health information related to the COVID-19 vaccine and the privacy obligations of employers.
Can I collect information about an employee’s vaccination status?
An employee’s vaccination status is considered sensitive health information under the Australian privacy law. As such, employers can only collect information about an employee’s vaccination where:
- The collection is reasonably necessary for the functions or activities of your workplace and the employee consents to the collection, or
- The collection is required or authorised by Australian law, such as by a public health order. In these circumstances, an employee is not required to give consent. At the present stage, there are no public health orders requiring vaccination information to be collected by employers.
When will collecting employee vaccination status information be ‘reasonably necessary’?
To comply with Australian privacy law, an employer must have justifiable reasons for collecting an employee’s vaccination status information and cannot simply do so for an unspecified use. Whether collecting vaccination status information from an employee may be reasonably necessary for the functions or activities workplace will depend on:
- The industry or work sector you are in
- The contractual obligations of the employee
- The relevant workplace laws
What do I need to consider when collecting vaccination status information from employees?
If you collect vaccination status information from your employees, you must advise them how the information will be used. To comply with Australian privacy law, the information should only be used or disclosed where it is an absolute necessity.
- To comply with Australian privacy law, employers can only collect vaccination status information from employees in limited circumstances: where it is reasonably necessary for the operation of your business or when it is required by law.
- Employers must receive consent from employees before collecting their vaccination status information and the information must only be used or disclosed where it is a necessity.