Employer poked and prodded over COVID-19 vaccination privacy concerns

In current COVID-19 news, vaccination status in the workplace is a topic of great debate. As some businesses enforce mandatory vaccination (for more information, see our previous alerts on this topic), it is important to take a step back and evaluate the privacy concerns that any business trying to implement a fully vaccinated workforce will inevitably face. 

Partner Hayden Delaney, Senior Associate Hannah Fas and Solicitor Tom Copley briefly look at court proceedings brought by the Australian Licensed Aircraft Engineers’ Association (ALAEA) against Virgin Australia. 

As many businesses have done, Virgin Australia had asked workers to confirm their COVID-19 vaccination status. ALAEA raised concerns that some forms of vaccination evidence (including immunisation history statements and COVID-19 digital certificates) had the potential to contain an individual healthcare identifier (IHI). An IHI is a unique 16-digit number assigned to individuals in the Australian healthcare system and used to identify a patient’s records, including their My Health Record. 

The matter ultimately settled, with Virgin Australia and ALAEA agreeing on verification methods that satisfied the union’s concerns. The agreement included a requirement that Virgin Australia delete all COVID-19 digital certificates and immunisation history statements it had collected up to that point. 

This article provides a brief overview of the privacy obligations employers need to be mindful of when navigating the murky and ever-shifting waters of COVID-19 policies and procedures.

Boost your understanding of the Privacy Act and APPs

The Australian Privacy Principles (or APPs) are set out in Schedule 1 of the Privacy Act 1988 (Cth) (Privacy Act). The APPs set out specific requirements for the collection, use, disclosure and storage of personal information by APP entities. Under the Privacy Act, an APP entity includes an individual, body corporate, partnership, trust or other unincorporated association that: 

  • is not a small business operator. Whether an organisation is a “small business operator” depends on its financial position – a small business is one with an annual turnover of $3,000,000 or less in the previous financial year; or, even if it is a small business operator, one that: 
  • provides health services and holds health information (e.g. private hospitals, medical practitioners, pharmacists, allied health providers, gyms, child care centres, private schools); 
  • sells or purchases personal information; 
  • is a contracted service provider for an Australian government contract; 
  • is a credit reporting body (e.g. providers of credit information, analysis and reports); or 
  • is a credit provider (e.g. a business that supplies goods or services where payment is deferred for seven days or more).

Small business operators that are not APP entities are not bound by the APPs, but at a minimum they should obtain the informed consent of their employees before collecting and storing employees’ sensitive information. Sensitive information includes personal information about a person’s health, racial or ethnic origin, political opinions or associations, religious beliefs, sexual orientation or criminal record. 

Even for businesses that are not APP entities, the APPs are relatively easy to understand and follow, and we generally recommend complying with them as a matter of best practice where you are able to do so. 

Employers intending to collect vaccination status information from employees must consider the application of two key APPs:

  • APP 3.3, which provides that an APP entity must not collect sensitive information about an individual unless:
    • the information is reasonably necessary for one or more of the entity’s functions or activities; and 
    • the individual has given informed consent to the collection (subject to limited exceptions); and 
  • APP 5, which requires an APP entity to take reasonable steps to notify the individual, at or before the time of collection or, if that is not practicable, as soon as practicable afterwards, that their personal information has been collected, the purposes of the collection and related matters.

Unmasking the key privacy issues 

Employees in certain industries (including domestic and international airlines) are clearly at increased risk of contracting COVID-19, and ensuring workers are fully vaccinated is a reasonable step for many employers to take in order to continue conducting business.

We understand the point of contention in this case was the scope of the information collected. The union said in a statement that it had no issue with the policy itself, but considered that the personal information Virgin Australia had initially proposed to collect exceeded what was necessary to verify employees’ vaccination status. 

In our experience advising clients in matters of this nature, other issues which are frequently raised in the collection of vaccination information include:

  • Whether individuals are providing informed consent to the collection of sensitive information in accordance with APP 3.3. That is, has the individual been adequately informed before giving consent; is the consent given voluntarily; is the consent current and specific; and does the individual have the capacity to understand and communicate their consent?
  • How the “employee records exemption” applies to the storage of employees’ COVID-19 vaccination status. In the private sector, an employer’s handling of employee records relating to current and former employment relationships is exempt from the APPs in certain circumstances – meaning the usual rules regarding the use, disclosure of, or access to personal information do not apply. There is an argument that the “employee records exemption” applies where an employer’s act or practice is directly related to both:
    • a current or former employment relationship between the employer and the individual; and
    • an employee record held by the employer relating to the individual.

Arm yourself for compliance

We recommend businesses:

  • are selective when it comes to collecting personal information, and in particular limit the collection of sensitive information (e.g. avoid requesting documentation containing an employee’s IHI); 
  • collect only what is necessary to confirm the vaccine has been administered. The more personal information an APP entity collects, the greater its responsibility for managing, storing and protecting that data, and the greater the risk that the information might be misused; 
  • consider adopting a model where the only information recorded about an employee’s vaccination status is confirmation that their proof of vaccination has been sighted (e.g. who sighted it and when), rather than a copy of the certificate itself. This minimises the amount of primary personal information collected, though a sighting-only process can be unreliable and difficult to implement; 
  • store information about an employee’s vaccination status securely, and limit the use and disclosure of the information on a “need to know” basis; and 
  • ensure their privacy documentation is transparent and specific about the collection, use and disclosure of individuals’ personal information. This protects the employer from over-stepping its stated boundaries and protects the employee’s right to privacy. 

Given the increased focus on privacy and individual rights, and the rapidly evolving nature and general inconsistency of legislation addressing COVID-19, it is very important to seek up-to-date and informed advice.

A special thanks to Tom Kelman for his assistance in putting this article together.