It is important that employers understand their responsibilities and their employee’s rights when it comes to requesting Covid-19 vaccination status information.
The Privacy Act 1998 (Cth) regulates the way individuals’ personal information is handled. Australian Government Agencies and organisations with an annual turnover of more than $3 million have responsibilities under the Privacy Act. Organisations are defined as sole traders, body corporates, partnerships, trusts and any other incorporated associations.
What if you have an annual turnover of less than $3 million?
If you are a small business or an organisation with a turnover of less than $3 million you are exempt and do not need to comply with the Privacy Act. As a matter of best practice, we recommend that you still act in accordance with the Privacy Act when collecting employee vaccination status information.
Requesting and Collecting Employee Vaccination Status Information
An employee’s vaccination status is considered sensitive health information under the Privacy Act and high privacy protections apply. Employers should only request and collect information about an employee’s vaccination status if they are satisfied that the collection is permitted under the Australian Privacy Principle (APP) 3. For the collection to be permitted, the employee must consent to the collection, and it must be reasonably necessary for the employer’s functions or activities. For the collection to be reasonably necessary, employers must have clear and justifiable reasons. The only time vaccination status information can be requested without consent is where collection is required or authorised by law.
Notifying Employees of Collection
As an employer, if it is decided that you can collect vaccination status information, you must communicate with your employees the reason for doing so and take reasonable steps to notify employees of the matters set out in APP 5 which include:-
- The purpose and circumstances of collection;
- How the information may be used and disclosed;
- If the collection is required or authorised by law;
- The consequences if the information is not collected; and
- Information and access to the privacy policy.
As an employer you should notify your employees before collecting the information or if that is not practicable, as soon as practicable after collection occurs.
Storing Vaccination Status Information
As a private sector employer, once vaccination status information has been collected and is being held on the employee record, the employee records exemption in the Privacy Act applies in most instances. This means that the usual rules in the Privacy Act regarding the use of, or access to, personal information do not apply. An employee record is a record of information relating to employment, examples of which include health information.
However, as a matter of best privacy practice, employers should still store personal information securely, limit the use and disclosure of the information to what is necessary to prevent and manage covid-19 and regularly review whether retaining the information is required.
What now?
Employers should ensure that they act in accordance with the Privacy Act when requesting and collecting employee’s vaccination status information. A breach of an Australian Privacy Principle can lead to regulatory action and penalties.
If you require assistance with regard to your Covid-19 policies, then please contact our office for advice.
