Breaking down an employer’s ability to collect and store an employee’s vaccination status under the Privacy Act

With a growing number of employees claiming that asking for their vaccination status is an “invasion of their privacy”, it is important that employers understand their rights and obligations under the Privacy Act.

It is no surprise that many employers across Australia have started collecting the COVID‑19 vaccination status of their employees. However, on November 30, 2021, Virgin Australia entered into consent orders in the Federal Court requiring it to delete certain COVID-19 vaccination documents it had collected.

In this article, we explain who the Privacy Act 1988 (Cth) applies to, when employers can collect an employee’s vaccination status, and what employers should do with the information they collect.

We also discuss why Virgin Australia had to remove all evidence of digital COVID-19 certificates and vaccination history records, and how employers can avoid making the same mistake.

Does the Privacy Act apply to vaccination status?

The Australian Privacy Principles (APPs) in the Privacy Act apply to the collection, use and disclosure of personal information. An employee’s COVID-19 vaccination status is personal information because it is health information about an identified individual, and health information is treated as sensitive information under the Act.

Who must comply with the APPs?

An employer’s organization is an “APP entity” and must comply with the APPs if it:

  • achieved annual revenue of over $3 million in the prior fiscal year
  • provides a health service and holds health information (e.g. most medical centers)
  • discloses personal information about another person for a benefit, service or advantage
  • is a contracted service provider for a Commonwealth contract, or is a credit reporting agency.

An organization includes an individual, corporation, partnership, other unincorporated association, or trust.

If an employer is not an APP entity, it only needs to ensure that employees have voluntarily consented to the collection and retention of their vaccination status (the requirements below will not apply).

Collect the vaccination status of an employee (APP 3)

An employer may collect an employee’s vaccination status if the employee consents and the collection is reasonably necessary for the employer’s functions or activities.

If an employee does not consent, an employer may still collect the employee’s vaccination status if it reasonably believes that the collection is necessary to lessen or prevent a serious threat to the life, health or safety of an individual, or to public health or safety. Employers may also collect an employee’s vaccination status if the collection is required or authorised by Australian law, including a public health directive.

Notify employees of the collection of their vaccination status (APP 5)

Before or as soon as possible after collecting an employee’s vaccination status, employers must take reasonable steps to inform the employee of the following:

  • whether collection is required or permitted by law
  • the purpose of the collection
  • the consequences if the employee’s vaccination status is not collected
  • how the employer can use or disclose the employee’s vaccination status
  • information about the employer’s privacy policy.

Record an employee’s vaccination status

Once an employee’s vaccination status has been collected, the “employee records exemption” applies to storing the information. Employers can record an employee’s vaccination status in the employee’s personnel file, and the usual rules in the Privacy Act regarding the use or disclosure of, or access to, personal information do not apply.

However, as part of best practice, employers should always securely maintain an employee’s vaccination status and limit the use and disclosure of this information.

Virgin Australia removes digital COVID-19 certificates and vaccination history records

Virgin Australia had required workers to prove their vaccination status with a copy of their COVID-19 digital certificate or vaccination history record. These documents contain the worker’s Individual Healthcare Identifier (IHI), a 16-digit number used by healthcare providers to access patient records in the My Health Record system.

The Australian Licensed Aircraft Engineers Association raised concerns about Virgin Australia’s privacy statement, which said that the company would collect vaccination information and might use it to ‘manage our relationship with you, including payroll, registration, disciplinary action and workers’ compensation claims’. Collecting a worker’s IHI would allow Virgin Australia to access the worker’s medical history for these purposes.

In Federal Court consent orders, Virgin Australia agreed to delete all digital COVID-19 certificates and vaccination history records that had been provided by workers and verified.

Virgin Australia also agreed that, in the future, employees who do not wish to provide a document containing their IHI may instead provide a screenshot of the COVID-19 digital certificate from their Apple or Android wallet, which does not display the IHI. Virgin Australia further agreed to delete any documents provided within 48 hours of reviewing them, keeping only a record of the worker’s vaccination status.

Lessons for employers

Although employers may collect and store an employee’s vaccination status in certain circumstances, it is important that their policies and procedures comply with the Privacy Act. Employers should collect only the information necessary to verify an employee’s vaccination status and should avoid requesting documents that contain an employee’s IHI.