Collecting proof of vaccination – How to navigate an employer’s privacy obligations



As we emerge from COVID-19 lockdowns and return to the workplace, many employers will be turning their minds to how they can maintain a COVID-safe environment for their employees. Requiring employees to be fully vaccinated against COVID-19 is one way employers can ensure a safe place of work. However, mandating vaccination in the workplace raises vexed questions about how an employer can obtain proof of an employee’s vaccination status and whether collecting this information puts employers in breach of privacy laws. Orders made in the Federal Court of Australia, which required Virgin Australia to delete proof of certain vaccination documents, are a stark reminder for employers to remain alert to their privacy obligations. Below we navigate the intricacies of an employer’s privacy obligations and how they apply to an employee’s vaccination status.

Virgin Australia ordered to delete COVID-19 vaccination documents

On 30 November 2021 the Federal Court of Australia ordered, by consent, that Virgin Australia delete all proof of COVID-19 digital certificates and Immunisation History Statements provided by employees and verified. Virgin Australia had asked workers to prove their vaccination status with copies of their immunisation history statement or COVID-19 digital certificate. The Australian Licenced Aircraft Engineers Association commenced proceedings against Virgin Australia alleging that it was illegal under the Privacy Act 1988 (Cth) (Privacy Act) for it to collect this information. This was because the documents obtained by the airline included an employee’s Individual Healthcare Identifier (IHI) number, which is used by health professionals to verify a patient’s medical history. For these reasons, collecting an employee’s IHI would enable Virgin Australia to access the worker’s medical history.

Under the consent orders, employees could prove their vaccination via a digital card in their Apple or Android wallets that did not display an IHI. In addition, employees who previously had submitted a document with their IHI on it can substitute it for the card, and Virgin has promised not to distribute the number to any other party.

Privacy Act and Vaccination Documents

The situation faced by Virgin Australia is a stark reminder for employers to assess the type of vaccination information they collect from employees and the potential risks of a breach of privacy.

The Australian Privacy Principles (APP) contained in the Privacy Act regulate the collection, use and disclosure of personal information. All “APP entities” must comply with the APP. An APP entity includes an employer organisation with an annual turnover of over $3 million for the previous financial year. Small businesses with an annual turnover of less than $3 million must also comply with the APP if the business:

  • operates another business with a turnover of $3 million or more;
  • provides a health service or is a contracted service provider for a Commonwealth contract;
  • provides a health service and holds any health information; or
  • discloses personal information about another individual for a benefit, service or advantage.

Health information is considered “sensitive information” under the Privacy Act, and is defined as any information or opinion about:

  • a person’s health, including an illness, disability or injury;
  • a health service provided, or to be provided, to an individual; or
  • the provision of a health service to an individual.

Based on the above definition, vaccination information such as an employee’s immunisation history or information about an employee’s medical exemption is considered sensitive information.

APP 3

An employer must comply with APP 3 in order to collect sensitive information. To collect information about an employee’s vaccination status:

  • an employer should seek the consent of the employee; and
  • the information must be reasonably necessary for the employer’s functions or activities.

If consent cannot be obtained, an employer may still collect information about an employee’s vaccination status if:

  • it is unreasonable or impracticable to obtain consent;
  • the collection of the information is authorised or required by law; or
  • the collection of the information is necessary to lessen or prevent a serious threat to life, health or safety of any individual or to public health or safety.

APP 5

Before or as soon as practicable after collecting information about an employee’s vaccination status, an employer must take reasonable steps to notify the employee of certain matters including the following:

  • the employer’s identity and contact details;
  • whether the collection is required or authorised by law;
  • the purposes of collection;
  • the consequences if vaccination information is not collected;
  • how the vaccination information may be used or disclosed by the employer;
  • information about the employer’s privacy policy; and
  • whether the employer is likely to disclose personal information to overseas recipients, and if practicable, the countries where they are located.

Once an employer has lawfully collected information about an employee’s vaccination status, the information falls within the employee records exemption in the Privacy Act. This will mean that in most cases (if used and disclosed in a way that is directly related to the employment relationship), the employer does not need to comply with the APP regarding the use or disclosure of, or access to, personal information. However, the best practice is to ensure such information is stored securely, is current and only used and disclosed as is needed.

Employers should be mindful of the following key takeaways:

  • Only request the minimum information reasonably necessary to prove and verify an employee’s vaccination status.
  • Avoid requesting documents which endorse an employee’s IHI.
  • Obtain and record the employee’s consent to the collection of personal information.
  • Best practice suggests that sighting proof of vaccination without collecting or recording any information is preferred to avoid issues with breach of privacy.
  • Employers should ensure they maintain an up-to-date privacy policy which is circulated to employees.

Please contact our office for further information or a confidential discussion about your privacy obligations.

Article prepared by: Sarah Cappello, Partner, Joey Tass, Senior Associate & Margaret Gotsopoulos, Lawyer.
