Can a business keep records about their workers’ vaccination status?

Businesses with an annual turnover of $3 million or less are exempt from the Australian Privacy Principles (APP) legislated under the Privacy Act 1998 (Cth) (Privacy Act). For everyone else, vaccination information is “collected” for the purposes of the APPs if it is included in an employee record, such as a copy of their immunisation certificate or a tick box on their file.

Businesses need to remember that the employee records exemption does not apply when a business is collecting an employee’s vaccination information which means in most cases the employer will need prior valid consent: Jeremy Lee v Superior Wood Pty Ltd [2019] FWCFB 2946.

Valid Consent

To seek valid consent, the employer should ensure that consent is:

  • reasonably necessary in relation to the entity’s functions and activities e.g. staff frequently work with clients who are vulnerable
  • supported by adequate information to staff
  • voluntary
  • current and specific
  • understood by the impacted staff

It appears that some businesses are proactively recruiting new staff on an employment or services contract that lawfully requires the provision of vaccination information as a condition of employment or engagement. It is likely that many more businesses going forward will include such clauses for new staff. When doing so, these businesses should ensure that they have obtained valid consent.

Moreover, mandated collections of information should be carefully managed to avoid legal claims by staff for unfair dismissal, discrimination and possibly as adverse action under general protections laws. While the Privacy Act is not a “workplace law”, an employee may potentially make a complaint in relation to his or her employment: s 341(1)(c)(ii), Fair Work Act 2009 (Cth) and allege that they have been treated adversely because of that complaint.

If a business decides to collect vaccination information by seeking consent, it should ensure that it is transparent about the reasons for its collection and the use of that information by notifying the affected staff:

  • of its reasons for collecting the information;
  • of the consequences of refusing to provide the information;
  • if the collection is required or authorised by law;
  • how the information will be used or disclosed; and
  • how concerns will be dealt with.

The safest strategy is to obtain express consent from staff.

Benefits and Incentives

In business circumstances where vaccination is not mandated, businesses may face difficulties to get consent from all staff, so it may be easier to encourage consent to the collection of vaccination information as part of a work-provided vaccination benefit or incentive.

But beware. Any offers of benefits or rewards to vaccinated staff are subject to strict conditions. For example, offers may only be made to staff who are partly or fully vaccinated in accordance with Australian government requirements, staff must not participate except on the advice of a health practitioner, and the offer must not promote a particular vaccine.

Ultimately, when deciding whether vaccination information is going to be collected, a business should first consider why it wishes to do so, and whether it is really necessary.

Julian Roffe

Practice Manager

Ezra Legal

Categories: Blog

Leave a Comment

Your email address will not be published.

Scroll to Top