As protection against COVID-19 is becoming more of a tangible reality, it brings with it a hopeful path forward to end the pandemic. We know that vaccines produce protection against the disease as a result of developing an immune response to the virus. There is also the likely added benefit of being less infectious and this means people who are vaccinated are also protecting those around them. Since employers have a duty of care to their workers and others to ensure their health and safety so far as is reasonably practicable, vaccinations are one important control mechanism as people start to return to their workplaces. Having workers vaccinated is one effective way to collectively minimise the risks associated with COVID-19.
However, hurdles arise when assessing an organisation’s exposure risk because who is and is not vaccinated is a relevant factor to the risk level. As crucial as vaccination status is in ensuring compliance with health and safety obligations, organisations also have obligations in relation to privacy and the collection of personal information. Under the Privacy Act 1988 (Cth) (Privacy Act), one’s vaccination status is sensitive information and attracts a higher level of privacy obligations. Generally, unless one of a few exceptions applies, these additional obligations restrict the collection and use of that information to situations where the consent of the individual has been obtained and the collection can be justified as necessary for one or more of the organisation’s functions or activities. Once collected, the obligations around the handling and security of this sensitive information are also at a higher level than for personal information that is not sensitive information. While vaccination status information is often considered exempt from the Privacy Act under the employee records exemption, this is not correct, and care must be taken to ensure compliance with the applicable legal obligations under the Privacy Act.
One step an organisation can take when managing the health and safety of workers is to consider whether vaccinations should be made mandatory so that workers are collectively benefiting from increased protection against COVID-19 as well as a likely decrease in the risk of infecting others. Mandating vaccinations is one step an organisation can take in an effort to ensure, so far as is reasonably practicable, the health and safety of workers and to ensure that other persons are not put at risk from work carried out as part of the business.
Organisations should consider whether there is any law or public health order in place which mandates that an employee must receive the COVID-19 vaccine relevant to their industry or workplace. For example, the COVID-19 Testing and Vaccination Requirements (Contact by Health Workers with Cases) Direction (which was effective from 31 March 2021 to 12 May 2021) made it mandatory that various defined health service employees and contractors had to receive the Pfizer or AstraZeneca vaccine. Currently, the general position of the Federal, State, and Territory governments is that the mandating of vaccinations for workplaces will be left to private sector businesses. Where this is the case, and there is no law or public health order, organisations should undertake a thorough and considered risk assessment as to whether mandating vaccinations would constitute a lawful and reasonable direction.
What constitutes a reasonable and lawful direction will depend on the specific circumstances relevant at the time of the direction. There are a number of factors to consider, including:
These factors also feed into an organisation’s assessment of what is reasonably practicable, which forms part of the general duty owed to workers and other persons discussed above.
Where an organisation considers that making vaccinations mandatory is a lawful and reasonable direction, it is important to be mindful of anti-discrimination laws, particularly where a worker is unable or unwilling to be vaccinated on medical or other protected grounds. Some people may have medical conditions, and others may oppose vaccines on political or religious grounds. Adverse action should not be taken against workers on the basis of a protected attribute.
Organisations should therefore undertake a risk-based approach when implementing any policy or procedure in relation to mandating COVID-19 vaccinations to ensure that any such action is formulated on the basis of a documented risk assessment and that measures are commensurate with the level of risk. Please refer to our article here where we discuss mandatory vaccinations and a risk-based approach in the context of discrimination.
The implementation of any policy mandating vaccines should involve genuine consultation with workers and follow a thought-through risk assessment process. Where a policy on mandating vaccinations is implemented, privacy considerations become relevant in determining how an organisation will verify the vaccination status of its workforce without contravening its obligations under the Privacy Act and its objectives of minimising impacts on the privacy of individuals and transparency.
The Australian Privacy Principles (APPs) (under the Privacy Act) govern how data is collected, used, and disclosed. The APPs (and the Privacy Act) generally apply to Federal public sector organisations as well as private sector businesses that have (or in a group have) an annual turnover of more than $3,000,000 or where the business is a contracted service provider to the Federal government. The APPs also apply to all credit reporting bodies, health service providers, and businesses that trade in personal information, no matter what their turnover is. Businesses obliged to comply with the APPs are known as ‘APP entities’.
An APP entity can only collect personal information if the information is reasonably necessary for one or more of the entity’s functions or activities. In addition, where sensitive information is concerned, the individual’s consent is also required for the collection, use, and disclosure of that information. As an individual’s vaccination status is ‘sensitive information’, employers cannot force an employee to provide that information or circumvent their consent, unless one of the few exemptions applies (most relevantly, where a law or court order requires or authorises collection). This adds another layer of complexity to discharging health and safety duties where you need to reasonably collect such information (as opposed to checking it), because any act or practice by an APP entity that breaches the APPs could result in significant penalties.
Guidance by the Office of the Australian Information Commissioner (OAIC), consistent with the law, stipulates that APP entities should collect as little information as possible, only where absolutely required, and accessed on a need-to-know basis, which may include the need to maintain a safe workplace. However, companies must justify why they need to collect rather than check or sight this information, especially where no law requires or authorises such collection. For example, in the recently amended Public Health (COVID-19 Additional Restrictions for Delta Outbreak) Order 2021 (NSW), an obligation was imposed on construction site occupiers to satisfy themselves that any workers from a local government area of concern have been appropriately vaccinated. This is an obligation to check the vaccination status and not an authorisation to record or collect the sensitive information. The OAIC also confirms that the employee’s consent should be obtained for collection of sensitive information. Transparency is also required by the APPs. In particular, employees should be advised why their vaccination status information is required and how it will be handled. In this regard, we suggest the use of a standalone employee vaccination status privacy collection statement.
The Fair Work Ombudsman (FWO) has also recently updated its guidance on an employer seeking to know the vaccination status of employees. In circumstances where an employer has implemented a mandatory vaccination policy for COVID-19 in accordance with a ‘lawful and reasonable direction’ discussed above, the FWO’s position is that the employer can also direct the employee to provide evidence of their vaccination. Importantly, the FWO’s position does not confirm that collection of that information is authorised. The FWO also confirms that where a business seeks to discharge its health and safety duties and does not have a mandatory vaccination policy in place, an employer may direct an employee to provide evidence of their vaccination status without raising privacy obligations if it checks rather than collects that information. That is, the employer sights this information but does not record or make a copy of it. We note the FWO’s guidance in this respect applies whether or not the business has implemented a mandatory vaccination policy.
As the FWO has reminded us, consent to collection is not required if the collection is required or authorised by law (for example, a public health order applies). However, we caution businesses to scrutinise any reliance on a law or order that may appear to authorise collection. As discussed above, the recently amended Public Health (COVID-19 Additional Restrictions for Delta Outbreak) Order 2021 (NSW) imposes an obligation to check the vaccination status and is not an authorisation to collect sensitive information. Any organisation that relies on this public health order to collect (and store) the vaccination status of workers without the consent of each individual may face legal challenges.
As discussed above, organisations should be taking a risk-based approach to their policies and procedures for COVID-19. That is, organisations should carry out privacy and risk assessments to determine the appropriate risk management method. From a practical perspective, the privacy considerations above mean that it may be a viable option for organisations to collect employees’ vaccination statuses with consent when it is done as part of discharging health and safety duties and is reasonably necessary for their functions. Once there is a good understanding of the risk levels, organisations can start to consider appropriate control measures. These could include:
Ultimately, organisations should ensure that all risk management is based on a tailored approach and that all relevant factors are taken into consideration based on the industry, workplace and types of workers concerned.
As we have highlighted above, organisations operate in a complex environment with overlapping legal regimes to consider. We can assist your business in navigating this territory in a number of ways, including:
For further information on how we can achieve the above for your organisation, or for any other assistance, please contact Kiri Jervis (details below) or your usual Clyde & Co contact to see how we can assist you in navigating the complex legal and regulatory framework in a COVID-19 landscape.
For more information on the issues raised in this article, please join us for our webinar on Tuesday 31 August at 12.30pm.
COVID-19 – It’s not a privacy “get out of jail free” pass (but clever privacy compliance now can make you prosilient)