Fair Work Commission Decision Supports Employers Collecting Vaccination Information On The Basis That Key Privacy Requirements Were Met

The Fair Work Commission (FWC) has handed down its decision in Construction, Forestry, Maritime, Mining and Energy Union & Ors v BHP Coal Pty Ltd T/A BHP Billiton Mitsubishi Alliance/BMA & Ors [2022] FWC 81 finding that a vaccine mandate (imposed as a site access requirement) to employees at BHP’s Queensland coal mines was (a) a lawful and reasonable direction and (b) not in breach of privacy law as regards the collection of certain sensitive information which BHP argued was necessary to implement that direction. It’s this last element (ie privacy compliance) that this article will focus on.

While we have previously seen what factors the FWC generally considers to find a vaccination mandate a lawful and reasonable direction,[1] the ‘value add’ of this decision is in relation to the FWC’s analysis of and guidance on the privacy law requirements as regards the collection of sensitive information. In particular, as regards the collecting of specific sensitive (i.e. health) information for the effective implementing of the site access requirement/vaccination mandate. In this case, the parties were not actually arguing about the lawfulness of a vaccination mandate per se but were mostly focused on the lawfulness of the collection of the relevant sensitive information by BHP to ‘implement’ the site access requirement/vaccine mandate (SAR).

Summary of facts

BHP manages 14 sites in Queensland including 12 coal mines. Many of its employees are fly‑in‑fly‑out coal mine workers who typically reside in camp style accommodation on site sharing messes and frequently using the facilities in the surrounding regional communities such as sporting facilities, retail outlets, clubs and pubs.

On 7 October 2021 the employees at BHP’s Queensland coal mines were informed of the introduction of the SAR which would be a condition of entry to the Queensland sites. This SAR required employees to (a) be fully vaccinated against COVID-19 by 31 January 2022 and (b) provide specified evidence of their vaccination status (i.e. their sensitive/health information) including, the type of vaccinations and the date they were received (VSI). It was this condition, the collection of the VSI, that was the main focus of the privacy related submissions.

The CFMMEU, CEPU and AMWU (Unions) sought a determination from the FWC as to whether the SAR was a lawful and reasonable direction having regard to (a) collection of the VSI under the Privacy Act 1988 (Cth) (Privacy Act) and (b) the right to bodily integrity. As regards the Privacy Act issue, in summary it was whether BHP was, under the Privacy Act, justified and entitled to collect the type and extent of sensitive information it specified (i.e. the VSI) in the manner it specified that such collection was to take place.

Summary of privacy submissions

The Unions submitted that the collection of the VSI was not reasonably necessary for the implementation of the SAR and was thus in breach of the Privacy Act (i.e. it was an unreasonable invasion of the privacy of employees). That is, the Unions submitted that by collecting the VSI BHP was not complying with its legal obligations under the Privacy Act in respect of the collection of sensitive information.

Other grounds advanced by the Unions included infringement of the right to bodily integrity and that the vaccine mandate underpinning the SAR had been imposed despite there already being COVID-19 control measures at the mine sites and that BHP ignored other and more effective means to control any risk presented at workplaces by COVID-19 (such as rapid antigen testing). However, as noted above and the focus of this discussion is, the primary contention put forward by the Unions was that the collection of the VSI for the purposes of the SAR breached the Privacy Act.

The CFMMEU and CEPU also submitted that the collection of the VSI with the threat that the employees would be disciplined or have their employment terminated if they did not consent to this collection vitiated any employee consent required under the Privacy Act. That is, employees should not have to (or be ‘forced’ to) consent to this collection of VSI in order to keep their jobs when there are other reasonable means to establish employee vaccination status. For example, employees should be permitted to verify their vaccination status by showing the QR Check-In App which displayed a green tick each time they entered a site to ‘prove’ their vaccination status, thus avoiding the need for the collection of the VSI by BHP.

BHP countered that the collection of sensitive information under the SAR did not violate the Privacy Act as the collection of the VSI was (a) only done with the informed consent of the employee and (b) most importantly in our opinion, necessary to lessen or prevent a serious threat to the life, health or safety of any individual or to public health and safety (i.e. to effectively implement the SAR). The collection of the VSI was also to assist BHP to detect fraudulent vax status information (of which there had been some examples) by allowing checks to occur more easily against the collected and held VSI. Finally, although not the focus of this article, BHP argued successfully that the right to bodily integrity was not violated by the SAR because the SAR did not confer authority on anyone to perform a medical procedure on anyone and did not involve coercion in the legal sense such as would vitiate an employee’s consent in this regard.

Summary of the decision

The FWC found that, in the circumstances, BHP’s collection of the VSI did not breach the Privacy Act as (a) BHP did not force employees to provide the VSI, it was still subject to employee informed consent and employees could decline to provide it (and their consent could be withdrawn at any time); and (b) the VSI was reasonably necessary for BHP to carry out its functions and activities (i.e. effectively implement the SAR). The FWC referred to these two aspects as the ‘two limbs of APP 3.3’.

The FWC also found that the proposed alternative vax status confirmation method put forward by the Unions (i.e. avoiding collection of the VSI), having employees show a green tick on their QR Check-In App each time they entered the site, would make the sites/workplace more susceptible to human error being neither safe nor reasonable for verifying vaccination status and was impracticable day-to-day. The FWC concluded that, if the Unions’ alternative was used, the SAR would cease to be effective to manage the hazards posed by COVID-19 and instead become, at best, “an exercise in putting out bushfires”.

The privacy bits

The Unions challenged on each limb of APP 3.3 being, as summarised above, (a) the attaining of informed consent and (b) that the VSI was reasonably necessary for the implementation of the SAR.

Consent issue: In essence the FWC rejected that the “threat” of disciplinary action or loss of one’s job  for refusal to provide the VSI vitiated the consent of the employees to its collection under the Privacy Ac in this case. The FWC rejected the Unions’ application of Lee v Superior Wood Pty Ltd [2019] FWCFB 2946 (Lee) in this regard noting that in Lee there was evidence of a lack of a relevant privacy policy as required by APP 1, no privacy collection notice has been provided to Mr Lee under APP 5 and there were real concerns about the security of Mr Lee’s sensitive information (i.e. his thumb print) to be held by the company. In this case the FWC found no such concerns about BHP’s privacy practices had been raised and, in addition, following Mt Arthur that it is not coercion in a legal sense where economic and/or social pressure is exerted on employees to provide the VSI and this does not vitiate the required consent under the Privacy Act of the employee obtained when providing the VSI.

Also, simply having no alternative to the provision of their VSI was not sufficient grounds to vitiate the consent obtained from the employees at the point when they provided the VSI to BHP.

Reasonably necessary issue: The FWC pointed out that consent was, of course, only one of two limbs required under the Privacy Act (ie APP 3.3) in order to collect sensitive information and proceeded to address the Unions’ concerns and arguments with respect to the second limb, whether the VSI is reasonably necessary to implement the SAR.

In reaching its decision the FWC noted that the green tick on the QR Check-In App was not appropriate for use by BHP in these circumstances as it was “designed for hospitality and retail establishments” where it was appropriate for use by random customers using the facility by choice (i.e. they were responsible to a large extent for their own safety). In contrast, mine sites were clearly workplaces under BHP’s control in relation to which there was imposed on BHP “a broad range of statutory and common law obligations to ensure the health and safety of all persons who access them”. Accordingly, in the circumstances, it was reasonably necessary for BHP to collect the VSI in order to effectively implement the SAR. Together with obtaining the informed consent of each employee who provided the VSI to BHP, the FWC was satisfied that the Privacy Act requirements for the sensitive information collected to be reasonably necessary for the relevant activity (e.g. the SAR) had been met in this case.

Whether or not one agrees with the FWC’s conclusion that the VSI was reasonably necessary for the implementation of the SAR, the FWC did consider this issue (i.e. the second limb of APP 3.3) at length when so many organisations do not. In summary, the FWC’s key findings in respect of this second limb (i.e. reasonable necessity) and our brief [comments] are as follows:

• It was not unreasonable for BHP to reject the alternative methods proposed by the Unions and employees during the consultation process and these proceedings as a way of confirming vaccination status without collecting the VSI as impracticable.
• It is the sensitive information itself that must be “reasonably necessary” under this second limb of APP 3.3. That is, it is not the “means of collection” per se that must be reasonably necessary. [Perhaps it is due to a non-privacy focus, but this is an area where we believe the FWC may have been side-tracked for no significant gain. Whether or not the relevant sensitive information being collected is reasonably necessary, privacy law (outside of APP 3.3) also regulates the method or means of such collection and does impose certain obligations to be met (e.g. lawfulness and fairness) in the collection process (or method). These requirements are not avoided by the VSI being found reasonably necessary under APP 3.3.]
• It is logical that knowledge of the vaccination types that employees have received and the dates on which those vaccines were given would inform future decisions to mitigate and manage the effects of COVID 19. For example, the FWC noted that if a new strain of the virus emerged in the future which was more responsive to a particular type of vaccine then BHP would be positioned to assess the risks to employees based on the VSI. [This is perhaps where workplace and privacy law diverge the most. Collecting information on the possibility of future events occurring is not generally permissible under privacy law. At the current time the relevant approved vaccines for which a certification is provided to reflect one is legally fully vaccinated are all those approved by the TGA and which are legally available in Australia. From a public health (as well as privacy) point of view, it may be controversial for BHP to go against the existing law in this regard and decide one or other brand of approved vaccine is not acceptable to it (i.e. does not meet the ‘fully vaccinated’ threshold in its view). Thus, if only a future possibility, this does not justify the collection of that sensitive information at this time (i.e. it is not reasonably necessary now).]
• The FWC also found that the VSI was necessary to manage both actual and potential vax status fraud. [Again, while this appears to be a plausible purpose for collection, like the “quality and training” statement with respect to recorded calls in other sectors, once the VSI has been confirmed (i.e. the relevant checks done) then there is no longer a need to keep that specific information in that form (i.e. it is no longer reasonably necessary for this purpose). Also, pursuant to APP 11.2, once the purpose of confirming whether or not the details provided are fraudulent has been fulfilled (i.e. checked) then the “reasonable necessity” for keeping the information would appear to drop away and APP 11.2 legally requires its deletion. There must be some reasonable steps taken within a reasonable time to confirm the veracity or otherwise of the VSI provided and then the VSI deleted. One cannot justify the collection of sensitive information for fraud detection on the off chance that at some time in the future one may decide to do a check of the veracity of the VIS provided by an employee. In our view, the FWC should have considered a time period by which any checks of the VSI should have been done and that thereafter the VSI be deleted in favour of some less intrusive recording in the BHP systems].
• Finally, the FWC considered that the VSI was reasonably necessary to ensure that both BHP and the employees complied with their obligations under the Coal Mining Safety and Health Act 1999 (Qld).

Key privacy conclusions

Even with employee consent for the collection of sensitive information, this case clearly confirms the Privacy Act requirement that the collection of the specific sensitive information must also be reasonably necessary (and able to be justified as such) for the relevant activity (i.e. implementing the SAR in this case).

As noted above, while not addressed in this FWC decision, it is important to apply a similar reasonable necessity test to the keeping of the relevant sensitive information beyond any consented to purpose for its collection and to keep in mind the APP 11.2 obligation to delete or de‑identify personal information once used for the stated purpose for its collection (i.e. as consented to by the employee). What is reasonably necessary today may not be reasonably necessary tomorrow (e.g. when the SAR or, hopefully, COVID-19 end). Privacy obligations never are, were or will be static (or ‘set and forget’) and an organisation’s privacy settings must be regularly revisited and updated in order to remain compliant.

Key takeaways

Privacy

• You need, at least:
  • informed consent; and
  • for it to be reasonably necessary for the relevant activity,

              to collect sensitive information from your employees.

• You should be able to justify the reasonable necessity of the collection and retention of the specific sensitive information and why less intrusive approaches are not practicable in the circumstances.
• With the collection of sensitive information comes a proportionately greater legal obligation to secure it (greater than BAU information).
• While not addressed in the decision, the collection/holding of the sensitive information will not be reasonable for ever, may not be reasonable when the circumstances change and must be part of an appropriate (and APP 11.2 compliant) document/information deletion or de‑identification program. That is, it must be deleted/de-identified once used for its consented to purpose and is no longer required by law to be kept.

Lawful and Reasonable Directions – Vaccination Mandates

This decision, which sits alongside the Mt Arthur decision, provides useful guidance generally in relation to how the FWC will consider a challenge to whether an employer’s decision to implement a mandatory vaccination policy was lawful and reasonable. As we have gleaned from these decisions, the FWC will give strong consideration to whether a direction was “lawful” and ensure compliance with all obligations, including those under the Fair Work Act 2009 (Cth), work health and safety laws (see Mt Arthur for extensive discussion regarding the obligation to consult workers on health and safety matters) and the Privacy Act. As we can see, there is a strong intersection between these disparate sources of obligation. As this decision shows, consultation also needs to involve providing information as to how sensitive health information is going to be collected and stored and the safeguards that will be put in place to ensure its security and confidentiality.

We also note the FWC’s position on other common arguments which are levelled against workplace mandatory vaccination directives, such as the argument that a mandatory vaccination directive violates the right to bodily integrity, which was not accepted.

Accordingly, ahead of implementing a mandatory vaccination policy, employers need to give serious consideration to the various sources of their legal obligations (including employment, work health and safety, privacy and anti-discrimination laws). To ensure that a defensible position is maintained, each of these obligations needs to be a primary consideration and not an afterthought.

How we can help

At Clyde & Co we have assisted numerous clients with the development and implementation of their mandatory vaccination policies together with the issues that arise under workplace, health and safety and privacy laws. Our multi-disciplinary team of health and safety, workplace and privacy lawyers can assist you to get it right the first time and/or practically and efficiently address any shortcomings in either your mandatory vaccination policy or its implementation.

Please do not hesitate to reach out if you would like to discuss an evaluation of your current mandatory vaccination policy or implementation, to assist you to develop or implement such or to assist you to deal with any concerns or complaints that have arisen with respect to such.