The Fair Work Commission (FWC) has handed down its decision in Construction, Forestry, Maritime, Mining and Energy Union & Ors v BHP Coal Pty Ltd T/A BHP Billiton Mitsubishi Alliance/BMA & Ors  FWC 81 finding that a vaccine mandate (imposed as a site access requirement) to employees at BHP’s Queensland coal mines was (a) a lawful and reasonable direction and (b) not in breach of privacy law as regards the collection of certain sensitive information which BHP argued was necessary to implement that direction. It’s this last element (ie privacy compliance) that this article will focus on.
While we have previously seen what factors the FWC generally considers to find a vaccination mandate a lawful and reasonable direction, the ‘value add’ of this decision is in relation to the FWC’s analysis of and guidance on the privacy law requirements as regards the collection of sensitive information. In particular, as regards the collecting of specific sensitive (i.e. health) information for the effective implementing of the site access requirement/vaccination mandate. In this case, the parties were not actually arguing about the lawfulness of a vaccination mandate per se but were mostly focused on the lawfulness of the collection of the relevant sensitive information by BHP to ‘implement’ the site access requirement/vaccine mandate (SAR).
BHP manages 14 sites in Queensland including 12 coal mines. Many of its employees are fly‑in‑fly‑out coal mine workers who typically reside in camp style accommodation on site sharing messes and frequently using the facilities in the surrounding regional communities such as sporting facilities, retail outlets, clubs and pubs.
On 7 October 2021 the employees at BHP’s Queensland coal mines were informed of the introduction of the SAR which would be a condition of entry to the Queensland sites. This SAR required employees to (a) be fully vaccinated against COVID-19 by 31 January 2022 and (b) provide specified evidence of their vaccination status (i.e. their sensitive/health information) including, the type of vaccinations and the date they were received (VSI). It was this condition, the collection of the VSI, that was the main focus of the privacy related submissions.
The CFMMEU, CEPU and AMWU (Unions) sought a determination from the FWC as to whether the SAR was a lawful and reasonable direction having regard to (a) collection of the VSI under the Privacy Act 1988 (Cth) (Privacy Act) and (b) the right to bodily integrity. As regards the Privacy Act issue, in summary it was whether BHP was, under the Privacy Act, justified and entitled to collect the type and extent of sensitive information it specified (i.e. the VSI) in the manner it specified that such collection was to take place.
The Unions submitted that the collection of the VSI was not reasonably necessary for the implementation of the SAR and was thus in breach of the Privacy Act (i.e. it was an unreasonable invasion of the privacy of employees). That is, the Unions submitted that by collecting the VSI BHP was not complying with its legal obligations under the Privacy Act in respect of the collection of sensitive information.
Other grounds advanced by the Unions included infringement of the right to bodily integrity and that the vaccine mandate underpinning the SAR had been imposed despite there already being COVID-19 control measures at the mine sites and that BHP ignored other and more effective means to control any risk presented at workplaces by COVID-19 (such as rapid antigen testing). However, as noted above and the focus of this discussion is, the primary contention put forward by the Unions was that the collection of the VSI for the purposes of the SAR breached the Privacy Act.
The CFMMEU and CEPU also submitted that the collection of the VSI with the threat that the employees would be disciplined or have their employment terminated if they did not consent to this collection vitiated any employee consent required under the Privacy Act. That is, employees should not have to (or be ‘forced’ to) consent to this collection of VSI in order to keep their jobs when there are other reasonable means to establish employee vaccination status. For example, employees should be permitted to verify their vaccination status by showing the QR Check-In App which displayed a green tick each time they entered a site to ‘prove’ their vaccination status, thus avoiding the need for the collection of the VSI by BHP.
BHP countered that the collection of sensitive information under the SAR did not violate the Privacy Act as the collection of the VSI was (a) only done with the informed consent of the employee and (b) most importantly in our opinion, necessary to lessen or prevent a serious threat to the life, health or safety of any individual or to public health and safety (i.e. to effectively implement the SAR). The collection of the VSI was also to assist BHP to detect fraudulent vax status information (of which there had been some examples) by allowing checks to occur more easily against the collected and held VSI. Finally, although not the focus of this article, BHP argued successfully that the right to bodily integrity was not violated by the SAR because the SAR did not confer authority on anyone to perform a medical procedure on anyone and did not involve coercion in the legal sense such as would vitiate an employee’s consent in this regard.
The FWC found that, in the circumstances, BHP’s collection of the VSI did not breach the Privacy Act as (a) BHP did not force employees to provide the VSI, it was still subject to employee informed consent and employees could decline to provide it (and their consent could be withdrawn at any time); and (b) the VSI was reasonably necessary for BHP to carry out its functions and activities (i.e. effectively implement the SAR). The FWC referred to these two aspects as the ‘two limbs of APP 3.3’.
The FWC also found that the proposed alternative vax status confirmation method put forward by the Unions (i.e. avoiding collection of the VSI), having employees show a green tick on their QR Check-In App each time they entered the site, would make the sites/workplace more susceptible to human error being neither safe nor reasonable for verifying vaccination status and was impracticable day-to-day. The FWC concluded that, if the Unions’ alternative was used, the SAR would cease to be effective to manage the hazards posed by COVID-19 and instead become, at best, “an exercise in putting out bushfires”.
The Unions challenged on each limb of APP 3.3 being, as summarised above, (a) the attaining of informed consent and (b) that the VSI was reasonably necessary for the implementation of the SAR.
Also, simply having no alternative to the provision of their VSI was not sufficient grounds to vitiate the consent obtained from the employees at the point when they provided the VSI to BHP.
Reasonably necessary issue: The FWC pointed out that consent was, of course, only one of two limbs required under the Privacy Act (ie APP 3.3) in order to collect sensitive information and proceeded to address the Unions’ concerns and arguments with respect to the second limb, whether the VSI is reasonably necessary to implement the SAR.
In reaching its decision the FWC noted that the green tick on the QR Check-In App was not appropriate for use by BHP in these circumstances as it was “designed for hospitality and retail establishments” where it was appropriate for use by random customers using the facility by choice (i.e. they were responsible to a large extent for their own safety). In contrast, mine sites were clearly workplaces under BHP’s control in relation to which there was imposed on BHP “a broad range of statutory and common law obligations to ensure the health and safety of all persons who access them”. Accordingly, in the circumstances, it was reasonably necessary for BHP to collect the VSI in order to effectively implement the SAR. Together with obtaining the informed consent of each employee who provided the VSI to BHP, the FWC was satisfied that the Privacy Act requirements for the sensitive information collected to be reasonably necessary for the relevant activity (e.g. the SAR) had been met in this case.
Whether or not one agrees with the FWC’s conclusion that the VSI was reasonably necessary for the implementation of the SAR, the FWC did consider this issue (i.e. the second limb of APP 3.3) at length when so many organisations do not. In summary, the FWC’s key findings in respect of this second limb (i.e. reasonable necessity) and our brief [comments] are as follows:
Even with employee consent for the collection of sensitive information, this case clearly confirms the Privacy Act requirement that the collection of the specific sensitive information must also be reasonably necessary (and able to be justified as such) for the relevant activity (i.e. implementing the SAR in this case).
As noted above, while not addressed in this FWC decision, it is important to apply a similar reasonable necessity test to the keeping of the relevant sensitive information beyond any consented to purpose for its collection and to keep in mind the APP 11.2 obligation to delete or de‑identify personal information once used for the stated purpose for its collection (i.e. as consented to by the employee). What is reasonably necessary today may not be reasonably necessary tomorrow (e.g. when the SAR or, hopefully, COVID-19 end). Privacy obligations never are, were or will be static (or ‘set and forget’) and an organisation’s privacy settings must be regularly revisited and updated in order to remain compliant.
to collect sensitive information from your employees.
Lawful and Reasonable Directions – Vaccination Mandates
This decision, which sits alongside the Mt Arthur decision, provides useful guidance generally in relation to how the FWC will consider a challenge to whether an employer’s decision to implement a mandatory vaccination policy was lawful and reasonable. As we have gleaned from these decisions, the FWC will give strong consideration to whether a direction was “lawful” and ensure compliance with all obligations, including those under the Fair Work Act 2009 (Cth), work health and safety laws (see Mt Arthur for extensive discussion regarding the obligation to consult workers on health and safety matters) and the Privacy Act. As we can see, there is a strong intersection between these disparate sources of obligation. As this decision shows, consultation also needs to involve providing information as to how sensitive health information is going to be collected and stored and the safeguards that will be put in place to ensure its security and confidentiality.
We also note the FWC’s position on other common arguments which are levelled against workplace mandatory vaccination directives, such as the argument that a mandatory vaccination directive violates the right to bodily integrity, which was not accepted.
Accordingly, ahead of implementing a mandatory vaccination policy, employers need to give serious consideration to the various sources of their legal obligations (including employment, work health and safety, privacy and anti-discrimination laws). To ensure that a defensible position is maintained, each of these obligations needs to be a primary consideration and not an afterthought.
At Clyde & Co we have assisted numerous clients with the development and implementation of their mandatory vaccination policies together with the issues that arise under workplace, health and safety and privacy laws. Our multi-disciplinary team of health and safety, workplace and privacy lawyers can assist you to get it right the first time and/or practically and efficiently address any shortcomings in either your mandatory vaccination policy or its implementation.
Please do not hesitate to reach out if you would like to discuss an evaluation of your current mandatory vaccination policy or implementation, to assist you to develop or implement such or to assist you to deal with any concerns or complaints that have arisen with respect to such.