It's easy to overlook the privacy implications
by Kelly Dickson, Managing Principal Lawyer – Dandenong, Macpherson Kelley and Greta Walters, Lawyer, Macpherson Kelley
While businesses in Victoria are familiarising themselves with the recently issued Directions regarding the vaccination status of employees and customers, the privacy implications of collecting vaccination records can easily be overlooked or misunderstood.
Businesses need to be aware of privacy law requirements for collecting, using, and disclosing vaccination status information about their employees, contractors, customers/clients, and other workplace visitors. This is particularly important because health information is afforded special protections under Australian privacy laws.
The Victorian Government recently announced that authorised workers needed to be vaccinated to work onsite, with their first vaccine dose by Friday, 15 October and second dose by Friday, 26 November (subject to limited exceptions). As such, businesses will be required to collect vaccination information from their employees, contractors, and other visitors to site, such as the employees of trading partners.
In other circumstances, businesses are required to view and collect proof of customers’ vaccination status prior to them entering the place of business (such as a hairdresser).
Employment law issues arising from mandatory vaccines have been widely discussed but, with the lack of precedent, employers are struggling to determine best practice. For example, can you direct an employee to get vaccinated, or stand down an employee for not complying?
Privacy considerations, however, have not received the same buzz, though the compliance obligations are just as serious. Consider what might happen if an employee’s or customer’s vaccination information is not handled in a lawful and secure manner by the business. Given the sensitivity of the information, businesses must give genuine thought as to how they are handling and storing the information.
Private-sector businesses with an annual turnover of $3 million or more, and health service providers, generally owe obligations under the Federal Privacy Act 1988 (Cth) (Federal Privacy Act). The Federal Privacy Act sets out thirteen Australian Privacy Principles (APPs) which detail how “personal information” may be collected, used, disclosed, stored and destroyed. The APPs also address how an individual may gain access to, or make complaints about, the personal information held about them.
Businesses that have obligations under the Federal Privacy Act will need to comply when collecting vaccination information about their employees or customers. As vaccination information is deemed “sensitive information” under the Federal Privacy Act, special rules will apply.
The States and Territories also have separate privacy legislation, which often imposes obligations on businesses that collect health information about individuals (e.g. in Victoria, the Health Records Act 2001 (Vic) (Victorian Health Records Act)).
Importantly, if a business does not have obligations under the Federal Privacy Act (if its annual turnover does not reach the threshold), it still may have obligations under State or Territory privacy legislation.
The collection of vaccination information can be a sensitive issue for many and it is therefore imperative that businesses are mindful of their obligations. Businesses should collect, use, hold, disclose, store and destroy the information in a compliant manner. They need to be aware of and respond to any concerns or queries from employees and customers alike (or even authorities and regulatory bodies).
Whilst the particular obligations may vary slightly between the Federal Privacy Act and the State or Territory privacy legislation, there are some common concepts and ‘best practice’ steps that businesses can take to support compliance:
If an individual does not provide consent to the collection of information about their vaccination status, a business still may be permitted to collect or disclose such information without the individual’s consent where required or authorised by law. All things considered, we recommend that you seek legal advice if you are unsure about this avenue, or any privacy law matters.