While businesses in Victoria are familiarising themselves with the recently issued Directions regarding the vaccination status of employees and customers, the privacy implications of collecting vaccination records can easily be overlooked or misunderstood.
Businesses need to be aware of privacy law requirements for collecting, using, and disclosing vaccination status information about their employees, contractors, customers/clients, and other workplace visitors. This is particularly important because health information is afforded special protections under Australian privacy laws.
Collection of vaccination information
The Victorian Government recently announced that authorised workers needed to be vaccinated to work onsite, with their first vaccine dose by Friday, 15 October and second dose by Friday, 26 November (subject to limited exceptions). As such, businesses will be required to collect vaccination information from their employees, contractors, and other visitors to site, such as the employees of trading partners.
In other circumstances, businesses are required to view and collect proof of customers’ vaccination status prior to them entering the place of business (such as a hairdresser).
Key privacy considerations
Employment law issues arising from mandatory vaccines have been widely discussed, but with the lack of precedent, employers are struggling to determine best practice. For example, can you direct an employee to get vaccinated, or stand down an employee for not complying?
Privacy considerations, however, have not received the same attention, though the compliance obligations are just as serious. Consider what might happen if an employee's or customer's vaccination information is not handled in a lawful and secure manner by the business. Given the sensitivity of the information, businesses must give genuine thought to how they are handling and storing it.
Who needs to comply with Federal legislation?
Private-sector businesses with an annual turnover of $3 million or more, and health service providers (regardless of turnover), generally owe obligations under the Privacy Act 1988 (Cth) (Federal Privacy Act). The Federal Privacy Act sets out thirteen Australian Privacy Principles (APPs) which detail how "personal information" may be collected, used, disclosed, stored and destroyed. The APPs also address how an individual may gain access to, or make complaints about, the personal information held about them.
Businesses that have obligations under the Federal Privacy Act will need to comply when collecting vaccination information about their employees or customers. As vaccination information is health information, which is "sensitive information" under the Federal Privacy Act, special rules will apply.
Obligations under State or Territory legislation
The States and Territories also have separate privacy legislation, which often imposes obligations on businesses that collect health information about individuals (e.g. in Victoria, the Health Records Act 2001 (Vic) (Victorian Health Records Act)).
Importantly, even if a business does not have obligations under the Federal Privacy Act (for example, because its annual turnover does not reach the threshold), it may still have obligations under State or Territory privacy legislation.
Practical steps for businesses
The collection of vaccination information can be a sensitive issue for many, and it is therefore imperative that businesses are mindful of their obligations. Businesses should collect, use, hold, disclose, store and destroy the information in a compliant manner. They also need to be aware of, and respond to, any concerns or queries from employees and customers alike (or from authorities and regulatory bodies).
Whilst the particular obligations may vary slightly between the Federal Privacy Act and the State or Territory privacy legislation, there are some common concepts and ‘best practice’ steps that businesses can take to support compliance:
- Seek individuals’ consent when collecting, using and disclosing their vaccination information (unless the collection is otherwise required or permitted by law).
- Only collect the minimum amount of information that is necessary for the business’ functions or activities (which may include preventing or managing the risks posed by COVID-19).
- Implement measures to protect the personal information held (for example, storing it in a controlled system rather than in ad hoc spreadsheets or email) and restrict access to those staff who need it.
- Implement measures to destroy or de-identify the personal information when it is no longer needed, and record when and how that was done.
If an individual does not provide consent to the collection of information about their vaccination status, a business may still be permitted to collect or disclose such information without the individual's consent where required or authorised by law. We recommend that you seek legal advice if you are unsure about this avenue, or about any privacy law matters.