An employer has an obligation to provide a safe place of work for its staff and visitors. This is particularly relevant as we emerge from the fog of COVID lockdowns. Many employers will now be turning their minds to whether they should require employees to be vaccinated in order to comply with that obligation, as a few large corporations have recently announced (see our earlier article on those considerations, COVID-19: Updated Vaccination Guidelines for Employers).

Does the request for, and collection of, information on employee vaccination status put employers in breach of privacy laws?

With the government not willing to generally mandate vaccinations for workplaces, most employers are grappling with the vexed issue of how to ensure a safe place of work and not fall foul of workplace laws. The other side of that coin is the privacy issue. Employers collect many data points on their employees, but the collection of vaccination information is a new and emotive area for many.

In those sectors where vaccination is mandated by a public health order, like aged care and some health settings, an employer may collect this information without the employee’s consent and will not be in breach of privacy laws.

Where vaccination is not required by a public health order, which is the case in most office settings, this information may be collected by an employer so long as the collection is reasonably necessary for the employer’s activities or functions and consent of the employee has been obtained.

Providing a COVID-safe place of work, which arguably also protects an employer from continual disruption of lockdowns, is likely an ‘activity or function’ of most employers in the current environment, assuming the place of work is not completely distributed and involves various groups of colleagues coming together in the same office or facility. It is, therefore, open to most employers to simply ask, that is, to seek the consent of employees to collect vaccination status information. Consent must be informed and voluntary, and specific as to why and for what uses and disclosures the information is being collected.

Once an employer has lawfully collected this information, the employee records exemption in the Privacy Act 1988 (Cth) (Privacy Act) will mean, in most cases (if used and disclosed in a way that is directly related to the employment relationship), that the Australian Privacy Principles do not apply to it. Best practice, however, suggests that the information should still be kept secure and up-to-date and only for as long as it is needed.

And what if consent cannot be obtained? If it is unreasonable or impracticable to obtain consent from an employee, and the risks involved with the particular employee represent a serious threat to the health or safety of the broader workforce, then consent may not be required.

However, in a recent statement releasing a new set of ‘National COVID-19 Privacy Principles’, the Australian Privacy Commissioner, Angelene Falk, provided some much-needed clarity to employers by recognising that another way forward is possible by adopting a data minimisation approach. In determining who is and isn’t vaccinated, employers may avoid issues with privacy laws by simply sighting proof of vaccination without collecting or recording any information. In this way, the Privacy Act will not be applicable. The statement and principles from the national privacy regulators should provide confidence that businesses can provide a safe workplace while also staying on the right side of their privacy obligations.


Authors: Shelia McGregor and Melissa Fai
