COVID-19 vaccine information for employers: privacy and employment law

With the first phase of the COVID-19 vaccination rollout now underway in Australia recently, employers may have queries as to how it will affect them. Two main queries are whether employers can require employees to get the vaccination, and what are the employer’s obligations surrounding employee privacy.

Can employers require employees to receive the COVID-19 vaccine?

For now, the answer is “probably not, but it depends”. We recommend that employers request, rather than direct, that employees be vaccinated and lead by example.

There are limited circumstances where an employer could lawfully require their employees to be vaccinated against COVID-19, and there is no “one size fits all” solution. The main situations where employers could require employees to be vaccinated are outlined below:

1 – If a specific law requires employees to be vaccinated:
Currently no such law exists, and the Federal Government’s vaccination policy states that the COVID-19 vaccine will not be mandatory. This position seems unlikely to change.

SafeWork Australia has also published information to the effect that employers could not rely on WHS duties as a basis for requiring workers to be vaccinated.

It is more likely that a state or territory government may make a public health order requiring the vaccination of employees in particular workplaces identified as being at high risk.

If this occurs, employers could rely on these orders to require vaccinations from those employees covered by the relevant order. However, there is currently no indication that the Tasmanian state government intends to make such an order.

2 – If there is an enforceable contractual provision requiring vaccination:
Existing contractual terms could require employees to be vaccinated against COVID-19, however, the individual circumstances will still need to be considered. Employers would not be able to rely on a term that refers to other types of vaccinations, such as influenza. To be enforceable, a contractual term that requires vaccination against COVID-19 must not offend an anti-discrimination law. This includes not discriminating where an employee is unable to receive the vaccine due to a medical condition.

3 – If it is ‘lawful and reasonable’ to direct employees to be vaccinated:
If there is no applicable law or contractual provision that provides for the employer to require vaccination, the question is then whether a direction to be vaccinated for COVID-19 is a ‘reasonable and lawful direction’.

To be lawful, the direction must comply with the law, for example anti-discrimination legislation as outlined above.

Whether a direction is reasonable can only be assessed on a case-by-case basis. The COVID-19 pandemic alone may not make it reasonable for an employer to direct their employees to be vaccinated. Factors that may make a direction more reasonable include the nature of the workplace, requirements of the employee’s role, whether alternative arrangements are available, and the vulnerability of clients and customers.

What are an employer’s obligations under privacy legislation?

An employee’s vaccination status is considered ‘sensitive information’ under the Privacy Act 1988 (Cth) (Privacy Act). Accordingly, employers have obligations under privacy legislation regarding employee vaccination information.

For private sector employers, the employee records exemption will apply to the handling of an employee’s personal information (including health information) after it has been lawfully collected, where:

  • the information forms part of an employee record; and
  • the handling of the information is directly related to a current or former employment relationship.

When this exemption applies, private sector employers will not have obligations under the Privacy Act when handling employee vaccination information.

However, to ensure that employee information is collected lawfully, private sector employers must:

  • collect the information using fair and lawful means (for example, not use intimidation or deception to obtain an employee’s vaccination status);
  • be transparent with employees about the reason for collecting the information; and
  • take reasonable steps to notify employees of the purpose of collection and the ways in which their vaccination information may be used or disclosed.

Despite the employee records exemption applying after the employee’s information has been lawfully collected, the Office of the Australian Information Commissioner (OAIC) recommends that it is best practice for private sector employers to:

  • only collect, use and disclose the minimum amount of personal information necessary to prevent and manage COVID-19 in the workplace;
  • obtain consent from employees; and
  • take reasonable steps to keep employee vaccination status and related information secure.

The employee records exemption does not apply to prospective employees, contractors, sub-contractors and volunteers. Employers must comply with the Privacy Act when dealing with the personal information (including vaccination status information) of these individuals.

If you have any queries or would like further information regarding this article, please contact:

Kathryn Speed
M: 0408 446 013

Joe Mullavey
M: 0416 794 061

Ella Wade
T: (03) 6235 5161

Published: 3 March 2021

Copyright © 2023 Page Seager. Privacy Statement Privacy Policy Page Seager Commitments and Policies