close button

Vaccination Status – A Privacy Dilemma for Employers?

As the Australian vaccine roll-out continues, and employers are contemplating a return to the workplace for many of their employees, employers may wish to ask their employees whether they have received the COVID-19 vaccine.

Before doing so, organisations which are required to comply with the Privacy Act1 should make sure they are aware of their obligations when collecting information regarding the 'vaccination status' of their employees.  Although such records may be exempt from the Privacy Act as ‘employee records’, the request and collection of that information will still need to comply, as will any records in respect of volunteers, contractors or anyone other than ‘employees’.

Example scenarios

Scenario A: Employer in an industry where workers are required by law to be vaccinated

Depending on the legal obligations on the employer, the employer may be legally permitted to obtain and record vaccination status information regardless of the employee’s consent.

Scenario B: Employer seeks vaccination status information as part of a WH&S Risk Assessment

In some cases, employers may seek to collect vaccination status information as part of conducting a risk assessment regarding a return to work for employees. Employers must still comply with Australian Privacy Principle 3 in doing so.  Depending on the particular facts, the consent of the employees may not be needed and the employer may be entitled to take disciplinary action against employees who refuse to provide this information.

Scenario C: Employer wishes to collect vaccination status information but is not proposing to implement any action as a result of that information

In this case, it may be difficult to justify that the collection of the vaccination status is reasonably necessary for the employer’s business functions because the information is not being collected and used for a particular activity. It may also be difficult to take any disciplinary action against employees who refuse to provide their vaccination status under this situation.

Some of the factors influencing an employer’s obligation or ability to collect and record an employee’s vaccination status are discussed below.

Sensitive information

An employee’s vaccination status (including reasons for choosing not to have the COVID-19 vaccination) is health information which is considered sensitive information under the Privacy Act, and is given a higher level of protection than other personal information.

Except for limited exceptions, the Privacy Act specifies that employers may only collect sensitive information if both of the following are true:

  • the employee consents to the collection of the information; and
  • the collection is reasonably necessary for the employer to perform one or more of its functions or activities2.

Any sensitive information that is collected must be the minimum necessary for the relevant purpose and must be destroyed when it is no longer needed for that purpose.

Process to obtain consent

An employee's consent to the collection of their information must be freely and voluntarily given. This means that the employer must ensure that the employee is:

  • adequately informed and understands why the employer needs to collect this information and what it will be used for and provide other information as may be required by Australian Privacy Principle 5, which will depend on the circumstances of each employer.  Ideally, this information should be set out in a privacy statement that is given to the employee; and
  • given a genuine opportunity to provide or withhold consent without feeling pressured or obligated to do so and without the threat of repercussions if they do not consent.  A blanket threat of termination may vitiate that consent.3

Is the collection reasonably necessary?

When determining if the collection of the vaccination status is reasonably necessary for a particular function or activity (for example, the prevention of a COVID-19 outbreak) several factors should be considered, such as the public health advice available at the time, government regulations and the applicable workplace health and safety laws.

Exceptions to the obligation to obtain consent

Employers may be permitted to collect sensitive information even without the employee’s consent if the collection is required or authorised by law. For example, where an employer in a certain industry (such as residential aged care) is required to confirm their workers’ compliance with a government mandates that workers in that industry be vaccinated. Employers should ensure that they monitor new developments regarding the COVID-19 pandemic and any obligations to collect information regarding the vaccination status of their employees.

Employers also have a legal obligation to provide a safe work environment.  Where it is reasonable to do so, employers may need to assess its employee’s vaccination rate as part of that obligation, such as to conduct and implement the results of a risk assessment.  In this case, the consent of the individual employees may not be required.

Some other limited exceptions apply, including where it is both unreasonable to obtain the employee’s consent and it is necessary to lessen or prevent a serious threat to public health or safety.  Whether an employer falls within this category will depend on the relevant facts.

Employee records exception

Once an employer has collected the information, the employee records exception in the Privacy Act4 may apply if the employer is a private sector employer, which means that the employer will not need to comply with the Australian Privacy Principles in respect of such information.

The employee records exemption applies to personal information:

  • after it has been lawfully collected;
  • that is directly related to the current or former employment relationship; and
  • which is held in an employee record.

It is important to note that the employee records exemption does not apply to prospective employees, volunteers, contractors and sub-contractors.

Best practice

Regardless of whether the employee record exemption applies, employers are encouraged to maintain best practices when handling personal information of their employees. This includes:

  • managing personal information in an open and transparent manner;
  • keeping personal information secure;
  • keeping personal information up to date;
  • deleting personal information when it is no longer needed; and
  • only using or disclosing the information for the purposes for which it was collected.

If you require any assistance relating to your privacy or employment obligations in respect of COVID-19 vaccinations, please contact Alex Ninis (Partner), Sarah Gilkes (Partner) or James Simpson (Partner).

Written by Marcus Hannah and Ben Cameron.


1Privacy Act 1988 (Cth)

2Australian Privacy Principle 3

3Jeremy Lee v Superior Wood Pty Ltd [2019] FWCFB 2946

4Section 7B