As an employer, should you be collecting vaccination-status data from your team?
There isn’t a simple “yes or no” answer to this question, as it depends on why you’re collecting the information, and whether it’s “reasonably necessary” to collect the information. You must have “clear and justifiable reasons” for collecting employee vaccination-status information for it to be deemed reasonably necessary. Quite simply, if you don’t have clear and justifiable reasons, you shouldn’t be collecting vaccination-status information.
Keep in mind that dismissals of staff (or prospective staff) who are not vaccinated or who do not wish to provide vaccination information may result in legal claims covering general protections, unfair dismissal and discrimination.
When considering collecting vaccination-status information, take into account these points:
- Vaccination-status information should only be acquired on a ‘need-to-know’ basis
- You must obtain consent where necessary
- You must inform employees about how their vaccination-status information will be handled
- Ensure you keep employee vaccination-status data and related health information secure.
Obtaining Consent
If you have clear and justifiable reasons to be collecting vaccination-status data from employers, the first step is obtaining consent.
You can collect vaccination-status data without consent only in circumstances where the collection is legally required. This could include an Act of the Commonwealth, State or Territory, or public health orders or directions.
Consent to collecting vaccination status information must be freely given. You must make sure that your employees understand why you need to collect this information, what you will use it for, and give them a genuine opportunity to provide or withhold consent.
Australian Privacy Laws
Make sure you don’t breach Australian privacy laws when collecting information about workers’ vaccination status. The Privacy Act 1998 (Cth) (Privacy Act) and the Australian Privacy Principles (APP) apply the collection, usage, storage and disclosure of information relating to staff vaccination status.
The Privacy Act covers Australian government agencies and private sector organisations (including all private health service providers). Some small business operators are exempt.
Although exempt businesses do not need to comply with the APPs, they have other legal obligations, as outlined in the National COVID-19 Privacy Principles (CPP), which provide a framework for government and business to guide a best-practice approach to the collection of information about vaccination status.
Individual Healthcare Identifiers
The Federal Government’s digital vaccine certificates include Individual Healthcare Identifiers (IHIs), which are unique identifying number. Because of the sensitive nature of IHIs, such information is subject to a higher standard of data security requirements.
When it comes to asking for employees’ vaccination status, employers should also be aware of obligations under the Healthcare Identifiers Act (HI Act). The HI Act regulates the use of IHIs and imposes strict criminal and civil penalties, including imprisonment, if such data is mishandled.
So, where does that leave employers who are obligated to see proof of vaccination from their employees? A simple solution is to ask employees to remove their IHI number from their vaccine certificate before providing a copy to the employer.
Employers could also sight vaccine certificates (instead of storing them), recording the time, date, and staff member who sighted it. However – this approach must comply with the requirements under the public health order that mandates vaccinations.
Vaccination-status data collection is definitely a tricky issue for employers to understand and navigate. If you’d like assistance, please get in touch with the HR Dept.