The COVID-19 pandemic has caused many employers across Australia to take a hard look at their employment policies. The scale and type of disruption to businesses has been unpredictable, requiring employers to be adaptable and ultimately engage in an ongoing game of catchup.
Staying ahead of the vaccine and your privacy obligations
With the imminent introduction of the COVID-19 vaccine into workplaces across Australia, it is important for employers to know that their privacy obligations will extend accordingly to employee information related to the vaccine.
Recently, the Office of the Australian Information Commissioner (OAIC) has issued privacy guidance to clarify the effects of the existing Privacy Act 1988 (Cth) (Privacy Act) on employer’s obligations relating to the collection, use, storage and disclosure of employee health information. The OAIC has stated that privacy is just one of the factors that employers should consider when asking employees about the COVID-19 vaccine.
- Employers will only be able to collect information about an employee’s vaccination status in very limited circumstances;
- Only the minimum amount of personal information reasonably necessary to maintain a safe workplace should be collected, used or disclosed;
- Vaccination status information may only be collected if the employee consents and the collection is reasonably necessary for the entity’s functions and activities, unless an exception applies;
- One exception that may allow collection without an employee’s consent is circumstances where the collection is required or authorised by law;
- If vaccination status information is collected, the entity must advise employees’ how this information will be handled;
- Vaccination status information should only be used or disclosed on a “need-to-know” basis; and,
- Entities should ensure they take reasonable steps to keep employee vaccination status and related health information secure.
Essentially, the Privacy Act will continue to permit critical information sharing to ensure employers can adequately meet their obligations, such as to maintain a safe workplace. The OAIC suggests that employers merely limit the collection, use and disclosure of personal information to what is necessary to prevent and manage COVID-19.
Importantly, this will not prevent employers from continuing to implement appropriate controls in the workplace where there is any risk due to COVID-19. From a practical perspective, employers should already have appropriate policies and practices in place to handle employee health information. If not, there may be significant financial penalties imposed on an employer who breaches employee privacy.
If you have any questions about how to manage the introduction of the vaccination into your workplace, please do not hesitate to contact a member of Coleman Greig’s Employment Law Team, who would be more than happy to assist you today.