Employer poked and prodded over COVID-19 vaccination privacy concerns
In current COVID-19 news, vaccination status in the workplace is a topic of great debate. As some businesses enforce mandatory vaccination (for more information about this, see our previous alert here and here), it is important to take a step back and evaluate the privacy concerns that any business trying to implement a fully vaccinated workforce will inevitably face.
Partner Hayden Delaney, Senior Associates Verity Stone and Hannah Fas and Solicitor Tom Copley briefly look at court proceedings brought by the Australian Licensed Aircraft Engineers’ Association (ALAEA) against Virgin Australia.
As many businesses have done, Virgin Australia had asked workers to confirm their COVID-19 vaccination status. ALAEA raised concerns that some forms of vaccination certificates (including immunisation history records and COVID-19 digital certificates) had the potential to contain individual healthcare identifiers (IHI). An IHI is a unique number used by healthcare professionals to access a patient’s medical history in the My Health Record system.
Settlement was ultimately reached with Virgin Australia and ALAEA agreeing on verification methods that satisfied the concerns of the union. This mutual agreement between the parties included the requirement that Virgin Australia delete all COVID-19 digital certificates and immunisation history statements provided at that time.
This article outlines a brief overview of the privacy obligations of which employers need to be mindful, when navigating the murky and ever-shifting waters of COVID-19 policies and procedures.
The Australian Privacy Principles (or APPs) are created under the Privacy Act 1988 (Cth) (Privacy Act). The APPs set out specific requirements for the collection and storage of personal information for APP entities. Under the Privacy Act, an APP entity is an individual, body corporate, partnership, trust or any other unincorporated association that:
To collect and store employees’ sensitive information, small business operators are simply required to gain the informed consent of their employees. Sensitive information includes personal information which contains details regarding a person’s health, political opinions or associations, sexual orientation or criminal history.
Fortunately for non-APP entities, the APPs are relatively easy to understand and follow. We often recommend best practice is to comply, where you are able to do so.
Employers intending to collect vaccination status information from employees must consider the application of two key APPs:
Employees in certain industries (including domestic and international airlines) are clearly at increased risk of contracting COVID-19, and ensuring workers are fully vaccinated is a reasonable step for many employers to take in order to continue conducting business.
We understand the contention in this case was the scope of the information collected. The union announced in a statement they had no issue with the policy itself, but considered the personal information Virgin Australia had initially proposed to collect exceeded what was necessary to verify employees’ vaccination status.
In our experience advising clients in matters of this nature, other issues which are frequently raised in the collection of vaccination information include:
We recommend businesses:
Given the increased focus on privacy and individual rights, and the rapidly evolving nature and general inconsistency of legislation addressing COVID-19, it is very important to seek up-to-date and informed advice.
A special thanks to Tom Kelman for his assistance in putting this article together.