Australia: Privacy and the collection of COVID-19 vaccination data in New South Wales and Victoria
In the aftermath of lengthy lockdowns across Australia, Australia's states and territories, including New South Wales and Victoria, are progressively re-opening for business, with governments counselling that we must 'learn to live with COVID-19'. In that context, many businesses are considering whether they may lawfully collect vaccination data from employees, customers, and other visitors to their premises and how they may use and disclose the data they collect. Angela Flannery and Clare Giugni, from Holding Redlich, provide answers to questions in the context of COVID-19 vaccination data, its collection, disclosure, and storage.
The primary privacy legislation in Australia is the Privacy Act 1988 (No. 119, 1988) (as amended) ('Privacy Act'), which applies to federal government agencies and most private sector organisations, in each case, in relation to their collection, use, and disclosure of personal information. The responses below consider only the Privacy Act and how it applies to private sector organisations.
The circumstances in which vaccination data may be collected and used are impacted by state and territory-based legislation. The below responses consider only the position in New South Wales and Victoria.
What are the rules (if any) surrounding the collection and use of vaccination data?
Collection of vaccination data
Under the Privacy Act, information about an individual's vaccination status is health information. Health information is a type of 'sensitive information' and is subject to greater privacy protections than other types of personal information.
As a general rule, private sector organisations may, under the Privacy Act, only collect sensitive information if it is reasonably necessary for the organisation's functions or activities and if the individual has consented to the collection. There are some exceptions to this requirement, for example, where the collection of the sensitive information is authorised or required by an Australian law, but these exceptions are narrow.
This requirement will, however, only apply where the organisation 'collects' the sensitive information (that is, in this case, the vaccination data). As relevant here, the Privacy Act provides that collection occurs only where the organisation collects the information for inclusion in a record, whether physical or electronic.
Many organisations have adopted the approach of not 'collecting' vaccination data where they have a legal obligation under public health orders to check the vaccination status of individuals entering their premises.
For example, in Victoria (and other relevant Australian jurisdictions), public health orders provide that certain businesses may only open to fully vaccinated customers. Such businesses include exercise facilities (for example, gyms and swimming pools), restaurants and bars, and movie theatres. Those businesses must take reasonable steps to ensure only fully vaccinated persons (and those with medical exemptions or persons under the age of 18) enter their premises. This is typically done by viewing an individual's Australian Government-issued vaccination certificate upon entry to the premises, without ever recording that information. In such a case, the organisation is not 'collecting' that information under the Privacy Act because no information about the individual is ever recorded by the organisation.
Collection of vaccination data typically occurs where an organisation wishes to collect the vaccination status of employees. In some cases, collecting this information is mandated by public health orders. For example, in Victoria, at the current time, a vaccination mandate applies to workers in residential aged care facilities, certain health care workers, and workers in quarantine facilities, as well as workers in other sectors. This means those workers must be vaccinated (and in some cases also receive a booster shot) unless they are working from home. Where vaccination of employees is required by a public health order, particular details are required to be retained by the employer, and this data will therefore be collected for the purposes of the Privacy Act. The type of data that is required to be collected would not include a copy of the vaccination certificate itself. Although an employee may still refuse to provide evidence of vaccination (or evidence of a medical exemption), an employer in one of these mandated sectors is legally obliged not to allow such an employee to be on site in carrying out their work.
The Office of the Australian Information Commissioner ('OAIC') has cautioned organisations, in its guidance material1, to ensure that the dual requirements of the Privacy Act for collection, as mentioned previously, are met when employee vaccination data is collected. That is, consent should be obtained for the collection and, secondly, that collection should be reasonably necessary for the organisation's functions or activities. An organisation cannot collect this sensitive information simply because it believes it might have a future need for it, without identifying what that need is. An example of where such information may be collected with consent would be where the employer organisation had provided a lawful and reasonable direction to its employees to be vaccinated, whether as a result of a vaccination mandate applicable to the relevant industry or sector, or as a result of the voluntary imposition by an employer of such a requirement.
Even where vaccination data may be collected under the Privacy Act, Privacy by Design principles require that this data collection is minimised. This may mean that, for example, personal information is able to be collected as to whether a person is fully vaccinated, but not, for example, information about the type of vaccine or the date on which the vaccination occurred.
Use of vaccination data
Under the Privacy Act, the permitted uses and disclosures of personal information differ depending on whether the relevant information relates to an employee of the organisation or to other individuals.
If the information relates to an employee, the employee records exemption may apply (noting that this exemption is only applicable to private sector organisations, not to federal government agencies). Once collected by the employer for employment-related purposes, personal information about an employee forms part of their 'employee record'. While the Australian Privacy Principles ('APPs') will apply to the initial collection of an employee's personal information, the APPs do not apply to the subsequent use or disclosure of employee information by an employer, provided it is for a purpose that is directly related to the current or former employment relationship between the employer and the individual. If used or disclosed for other purposes, the APPs would apply in the same way that they would apply to the vaccination data of other persons, such as customers.
If the information relates to a person other than an employee (for example, a customer), the APPs, as set out in the Privacy Act, will apply. The APPs provide that, when an organisation collects personal information, including sensitive information, it may generally only use or disclose that information for the purpose for which it was collected (referred to as the primary purpose).
There are some circumstances in which sensitive information may be used or disclosed for a purpose other than the primary purpose, which is referred to as a secondary purpose. As relevant here, these circumstances include:
- where the secondary purpose is directly related to the primary purpose and the individual would reasonably expect their personal information to be used or disclosed in that way;
- where the individual has consented to the secondary purpose; or
- if an organisation is required or authorised under an Australian law to use or disclose the information for the particular purpose.
Given the data in question is vaccination data, it is unlikely that the first exemption would apply as individuals would not reasonably expect that data to be used or disclosed for other purposes.
What would be the appropriate legal basis for such processing?
The Australian Privacy Act does not adopt the terminology of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') of requiring a legal basis for processing personal information.
As set out in the response to the first question, an organisation may collect vaccination information generally only with the consent of the individual and where the collection is reasonably necessary for the organisation's functions or activities.
Is an organisation permitted to ask employees or visitors for their vaccination status prior to permitting them to enter the workplace?
As described in the first response, some organisations have an obligation under public health orders to take reasonable steps to ensure that unvaccinated adults do not enter their premises (noting these rules do not apply to adults with a medical exemption or, in Victoria, persons under the age of 18). Those businesses are in fact legally required to ask both employees and visitors (including customers, but also contractors, such as cleaners and the like) for their vaccination status before allowing them to enter the premises. As also noted in the response to the first question, public health orders applicable in some Australian states and territories also mandate that employees in particular sectors and industries must be vaccinated unless they work from home. Employers in those cases would also be required to ask for evidence of vaccination status of employees.
Over time, these types of public health orders will cease to apply. At that point, an organisation may nonetheless decide to continue to exclude unvaccinated adults (whether employees or visitors) from their premises. In such a case, the organisation may lawfully continue to ask for confirmation of an employee or visitor’s vaccination status provided that this does not breach any other law. For example, some employment-related legal obligations may, depending on the type of business, mean that it is considered unreasonable to ask for proof of an employee’s vaccination status absent a legal obligation.
There are some businesses, such as essential retail (for example, supermarkets) where the ongoing public health orders do not currently apply to require vaccination status of customers to be checked. Typically, those businesses do not ask for proof of vaccination status of customers.
As set out in the first response , it should also be remembered that asking to view an individual’s proof of vaccination does not, of itself, amount to a collection of that information under the Privacy Act. Only where the relevant organisation also keeps a record of the individual's vaccination status will that sensitive information be collected. Therefore, businesses who only ask to see an individual's vaccination certificate upon entry do not collect that information, and the Privacy Act would not apply.
Can an organisation collect or ask for proof of vaccination and/or testing records?
Where a vaccination mandate is in place, employers in the relevant sector or industry are in fact required to collect and store an employee's vaccination data.
However, as noted in the response to the first question, the obligation to collect an employee's vaccination information does not amount to a requirement to collect the document which proves the vaccination status. Organisations may, for example, comply with this requirement by keeping a list of employees and their vaccination status, as well as a description of the document relied on as evidence of that status, without retaining a copy of the document itself. The information required to be collected differs on a state and territory basis.
Where there is no legal obligation in place to collect vaccination information, or where an organisation seeks to collect more than the data that is required for compliance with the relevant vaccination mandate, the organisation will need to comply with the general requirement for the collection of sensitive information. This has been confirmed by a recent decision of the Australian Fair Work Commission (Construction, Forestry, Maritime, Mining and Energy Union v BHP Coal  FWC 81). The Commission concluded that, where an organisation has complied with the relevant requirements under Privacy Act and the collection of proof of vaccination is reasonably necessary in the circumstances (for example, where the business operates in a high-risk setting), it would be appropriate to collect the evidence of vaccination.
Organisations cannot collect testing data, whether of employees or others.
Is an organisation allowed to disclose information on COVID-19 results within the company and/or to health authorities?
The purposes for which information may be disclosed depends on whether the information relates to an employee or another individual. The disclosure of employee information by an employer is not subject to the APPs provided the disclosure is for a purpose directly related to the current or former employment relationship.
Use within the company itself would not be a disclosure under the Privacy Act (whether this was of the vaccination status of employees or other persons). In the case of employee data, use within the company would need to be for a purpose directly related to the employment relationship for the employee records exemption to apply. In the case of other persons, such as customers, use within the organisation would only be permitted for the primary purpose or for a permitted secondary.
Disclosure to health authorities, whether of the vaccination status of employees or of other persons, would generally only be permitted if required by law. This is because this would be considered to be a secondary purpose (see the discussion of primary and secondary purposes in the response on the first question). In relation to employees, the employee records exemption would not apply to such a disclosure, given it is for a non-employment related purpose. Typically, Australian health authorities are not authorised to request such data from organisations and will collect this directly from the relevant individuals.
Testing results are also a type of sensitive health information and are typically collected by health authorities either directly when a PCR test is conducted by a relevant health professional or from the individual when they notify the health authority of a positive rapid antigen test. In New South Wales, it is a mandatory requirement to register a positive rapid antigen test with the relevant government agency. Organisations do not directly collect this data.
How long is an organisation required to keep/store vaccination data?
Where vaccination data is collected by a private sector organisation in relation to its employees for retention in an employee record, that is, where the employee records exemption in the Privacy Act applies, then the Privacy Act does not specify any time period for retention of the employee record. An employer would need to consider whether it was required to retain the record for particular legal purposes, such as to provide evidence of compliance with particular public health orders, in determining how long to retain vaccination data.
Where a private sector organisation collects vaccination data relating to persons who are not employees (for example, customers), the APPs require that it must only store the information for as long as it is needed for the purpose for which it was collected (or for any permitted secondary purposes), unless it is required to retain the data for a longer period under an Australian law, court, or tribunal order. Once the vaccination data is no longer needed, the organisation must take reasonable steps to delete or de-identify the information. Therefore, how long the data should be stored will depend on the purpose for which it was collected.
Any additional information?
In Australia, regulation related to pandemic requirements is typically imposed at a state and territory level. The rules differ on a jurisdiction-by-jurisdiction basis and change over time, sometimes quite often. It is important that organisations keep up to date with those rules and ensure that these are considered when any determination is made as to whether or not to collect vaccination data.
This information is current as of 23 February 2022.