Businesses that are considering implementing mandatory vaccination requirements (outside the scope of the public health orders) will need to carefully consider how they will deal with the privacy law issues arising from their policy, including how they will check employee vaccination status when applying and enforcing the policy.
In many cases, businesses will want to collect this information and store it in some form of database so that a record is retained for future reference (e.g. to meet client/customer requirements). In those circumstances, businesses should try to have employees voluntarily provide the information (i.e. they give their consent). However, you may then run into difficulties where employees do not consent to providing their vaccination status information, and in those cases you would need to rely on a ‘permitted general situation’ existing. Businesses will also need to notify employees of a range of matters, including the purpose for which they are collecting the information and to whom the business might disclose the information (we recommend that a disclosure / consent statement be provided to employees prior to collecting vaccination information).
A far safer approach would be to ‘sight’ employee vaccination information instead of ‘collecting’ it. Under the Privacy Act, the term ‘collect’ is defined as meaning collecting the personal information ‘for inclusion in a record or generally available publication’. By merely ‘sighting’ vaccination information and not collecting it or making a written record of employees who are vaccinated, businesses are able to side-step the requirements for obtaining employee consent under the Privacy Act. This provides a far cleaner path for businesses to take.
Clearly, the legalities surrounding mandatory vaccination policies remain complex, so businesses should have a clear plan before going down this path.
Please get in touch if you need any assistance navigating the decisions in your workplace by calling 1300 564 309.