
COVID-19 data security risk for Employers - how to safely collect data on vaccination status

Posted on November 29, 2021

An employer may require an employee to provide evidence of their vaccination status in particular circumstances. However, it is important for employers to be aware that the collection and storage of this data comes with strict compliance obligations, as set out below. Mishandled data may pose a serious data security risk for employers.

Privacy considerations

Information about an employee’s vaccination status is considered sensitive information and is afforded a higher degree of protection under the Privacy Act 1988 (Cth) (Privacy Act). Generally, the employee must provide consent to the employer to collect vaccination status information and the collection of this information must be reasonably necessary for one or more of the employer’s functions or activities.

Whether the collection of the employee’s vaccination status information is reasonably necessary for the employer’s functions or activities will be impacted by applicable workplace laws and contractual obligations. If the employer could achieve their purpose without collecting the information or if the employer is collecting information for monitoring purposes only, it is unlikely that the collection would be deemed reasonably necessary.

In order to obtain the employee’s consent to collect vaccination status information, the employer is required to be transparent about why the information is being collected and how it will be used, in accordance with the Australian Privacy Principles (APPs).

The employer should only collect the minimum amount of personal information reasonably necessary to maintain a safe workplace and will need to take reasonable steps to keep the information secure.

Information about an employee’s vaccination status which has been collected lawfully will likely be subject to the employee records exemption in the Privacy Act. This means that the APPs will not apply to the handling of the employee information once it has been collected and is held in an employee record, where it is directly related to the employment relationship between the employee and the employer. Employers should note that the employee records exemption will not apply to prospective employees, contractors, sub-contractors and volunteers.

Required or authorised by law

An employer may collect vaccination status information without consent only in circumstances where the collection is required or authorised by law which includes a state or territory public health order or direction.

State and territory public health orders continue to be updated in response to the COVID-19 pandemic. Employers should monitor and review the requirements for any orders that apply to their employees.

Lawful and reasonable direction

If an employer has provided a lawful and reasonable direction to its employees to be vaccinated, the employer can ask employees to provide evidence of their vaccination if this is reasonably necessary. Once this information has been collected the employee records exemption will apply.

If there is a term that requires COVID-19 vaccination in the employee’s enterprise agreement, other registered agreement or employment contract, it is likely to be reasonably necessary for the employer to collect vaccination status information. However, the employer still needs to obtain the employee’s consent.

But wait, there’s more…

Employers may not be aware that the Federal Government COVID-19 digital vaccine certificate and vaccination record include an Individual Healthcare Identifier (IHI), which uniquely identifies each Australian for healthcare purposes. This is a very sensitive piece of information which is subject to a higher standard of data security requirements under the Healthcare Identifiers Act 2010 (Cth) (HI Act). This is in addition to the requirements under the Privacy Act. The handling of IHIs is regulated by the HI Act and Regulations and the Privacy Act.

The HI Act regulates the use of IHIs and provides that IHIs may only be accessed, used and disclosed for limited purposes. Any person who uses or discloses this data in a way that is not permitted under the HI Act will be subject to strict criminal and civil penalties, including imprisonment, and may also be in breach of the Privacy Act.

Therefore, employers who store this certificate must take reasonable steps to protect the IHIs from mishandling. This may be implemented through a secure IT system that, for example, encrypts the stored records and restricts access to IHIs to authorised persons only.

Alternatively, we recommend that employers ask their employees to redact their IHI number from their vaccine certificate before providing a copy or simply sight the employee’s proof of vaccination and make a record.

Vaccination in the workplace is a constantly evolving area; we recommend getting in touch with our workplace relations team if you are unsure of your obligations or rights.
