It's a legal minefield HR needs to be wary of
Vaccination is the topic on everyone’s lips as health authorities struggle to contain Sydney’s latest COVID-19 outbreak.
Getting the jab is the key to the country’s future freedom but the rollout has been anything but smooth. Supply issues, mixed messaging and fears over the AstraZeneca shot have resulted in a slow take-up. But there are also a number of challenges facing employers.
One key area of concern is around employee privacy and the right of an employer to question staff about their vaccination status. Employers have a responsibility to provide a safe workplace and undoubtedly, many will want to know how many workers have been vaccinated against COVID-19. Here, HRD explores some of the legalities around vaccination privacy.
Can employers require employees to say whether they’ve been vaccinated?
Only under very limited circumstances can an employer require its workers to confirm or prove whether they have been vaccinated, such as complying with a health order.
Information about an employee’s vaccination status is considered sensitive, and is protected by the Privacy Act 1988. The Act covers all government agencies and private sector organisations, except small businesses with an annual turnover of less than $3m.
Forcing employees to disclose that information will only be legal in the minority of situations, but employers are legally allowed to ask for health data such as vaccination status. In most cases, employers will only be able to collect health data if:
- The employee consents to handing over the information
- The information is reasonably necessary, or directly related to, the function of the employer or agency
In some instances, such as a healthcare provider asking its employees for their vaccination status to protect the safety of its patients, the necessity of that information is more obvious. But employers with a largely desk-based workforce may also argue that to keep staff safe in the event of an outbreak, they need to know who would be most at risk. It’s an issue that’s likely to arise over the next year as Australia’s vaccination rate increases and workers return to the office.
Read more: Fair Work: How do maximum term contracts work?
When is an employee’s consent needed?
In the vast majority of cases, consent will be required to collect information on a worker’s vaccination status. One example of where it would not be needed is if an employer was complying with an Act made by the Commonwealth, territory or state, such as a health order that allowed collection without consent.
The Australian Privacy Principles (APP 3.4) sets out the other very limited circumstances where consent is not required.
But there are other aspects for an employer to note around consent. Firstly, the employee must be capable of giving consent. They must be adequately informed about what information they are being asked to share, how it will be stored and which third parties may be given access. They must not be coerced or pressured in any way, and must have a genuine opportunity to say no.
Acceptable reasons for disclosure
There is no hard and fast rule on what is defined as an acceptable reason, but what the law does make clear, is that the request for information must be reasonably necessary for the employer’s function.
That may include maintaining the health and safety of the workplace, complying with workplace laws or contractual obligations. But the employer must be able to show the link between the information and how it is necessary for the organisation’s function.
Undoubtedly, like the debate over mandating vaccines, this grey area will throw up legal challenges in future. The first step for HR leaders is to use a risk assessment to identify the risk level within their industry and their workplace. They should also consult the public health advice and any applicable workplace laws.
Read more: Federal Circuit Court fills gaps in hazy employment contract
How to manage health information of employees
Best practice urges employers to be transparent in their handling of personal data. It’s important to communicate why they are asking for the information, how it will be stored, how employees can access or correct that data, and who the data may be passed onto.
A workplace privacy policy is a good way to set out the organisation’s data processes and provide answers to the above questions.
It’s vitally important that employers use a secure method of storing personal information. Data breaches can have significant consequences for both employees and employers.
Workers whose data is lost or stolen risk becoming the victims of fraud, which could lead to serious financial and psychological damage. For employers, breaches often result in serious reputational damage, and exposes weaknesses in their security systems which can also lead to financial loss.
To date, individual compensation for victims have ranged from $1,000 to $20,000 for non-economic loss for each privacy breach, but experts have warned the number of cases brought before the courts will continue to rise.
