Privacy considerations for sensitive COVID-19 employee data collection

Public news

An employer that seeks to implement a policy for its employees regarding COVID-19 vaccination and wearing a mask needs to understand the obligations imposed by applicable privacy laws.

Private sector employees and Commonwealth public sector employees may have concerns over their privacy obligations under the Privacy Act 1988 (Cth) (Privacy Act). State or territory government agencies (and in some cases their service providers) are required to comply with privacy laws at a state or territory level.

A fair and effective policy about vaccinations and masks will inevitably involve the collection of information from employees about their vaccination status or, if they seek to be exempt from the policy, medical information. This personal information is in the category of sensitive health information. Privacy laws require employees to give genuine and informed consent to the collection of this information.

The Privacy Act will not apply to private sector organisations with an annual turnover of less than $3 million. If annual turnover exceeds this threshold, the Privacy Act doesn’t apply when the organisation handles personal information about a current or former employee stored in a record for a purpose directly related to the employment relationship. However, this exemption doesn’t apply to public sector agencies. Moreover, it is arguable the exemption doesn’t apply when a private sector organisation collects personal formation from an employee for inclusion in an employee record.

Genuine and informed consent by an employee to the collection of their health information to support a policy about vaccinations and masks requires that the employer set out in the policy (or by other means) why the employer needs the information and the consequences if it is not collected. For example, it must be explained if the basis for the policy is:

  • to meet work health and safety obligations
  • required or authorised by a public health order (which should be named)
  • to meet the demand of customers or clients.

If a client requires that persons providing services on behalf of the employer organisation to be vaccinated, and this means the vaccination status of employees is supplied to the client, the employees must be informed of this. The employees should be referred to the organisation’s privacy policy, which must comply with applicable privacy laws.

The Office of the Australian Information Commissioner has developed privacy guidance (available on its website) to assist employers with best practice methods to properly handle information once it has been collected.

Key requirements in relation to COVID-19 are:

  • the sensitive medical information collected should be limited in scope to what is necessary to maintain a safe workplace;
  • employers should ensure they take reasonable steps to securely store employee vaccination status records and medical evidence exempting employees from vaccination or mask wearing;
  • subsequent use and disclosure of this information should be limited to when absolutely necessary;
  • all information held should be reviewed and updated as required; and
  • employers should monitor whether such information is still required to be maintained as public health orders and government advice change.

The MTA encourages members to consider requesting information from employees about vaccinations, but notes that care needs to be taken in how this information is collected, stored and used. If members have any queries about this, contact the WR team on 8291 2000 or at