Legal experts answer HR’s COVID-19 vaccination mandate questions
Published 18 November 2021
Since its introduction, a number of bO2 readers have put some pressing COVID-19 vaccination mandate questions, including privacy laws surrounding employees’ vaccination status, to our Q&A department.
A common display of ambiguity, with the coexistence of opposing attitudes or feelings, certainly calls for more clarity around mandates in Australia’s push to open borders and resume a ‘normal life’.
In response, and due to the limited information available, we investigated what some of our peers are saying and discovered an interesting article published by AHRI (Australian HR Institute) HRM Magazine on 18 November 2021. The article asked two lawyers to respond to some of the hardest and most frequently asked questions. Here’s what they said.
“Few issues are causing as much confusion and complexity right now as the COVID-19 vaccination mandate.
For companies considering rolling out a vaccination mandate, there’s great concern about potential issues that could arise from this decision. Companies choosing not to implement a vaccination mandate are similarly worried about possible Work Health and Safety implications.
HRM put some of those concerns to two legal experts, Amy Zhang, Executive Counsel and Team Leader at Harmers Workplace Lawyers, and Andrew Jewell, Principal of Jewell Hancock Employment Lawyers. Here are their responses.”
Question 1: Can the employer be held liable if a company mandates the vaccination and an employee has an adverse reaction? Would this differ depending on whether the company is subject to a public health order?
Jewell: There is an argument that an employer could be liable for negligence if it directs an employee to get vaccinated and they have an adverse reaction. However, this would only be the case if there was no public health direction which applied. If an employer is simply following a government mandate, it is unlikely they could be held to have been negligent. In either instance, an employer who suffers an injury may have the ability to make a workers compensation claim.
Zhang: Even if no public health order applied and an employer mandated vaccination and serious adverse side effects arise, an employee may be entitled to make a workers compensation claim.
An employer may also face a disability discrimination claim if an employee had a prior disability that was exacerbated as a result of getting vaccinated. There is also the possibility of a negligence claim being made against the employer. However, there may be significant issues with such a claim, given the government is strongly recommending vaccination and the mandating of vaccinations is consistent with government and health advice.
Employers can protect themselves from potential claims by encouraging rather than mandating vaccination and consulting with employees about any potential health issues they may foresee arising from getting vaccinated.
Question 2: Could workplaces introduce rapid antigen testing for employees instead of mandating the vaccine?
Jewell: In places like Victoria, where a government mandate does not allow employers to let unvaccinated employees work anywhere but from their homes, there is no ability to put in place any alternative system such as rapid antigen testing. However, if that mandate was lifted, or in states where no such order is in place, employers can consider rapid antigen testing as long as they can establish a safe system.
Zhang: If there are no public health orders requiring vaccination, then workplaces can introduce a policy that states that rapid antigen testing can be used in place of mandating the vaccine, alongside a suite of other safety protocols to protect staff and minimise the spread of COVID-19.
Indeed, to satisfy work health and safety obligations, employers should introduce rapid antigen testing for all employees, including vaccinated employees, given vaccination does not fully prevent the spread of COVID-19. Employers cannot simply rely on vaccination to discharge their safety obligations.
Question 3: How can companies mandate the vaccine for their first two doses of COVID-19 vaccination, as well as the booster shot?
Zhang: An employer has a right to mandate vaccination, including a booster shot, provided it is lawful and reasonable to do so.
What is lawful and reasonable will depend on a range of factors and circumstances of the case, including, but not limited to, the nature of the role and industry, the spread of COVID-19 in the community at the particular time, any legitimate reasons why an employee is not able to get vaccinated or get the booster shot, and whether there are alternatives to vaccination (such as rapid antigen testing).
In terms of office-based workers who are able to complete work at home, if it is lawful and reasonable for the employer to direct an employee to get vaccinated and return to the office, then an employee’s failure to comply with a lawful and reasonable direction can result in disciplinary action, including dismissal.
An employer can also include the requirement for the vaccination, including a booster shot, in employment contracts, although an employer must be mindful of not contravening discrimination legislation.
Question 4: Is an employer legally obligated to accommodate a prospective employee who has an authorised medical exemption and therefore has not been vaccinated?
Zhang: If an employee has a valid medical exemption, then under the public health orders, they are able to work in the workplace. However, an employer will still need to consider any health and safety obligations associated with unvaccinated (medically exempt) employees working in the workplace, for example, any higher risk that they catch COVID-19 and any accommodations that should be implemented to eliminate or reduce that risk.
Employers also need to be mindful that they cannot discriminate against employees because they are unvaccinated due to a medical exemption. For example, they cannot refuse to hire such an employee on that basis unless that employee could not perform the inherent requirements of the role.
Suppose an employee can perform the role with reasonable adjustments (such as by working from home or slight changes to how the duties are performed). In that case, an employer is required to accommodate those reasonable adjustments.
The nature of the reasonable accommodations will depend on the specific role and workplace but must not cause unjustifiable hardship to the business. Reasonable accommodations also need to be balanced against an employer’s health and safety duties.
This may mean that if an employee is unvaccinated due to a medical exemption and is usually in a customer-facing role, they may, for a time (depending on the spread of COVID-19 in the community at the time), work in a low customer-facing position (i.e., moving into administrative duties).
Question 5: How should employers collect vaccination information from their employees while ensuring they are protecting their private information?
Zhang: The collection of vaccination information is governed by the Privacy Act 1988 and other legislation. Significant penalties and other consequences apply with respect to a failure to comply with the relevant obligations.
As a matter of best practice, employers should only seek and collect the minimum information necessary to satisfy their obligations around checking that staff are vaccinated or not vaccinated. This may involve simply sighting COVID-19 vaccination certificates rather than storing them.
Any records of such information should be kept in a secure file, and access to such information should be limited. The information should be kept confidential and not used for any purpose outside of which it was collected. As a matter of best practice, employers should also develop and circulate a written policy that sets out clearly the protections in place around the information collected.
Jewell: The obligation is for employers to collect a confirmation of vaccination or otherwise record employees as unvaccinated. This means that employees don’t actually need to provide anything. They will just be treated as unvaccinated if no proof of vaccination is provided.
Employers should create a register which collates vaccination certificates or records employees as being unvaccinated and limit the access of this register as much as possible to ensure the information is treated with the most privacy possible. If employees ask about this, employers should consider describing the protections in place to ensure information is protected because asking about the treatment of their private information is inherently reasonable.
Ten things to keep in mind about privacy laws and employees’ vaccination status
Make sure you don’t breach Australian privacy laws when collecting information about workers’ vaccination status.
Vaccination is a tough issue for businesses and staff, many of whom may have already made decisions either way or are in the process of doing so.
But what about the information relating to an individual’s vaccination status? Can it be collected and used by businesses? What happens if a business breaches Australian Privacy Principles when asking for proof of a staff member’s vaccination status?
This is yet another Pandora’s box of potential missteps for businesses.
What are the key issues around requesting proof of a staff member’s COVID-19 vaccination status and recording that data?
The Privacy Act 1988 (Cth) (Privacy Act) and the Australian Privacy Principles (APPs) apply to many businesses collecting, using, storing, and disclosing information relating to staff vaccination status.
The Privacy Act covers Australian government agencies and private sector organisations (including all private health service providers). Some small business operators (organisations with an annual turnover of $3 million or less) are exempt.
Exempt businesses do not need to comply with the APPs. Still, they may have other legal obligations restricting their ability to compel staff to provide vaccination information or curtailing the manner in which they may discipline staff who refuse to do so.
In some jurisdictions, entities may also need to comply with State or Territory privacy legislation or privacy principles.
The National COVID-19 Privacy Principles (CPP) also provide a framework for government and business to guide a best-practice approach to the collection of information about vaccination status.
What happens if a business breaches Australian Privacy Principles when asking for proof of vaccination?
The Australian Privacy Commissioner may commence proceedings for an act or practice by an entity that contravenes the APPs.
This may occur, for example, after the staff member makes a complaint.
If court action is successful, civil penalties of up to 2000 penalty units (the value of a penalty unit is currently $222) may be imposed. The Commissioner may also take other action, including seeking enforceable undertakings or issuing infringement notices.
Collecting vaccination information – what are the rules?
Vaccination information is ‘collected’ for the purposes of the APPs if it is included in a record, for example, a record that a business keeps about a staff member.
Vaccination information may be collected if a business records whether a staff member is vaccinated or keeps a copy of evidence of vaccination, such as the online immunisation history statement or a COVID-19 digital certificate from the Australian Immunisation Register.
It may also be collected when there is a statement to that effect on the staff member’s personnel file or the business ticks a box confirming that evidence has been sighted for a particular worker.
Of course, if a business simply sights the vaccination certificate (or other satisfactory evidence) and does not keep any records, there is no collection, and the APPs will likely not apply.
Information may also be ‘collected’ by different means, including from another entity (e.g., a vaccination provider), through surveillance cameras of an area in which staff are being vaccinated or from an audit log (e.g., staff using personal/carers or other leave for the purposes of vaccination).
What about the employee records exemption?
Private sector businesses often rely carte blanche on the employee records exemption.
However, businesses need to remember the employee records exemption does not apply when a business is collecting an employee’s vaccination information, which means the employer will need prior valid consent in most cases. See Jeremy Lee v Superior Wood Pty Ltd  FWCFB 2946 for more details on this.
More generally, the exemption does not apply to collecting, using, storing, or disclosing the vaccination information of contractors, prospective employees, or volunteers in the workforce.
Australian government agencies may also need to undertake a Privacy Impact Assessment (see the Privacy (Australian Government Agencies – Governance) APP Code 2017).
Does a business have an unfettered right to demand vaccination information?
Seeking valid consent
APP 3 provides the framework for how businesses may collect vaccination information.
First, the collection must be reasonably necessary for an entity’s functions and activities.
A business may argue that collection is reasonably necessary to provide a COVID-safe workplace or COVID-safe services, for example, if staff work face-to-face with vulnerable clients, especially where those clients have requested their service providers to be fully vaccinated. A privacy impact assessment may assist this analysis.
Second, since vaccination information (including status and medical exemptions) is classified as sensitive information, businesses must also seek valid consent from a staff member before collection. For that consent to be valid:
- adequate information must be provided to staff
- permission must be voluntary
- consent must be current and specific (i.e., a general consent under an employment or services contract may not suffice); and
- the person must have the capacity to understand and communicate the authorisation (e.g., if it is in a contract, the business must explain to the person what it means at the time of signing).
Relevantly, the information provided to staff (or prospective staff) as part of this consent process must also comply with the Therapeutic Goods (Restricted Representations – COVID-19 Vaccines) Permission (No. 4) 2021 (see question 7).
Circumstances in which businesses do not need consent
In limited situations, companies may not require consent and may direct their staff to provide this information. Businesses may also be able to take disciplinary action for non-compliance. For example, consent is not required when collecting data that is:
- required or authorised by a law, including Acts of any Australian jurisdiction, and regulations or instruments made under those Acts (e.g., public health orders); or
- required under a contract (i.e., to provide evidence of vaccination as an ongoing condition of employment) – some host businesses may also be able to avoid the APPs by imposing the requirement through service contracts with labour-hire providers.
As an aside, businesses should also have regard to discrimination laws where a job applicant may, for example, have a disability or religious ground, which prevents vaccination.
Even if the Privacy Act does not apply to a particular business, mandated collections of information must be carefully managed to avoid legal claims by eligible staff under unfair dismissal, discrimination, and possibly as adverse action under general protections laws.
Under general protections laws, while the Privacy Act is not a workplace law, an employee or prospective employee may potentially make a complaint concerning their employment and allege that they have been treated adversely because of that complaint.
What should businesses do when seeking consent from staff to share their vaccination information?
If a business decides to collect vaccination information by seeking consent, it must ensure it is transparent about the reasons for its collection and the use of that information (APP 1).
For example, if a business is collecting vaccination information to satisfy requirements under a public health order, and the information would be stored for that purpose, staff should be informed of that.
APP 5 also requires a business to take reasonable steps (ideally before collection or soon after) to notify the affected staff:
- of its reasons (e.g., to comply with a public health order or for work safety)
- the consequences of refusing to provide the information (e.g., a sacking offence or no receipt of a gift/incentive)
- if the collection is required or authorised by law (i.e., is there a contractual condition, public health order, or is it part of the business’ COVID-safe plan under work health and safety laws?)
- how the information will be used or disclosed (i.e., to assist the business in demonstrating to government authorities that it has complied with the requirements in a public health order)
Also, the collection itself must be by fair and lawful means, free of intimidation or deception. Otherwise, the consent may not be valid.
It may be wise to obtain express consent from staff as it appears that consent may only be inferred in limited circumstances.
Is the ‘carrot and stick’ approach helpful when asking about a staff member’s vaccination status?
Where vaccination is not mandated, businesses may face difficulties if they wish to get consent from all staff to keep vaccination records as part of a COVID-safe plan.
On this basis, it may be easier to encourage consent to the collection of vaccination information as part of a work-provided vaccination benefit or incentive—a carrot rather than stick approach.
So, is this legal? Well, yes, but any benefit or incentive scheme must comply with the Therapeutic Goods (Restricted Representations – COVID-19 Vaccines) Permission (No. 4) 2021 (Permission).
The Permission requires business communications about COVID-19 vaccines to be consistent with Commonwealth health messaging.
Businesses must not directly or indirectly reference vaccine brands, compare vaccines, or reference active ingredients (except through an advertisement of an approved COVID-19 vaccination provider), state that vaccines do not cause harm or side effects, or make any false or misleading statements.
Any offers of benefits or rewards made to vaccinated staff are subject to strict conditions under the Permission. For example, offers may only be made to staff who are partly or fully vaccinated according to Australian government requirements. Staff must not participate except on the advice of a health practitioner, and the offer must not promote a particular vaccine.
Businesses failing to comply with these restrictions may commit an offence, with maximum civil penalties of up to 5,000 penalty units for an individual and 50,000 penalty units for a corporation.
In certain circumstances, it may amount to a criminal offence leading to imprisonment for up to 5 years. See Division 3A – Advertising offences and civil penalties.
What type of evidence or proof of vaccination is reasonable for a business to request?
If the APPs apply, the required proof of vaccination must be no more than is reasonably required in the circumstances and must be held for no longer than is necessary.
However, unless mandated by a public health order, there is no clear guideline on what type of evidence is reasonable in the circumstances.
For example, under the NSW Public Health (COVID-19 Vaccination of Health Care Workers) Order 2021, an employer may request vaccination evidence by way of an “online immunisation history statement” or a “COVID-19 digital certificate from the Australian Immunisation Register”.
Alternatively, where a healthcare worker is exempt from the requirement to be vaccinated due to a medical contraindication, they must provide a certificate stating they cannot have a COVID-19 vaccine because it may be harmful.
Where the need to collect vaccination information is less black and white, it may be wise to link the request to an incentive being offered to vaccinated workers. For many staff, the motivation may simply be the ability to return to the workplace.
What are the ongoing privacy obligations once vaccination information is collected?
For employees covered by the Privacy Act, the collected information will be held on their employee records and will no longer be subject to the APPs as long as it is only used for the agreed purpose.
However, for all other staff (including volunteers, contractors and prospective but unsuccessful job applicants), that information may only be stored subject to the APPs.
This requires ongoing compliance practices and procedures. Businesses will need to ensure the information is kept accurately, limit its use and disclosure to the purpose for which it was collected (i.e., do not disclose vaccination status more generally), and conduct ongoing reviews and audits to reassess the need to keep the information on an ongoing basis.
Even if not covered by the APPs, businesses will likely wish to comply with these requirements as best practice and to ensure their COVID-safe plans are based on accurate information.
Relevantly, the National COVID-19 Privacy Principles also support a best-practice approach on vaccination records, including data and purpose limitation, taking reasonable steps to ensure information is secure and destroying it when it is no longer needed.
Be careful what you wish for – the nature and extent of vaccination information
Businesses need to consider what they will do if staff refuse to provide vaccination information or sufficient medical evidence of a contraindication.
Consistency is best, especially if a refusal leads to dismissal – for example, employees may be able to seek relief under unfair dismissal laws.
In the absence of a mandated requirement to vaccinate, businesses may proceed down the mandatory vaccination path and then find themselves in a quandary where they are compelled to discipline or dismiss a highly valued staff member who elects not to be vaccinated.
Also (and of equal importance), businesses may consider if they need to know the details of staff members’ medical contraindications if the workplace can be made safe through other measures, such as rapid antigen testing.
So, should businesses collect vaccination status data from staff or not?
Ultimately, when deciding whether vaccination information is going to be collected, a business would be wise to consider why it wishes to do so and whether it is necessary. This assessment may change over time, including if COVID-19 risks diminish and public health orders expire.
In situations where a public health order requires vaccination, this decision is less difficult, and vaccination information will be kept in accordance with the public health order. This may also be easier when an employment or services contract lawfully requires the provision of vaccination information as a condition of ongoing employment or engagement. It is likely that many businesses going forward will include such clauses for new staff.
However, where a business simply wants to keep vaccination information as part of its COVID-safe plan, and there is no legal basis for compelling this, it will be all about obtaining valid consent.
The other alternative is to ask staff members to show the business the online immunisation history statement, COVID-19 digital certificate from the Australian Immunisation Register or other satisfactory evidence with no record being kept of that sighting. As the information is not collected, the APPs may not apply. However, this may be of little practical utility if a business wishes to use the results to better manage risks to staff and clients, including to document its risk management as part of its COVID-safe plan.
Businesses and government agencies should also keep front of mind that dismissals or adverse treatment of staff (or prospective staff) who are not vaccinated or who do not wish to provide vaccination information to the business may create risks of legal claims, including general protections, unfair dismissal, and discrimination as applicable.