COVID-19 – Agency privacy obligations and employee vaccination status

Queensland government agencies[1] must deal with personal information[2] in accordance with the privacy principles[3] contained in the Information Privacy Act 2009 (Qld) (IP Act). This obligation applies to the personal information of their employees, including whether or not they have received a COVID-19 vaccination.

Non-government employers

Non-government employers should refer to the Office of the Australian Information Commissioner website[4] for guidance on handling information about their employees' vaccination status.

This guideline[5] is intended to assist Queensland government agencies to understand their privacy obligations regarding their employees' COVID-19 vaccination status information. The guideline Managing privacy in a pandemic provides information about managing employee privacy generally in the context of COVID-19.

This guideline does not apply to health agencies, ie the Department of Health or Hospital and Health Services. Health agencies should refer to COVID-19 – Health agency privacy obligations and employee vaccination status.

Collecting employee vaccination status information

Vaccination status information

Vaccination status information in this guideline includes whether an employee has been vaccinated, any decision by an employee to not receive the vaccine, and any reasons for that decision.

Vaccination status information can only be collected where it is reasonably necessary for the agency's functions or activities. Agencies need clear and justifiable reasons for collecting it. When it can be collected, it must be collected in a way that does not unreasonably intrude on the employee's personal affairs and agencies must take steps to ensure it is accurate, complete, up to date and not misleading.[6]

Evidence of vaccination - sighting only

Where agencies can lawfully collect their employees’ vaccination status, agencies should sight evidence of their vaccination status and make a record of this action, rather than retaining a copy of the evidence. This approach minimises the collection of personal information consistent with IPPs 1 and 3.

In the event an employee provides the agency with a copy of their vaccination status, this should be sighted and recorded. Once that action is complete, the document should be disposed of (destroyed), provided this is consistent with your agency’s policy and procedure outlining the process which is followed to verify employee vaccination status.[7]

The same process should be applied if employees have a medical exemption from being required to be vaccinated.

Vaccination status information cannot be collected for an unspecified or possible future purpose or where the functions or activities of the agency can be undertaken without it. For example, it is unlikely that collecting vaccination status information for monitoring purposes only would be considered necessary.

Agencies should consider public health advice when determining whether it is reasonably necessary to collect vaccination status information. Workplace specific health and safety risks and relevant workplace laws can also affect whether it is necessary to collect vaccination status information.

If collection is required or authorised by law

Agencies can collect employee vaccination status information if it is required or authorised by law. Law includes a Queensland Act, an Act of another jurisdiction, such as the Commonwealth, that applies in Queensland, and regulations or other instruments made under those Acts, including public health orders or directions.

Relevant laws may require an agency to collect employee vaccination status information, require employees to be vaccinated, or both. Some examples are:

No collection 'just in case'

Vaccination status information cannot be collected for an unspecified or possible future purpose or where the functions or activities of the agency can be undertaken safely without it. For example, it is unlikely that collecting vaccination status information for monitoring or statistical purposes would be considered necessary.

When determining whether it is reasonably necessary to collect vaccination status information, agencies should consider public health advice. Workplace health and safety obligations and risks, relevant workplace laws and workplace specific vaccine directives can also affect whether it is necessary to require vaccinations and/or collect vaccination status information.

More information

Refer to WorkSafe Queensland, the Fair Work Ombudsman and Safe Work Australia for more information on managing COVID-19 in the workplace.

Notification obligations when collecting vaccination status information

In most cases, the agency must be transparent about why it is collecting vaccine status information and how it will be used and disclosed.[8] It must take reasonable steps to make its employees generally aware of why the information is being collected, any legal authority for the collection, anyone to whom it is the agency's usual practice to disclose it, and any entity that they will disclose it to.[9]

This information must be provided before collecting the information or, if this is not practicable, as soon as practicable after collection occurs.

Obligations after employee vaccination status information is collected

Agencies must protect employee vaccine status information against unauthorised misuse, loss and unauthorised access, modification or disclosure.[10] It must be appropriately secured and reasonable steps taken to ensure the information is accurate, complete, up to date and not misleading.[11]

Vaccination status information can only be used or disclosed in accordance with why it was collected, what employees were told when the information was collected, or as provided for in the privacy principles.[12]

Where collection was required by law

Where vaccine status information was collected under a public health direction or other law, that law may:

  • impose specific storage and security requirements; and/or
  • limit its use and/or disclosure.

In those circumstances, the secondary uses and/or disclosures permitted under the privacy principles will not apply.[13]

Privacy impact assessments

Agencies intending to collect their employees' vaccination status information should consider undertaking a Privacy Impact Assessment (PIA), even if the collection is authorised or required by law.

A PIA allows an agency to identify the privacy risks associated with the collection of vaccination status information and can assist the agency to:

  • accurately record the information it collects and ensure it is complete and kept up-to-date
  • meet its notification obligations, ie what an agency must communicate when collecting this information
  • collect the information using a secure method and store it securely once collected; and
  • limit the use and disclosure of employee vaccination status information to what is necessary to prevent and manage COVID-19.

A PIA will also assist an agency to be open and transparent about how it will deal with employee vaccination status information.

Refer to Overview of the Privacy Impact Assessment (PIA) process and Undertaking a Privacy Impact Assessment for more information.

Current as at: December 16, 2021