Queensland government agencies[1] must deal with personal information[2] in accordance with the privacy principles[3] contained in the Information Privacy Act 2009 (Qld) (IP Act). This obligation applies to the personal information of their employees, including whether or not they have received a COVID-19 vaccination.
Non-government employers should refer to the Office of the Australian Information Commissioner website[4] for guidance on handling information about their employees' vaccination status.
This guideline[5] is intended to assist Queensland government agencies to understand their privacy obligations regarding their employees' COVID-19 vaccination status information. The guideline Managing privacy in a pandemic provides information about managing employee privacy generally in the context of COVID-19.
This guideline does not apply to health agencies, i.e. the Department of Health or Hospital and Health Services. Health agencies should refer to COVID-19 – Health agency privacy obligations and employee vaccination status.
Vaccination status information in this guideline includes whether an employee has been vaccinated, any decision by an employee to not receive the vaccine, and any reasons for that decision.
Vaccination status information can only be collected where it is reasonably necessary for the agency's functions or activities. Agencies need clear and justifiable reasons for collecting it. When it can be collected, it must be collected in a way that does not unreasonably intrude on the employee's personal affairs and agencies must take steps to ensure it is accurate, complete, up to date and not misleading.[6]
Where agencies can lawfully collect their employees’ vaccination status, agencies should sight evidence of their vaccination status and make a record of this action, rather than retaining a copy of the evidence. This approach minimises the collection of personal information consistent with IPPs 1 and 3.
In the event an employee provides the agency with a copy of their vaccination status this should be sighted and recorded. Once that action is complete, the document should be disposed of (destroyed), provided this is consistent with your agency’s policy and procedure outlining the process which is followed to verify employee vaccination status.[7]
The same process should be applied if employees have a medical exemption from being required to be vaccinated.
It cannot be collected for an unspecified or possible future purpose or where the functions or activities of the agency can be undertaken without it. For example, it is unlikely that collecting vaccination status information for monitoring purposes only would be considered necessary.
Agencies should consider public health advice when determining whether it is reasonably necessary to collect vaccination status information. Workplace specific health and safety risks and relevant workplace laws can also affect whether it is necessary to collect vaccination status information.
Agencies can collect employee vaccination status information if it is required or authorised by law. Law includes a Queensland Act, an Act of another jurisdiction, such as the Commonwealth, that applies in Queensland, and regulations or other instrument made under those Acts, including public health orders or directions.
Relevant laws may require an agency to collect employee vaccination status information, require employees to be vaccinated, or both. Some examples are:
Vaccination status information cannot be collected for an unspecified or possible future purpose or where the functions or activities of the agency can be undertaken safely without it. For example, it is unlikely that collecting vaccination status information for monitoring, or statistical, purposes would be considered necessary.
When determining whether it is reasonably necessary to collect vaccination status information, agencies should consider public health advice. Workplace health and safety obligations and risks, relevant workplace laws and workplace specific vaccine directives can also affect whether it is necessary to require vaccinations and/or collect vaccination status information.
In most cases, the agency must be transparent about why it is collecting vaccine status information and how it will be used and disclosed.[8] It must take reasonable steps to make its employees generally aware of why the information is being collected, any legal authority for the collection, anyone it is the agency's usual practice to disclose it to and any entity that they will disclose it to.[9]
This information must be provided before collecting the information or, if this is not practicable, as soon as practicable after collection occurs.
Agencies must protect employee vaccine status information against unauthorised misuse, loss and unauthorised access, modification or disclosure.[10] It must be appropriately secured and reasonable steps taken to ensure the information is accurate, complete, up to date and not misleading.[11]
Vaccination status information can only be used or disclosed in accordance with why it was collected, what employees were told when the information was collected, or as provided for in the privacy principles.[12]
Where vaccine status information was collected under a public health direction or other law, that law may:
In those circumstances, the secondary uses and/or disclosures permitted under the privacy principles will not apply.[13]
Agencies intending to collect their employees' vaccination status information should consider undertaking a Privacy Impact Assessment (PIA), even if the collection is authorised or required by law.
A PIA allows an agency to identify the privacy risks associated with the collection of vaccination status information and can assist the agency to:
A PIA will also assist an agency to be open and transparent about how it will deal with employee vaccination status information.
Refer to Overview of the Privacy Impact Assessment (PIA) process and Undertaking a Privacy Impact Assessment for more information.
Current as at: December 16, 2021