
Hair & Beauty Australia Industry Association

COVID-19 vaccinations and privacy laws

Posted December 6, 2021

Many employers are asking about the collection and storage of information regarding an employee’s vaccination status and the requirements of the Privacy Act 1988 (Cth) (Privacy Act).

Can an employer require an employee to provide evidence of their vaccination status?

If an employer wants to collect vaccination status from employees, they must be satisfied that this collection is permitted under Australian Privacy Principle (APP) 3 in the Privacy Act. Under APP 3:

  • a business must only solicit and collect personal information that is reasonably necessary for its functions or activities; and
  • a business can only collect ‘sensitive information’ from an individual if the individual consents to the collection, unless an exception applies.

Vaccination status information falls within the definition of ‘sensitive information’ in the Privacy Act because it is ‘health information about an individual’.

Individual consent is not necessary where the collection of sensitive information is required or authorised by or under an Australian law. State and Territory public health orders fall within the definition of an ‘Australian law’. Victoria and New South Wales are the only states that have public health orders/directions which require hair and beauty employers to collect and store vaccination status information for their employees and require an employee to provide this information to their employer. In these circumstances, both the employer and employee must comply with the public health order/direction.


What are the requirements for genuine consent?

If there is no public health order/direction in place then a business is required to seek an individual’s consent to collect vaccination status information. The consent must be freely given, which means that the business cannot pressure or force an employee to provide information about their vaccination status.

The business must provide the person with adequate information about:

  • what information will be collected i.e. vaccination status;
  • why it is required; and
  • what it will be used for.

The business will also need to inform the individual about whether the information will be disclosed to any third parties.


Can an employer require new employees/candidates/contractors/suppliers/clients to provide vaccination status information?

Employers can ask individuals to supply vaccination status information if the employer is required to collect the information to comply with a relevant public health order/direction requiring vaccination.


Salons in Victoria

Under the Open Premises Directions (No 5), workers at a beauty and/or hairdressing salon must be fully vaccinated, and the business must collect, record and hold vaccination status information about each fully vaccinated person and each excepted person that works at or attends the premises.

An ‘excepted person’ is someone who holds certification that they are unable to receive a COVID-19 vaccination due to a medical contraindication or an acute medical illness.

The only way a person can get a vaccination exemption certificate is through a doctor lodging an Immunisation Exemption Form with the Australian Immunisation Register. A person will then need to be able to access their Medical Exemption Certificate via the myGov website or app. Access to this certificate is the same as downloading an immunisation certificate.

The business is required to maintain a system that requires clients and other visitors (except those under the age of 16) to show their vaccination status information every time they attend the premises. A worker must also be appointed as a COVID Check-In Marshal at the entrance of the premises to ensure that each client provides their vaccination status information.

The business is also required to take all reasonable steps to ensure that a client or other visitor who is not fully vaccinated or not an excepted person does not enter or remain on the premises.


Salons in New South Wales

Under the Public Health (COVID-19 General) Order, hair and beauty businesses must take reasonable steps to ensure that unvaccinated adults are not on the premises. This includes workers and clients. This restriction is likely to be lifted once the state reaches the 95% fully vaccinated target which is estimated to be on 15 December.

An exemption form is available for people who are unable to be vaccinated due to a medical contraindication. Workers will need to provide evidence of a medical contraindication via a certificate from a doctor, in a form approved by the Chief Health Officer that specifies the medical contraindication. This can be done either through the Australian Immunisation Register’s immunisation medical exemption form or the NSW COVID-19 vaccine medical contraindication form.

At the time of writing there are no vaccination requirements in the hair and beauty sector in any other state or territory.


What can a business do with vaccination status information?

If a business is relying on consent as the basis for collecting vaccination status information, then that information can only be used in a manner that the individual has agreed to. For example, if a business disclosed the vaccination information to a third party and the individual did not agree that the employer could do this, it is likely to be considered that consent was not provided.

Vaccination status information that a public health order/direction requires to be collected can only be used for the purpose it was collected for. In other words, if a business is required to collect vaccination status information in order to determine who is allowed to be on the premises, then that is all it can be used for.


How should vaccination status information be stored?

Vaccination status information must be stored securely. The information should only be accessed by a limited number of people who need to know the information.

In addition to the requirements in the Privacy Act, the Healthcare Identifiers Act 2010 (Cth) requires that businesses take reasonable steps to protect any ‘healthcare identifiers’ that the business holds from misuse, loss or unauthorised access, modification or disclosure. An individual’s full COVID-19 Digital Certificate contains the person’s ‘Individual Healthcare Identifier’, therefore this Act would apply. There are penalties for unauthorised use and disclosure of ‘healthcare identifiers’.

Employers should consider covering the individual’s Healthcare Identifier if they are going to keep copies of digital certificates.


What can an employer do if an employee refuses to provide information on their vaccination status?

An employer and employee must comply with any public health order/direction that requires employers to collect, record and store vaccination status information.

Before any disciplinary action occurs for refusing to comply with a direction to provide vaccination status information, the employer should consider the following issues:

  • Would terminating the employee’s employment be considered harsh, unjust or unreasonable? If so, the termination could breach the unfair dismissal laws in the Fair Work Act 2009 (FW Act).
  • Would taking disciplinary action against the employee be seen to be discriminatory on the basis of a protected attribute (e.g. a disability in the form of a medical condition that prevents vaccination)? If so, this could breach anti-discrimination laws or the general protections in the FW Act.

How long should vaccination status information be kept?

APP 3 only permits a business to collect personal information that is reasonably necessary for its functions or activities. As soon as it is no longer necessary to collect and store the information, the information should be destroyed.

If a public health order/direction regarding mandatory vaccination and collection of vaccination status information is lifted, then the employer needs to destroy any digital certificates or other vaccination status information records that they have kept.

Where can I find more information about privacy requirements?

The Office of the Australian Information Commissioner publishes guidance for entities regulated by the Privacy Act. The Office has issued guidance on privacy issues relating to COVID-19 vaccinations.

Advice or assistance

Our advisers are ready to answer your questions. For advice on this topic, or any other workplace relations matter, please call the HABA Advice Line on 02 9221 9911.

Please note that the HABA Advice Line will be open over the Christmas-New Year period from 9:00am-5:00pm AEDT Monday to Friday excluding public holidays.


Copyright © Hair and Beauty Australia | ABN 781 333 722 00