There is no doubt that the introduction of mandatory vaccination policies and the collection of information about a person’s vaccination status has raised debates and concerns surrounding personal choice and privacy.
There is no doubt that the introduction of mandatory vaccination policies and the collection of information about a person’s vaccination status has raised debates and concerns surrounding personal choice and privacy.
The vaccination status of a person is health information that is “sensitive information” under the Privacy Act 1988 (Cth) (Privacy Act) to which higher privacy protections apply in relation to its collection.
Concerns have also arisen in relation to workplace vaccination and individuals’ rights to choose what to do with their bodies.
Background
In December 2021, the Full Bench of the Fair Work Commission (FWC) in Construction, Forestry, Maritime, Mining and Energy Union & Anor v Mt Arthur Coal Pty Ltd T/A Mt Arthur [2021] FWCFB 6059 (Mt Arthur Coal decision) found that site entry requirements which required employees to be vaccinated against COVID-19 were not a reasonable and lawful direction because of the employer’s failure to consult with workers under work health and safety legislation prior to its introduction (see our summary of this decision here).
In January 2022, the FWC was again required to deal with disputes under enterprise agreements concerning a Site Access Requirement (SAR) introduced at coal mines and sites operated by the BHP group of companies in Queensland (the Employers).
In Construction, Forestry, Maritime, Mining and Energy Union & Ors v BHP Coal Pty Ltd T/A BHP Billiton Mitsubishi Alliance / BMA & Ors [2022] FWC 81, the parties sought the FWC’s recommendation (rather than seeking a full arbitration of the matter) in response to the question:
Is the SAR a reasonable and lawful direction having regard to the:
- Privacy Act; and
- Right to bodily integrity.
In this matter, the SAR required employees to have received two doses of an approved COVID-19 vaccination and to provide acceptable evidence to demonstrate their vaccination status. There were four forms of vaccination evidence including COVID-19 Digital Certificates, an International COVID-19 Certificate and an Immunisation History Statement. Unacceptable forms of evidence included a certificate found in the “Check in Queensland” smart phone application and a certificate that could be accessed through the MyGov or Medicare applications.
Employees were able to upload their vaccination evidence to an online portal which required employees to expressly consent to the collection of their information, or present their evidence to authorised personnel who would sight and record the information. Employees were also to complete a form which required them to provide their name, employee number, date of birth, type of vaccine, vaccination dates and document number of their vaccination certificate or immunisation history statement (but not their individual health identifier). This allowed the Employers to verify the vaccination evidence. The information would be held on a specific database which was used by BHP to record health and safety hygiene data and would only be accessible by specific and authorised persons.
The Construction, Forestry, Maritime, Mining and Energy Union, the Communications, Electrical, Electronic, Energy, Information, Postal, Plumbing and Allied Services Union of Australia and the Automotive, Food, Metals, Engineering, Printing and Kindred Industries Union (collectively, the Unions) provided submissions in the matter.
Bodily integrity
In relation to the right to bodily integrity, the Unions submitted that the SAR required employees to choose between being vaccinated or continuing to be employed. This choice placed pressure on employees to forfeit their right to bodily integrity and that this pressure was a factor against concluding that the SAR was reasonable. The Unions submitted that this pressure together with the breaches of the Privacy Act supported a conclusion that the SAR was not a lawful and reasonable direction.
The Employers accepted that there was a common law right to bodily integrity but denied that it was violated by the SAR. The Employers submitted that other considerations including the nature of the COVID-19 disease, the need to ensure the health and safety of workers and the statutory obligations to ensure health and safety outweighed the practical effect of the SAR placing pressure on employees to be vaccinated when they may not want to.
In relation to this issue, Deputy President Asbury applied the conclusions of the Full Bench in the Mt Arthur Coal decision. That is, the effect of the SAR on bodily integrity alone did render the SAR unlawful or unreasonable, but was a relevant consideration as to whether the SAR was a lawful or reasonable direction.
Accordingly, DP Asbury turned to the contentions in relation to the Privacy Act.
Privacy Act
The Australian Privacy Principle (APP) 3.3 was the subject of dispute. APP 3.3 provides:
An APP entity must not collect sensitive information about an individual unless:
(a) the individual consents to the collection of the information and:
i. if the entity is an agency — the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities; or
ii. if the entity is an organisation — the information is reasonably necessary for one or more of the entity’s functions or activities; or
(b) subclause 3.4 applies in relation to the information.
The Unions submitted that APP3.3(a) required employees to consent to the collection of vaccination information. For the Unions, this consent was not freely given because employees were at risk of facing disciplinary action or termination of employment if they did not consent.
In this regard, the Unions relied upon Lee v Superior Wood Pty Ltd [2019] FWCFB 2946 (Lee) and submitted that similar circumstances applied in this matter and as such the SAR was not a lawful direction. In Lee, the Full Bench found that the direction given to an employee to provide his fingerprint data without his consent was not a reasonable direction and further, that any consent given when told he faced discipline or dismissal would be ineffective and not genuine consent.
The Unions argued that the Employers had not demonstrated that the collection of the vaccination information was reasonably necessary for its functions activities as required by the APP3(a)(ii) and had not demonstrated that APP 3.4 was applicable.
The Unions submitted that the Employers could verify an employee’s vaccination status by sighting (but not recording) the vaccination evidence in the Queensland Government’s QR Check-in App prior to entry to the worksite and this did not require the collection of sensitive information. For the Unions this demonstrated that the method of collection by the Employers was not reasonably necessary.
The Employers denied that there was a contravention of the APP 3.3 and submitted that the information collected was permitted because the employees provide express consent to providing the information and the information was reasonably necessary for the implementation of the SAR.
As to the issue of free consent, the Employers submitted that per the conclusions of the Full Bench in the Mt Arthur Coal decision, the SAR was not legal coercion and the consent was not ineffective because there was social or economic pressure. Further, the Employers also submitted that the Lee decision should not be followed for reasons including that the circumstances of that case differed.
In response to the Unions argument that there could be sighting of the vaccination evidence upon entry, the Employers argued that this was impracticable as it would require each entry point to be staffed at all times during the 24-hour operation of the mine, cause entry delays and provided no way for verification.
DP Asbury noted that APP 3.3 had “two limbs”:
- consent is given; and
- whether the sensitive information is collected is reasonably necessary for, or directly related to, one or more of the Respondents’ functions or activities.
As to (1.) DP Asbury did not accept the arguments from the Unions in relation to consent and found that the Lee decision could be distinguished on its facts. In the Lee decision, there were other breaches of the Privacy Act including that the employer did not have a privacy policy, concerns about the security of data collected and the finding that the collection of biometric data was for administrative convenience rather than for the employer’s functions or activities. It was in this context that the Full Bench in the Lee decision found that the consent given would “likely have been vitiated by a threat to dismiss”.
DP Asbury did not agree that the SAR amounted to economic pressure which would make consent ineffective. She accepted that in the methods of collection, employees were providing their consent to providing their vaccination evidence and for it to be collected. Employees were told why it was being collected, the use of the information and the way it would be stored. Employees were also given the option to change or withdraw their consent.
DP Asbury stated at [175]:
I acknowledge that the choice as to whether to comply with the direction or not, may be difficult for persons who hold strong views about the privacy of their sensitive information and that a decision not to provide the information will almost certainly result in the termination of their employment. However, the fact that employees are faced with a difficult choice, does not, in the circumstances, constitute effective lack of choice. Nor does it constitute duress or coercion that vitiates or invalidates the choice.
As to (2.) the DP Asbury considered this limb was concerned with whether the collection of the information was reasonably necessary and not the manner in which it was collected. She was satisfied that the vaccination evidence was reasonably necessary for the Employers functions or activities for a number of reasons, including:
- the SAR was to fulfil the Employers’ functions in relation to the health and safety of employees;
- the SAR operated as part of a broader COVID-19 controls which would assist the Employers in managing COVID-19 risks in the workplace;
- the COVID-19 pandemic was a rapidly evolving situation and information about vaccine types and dates vaccination were received would help inform decision and manage effects of the virus;
- assisting the Employers to manage fraudulent vaccination evidence;
- COVID-19 was a significant hazard particularly in workplaces where common spaces are shared and employees interact. For the coal industry, this also extended to the local communities and accommodation facilities where employees may reside or visit; and
- for both the Employers and employees to comply with their obligations under the Coal Mining Safety and Health Act 1999 (Qld).
DP Asbury did not accept the Unions suggestions for other sighting vaccination evidence at entry points as practicable. She noted that the mines operated 24 hours per day, 7 days per week, 365 days per year, had multiple access points and such a process would be prone to human error.
Accordingly, DP Asbury was satisfied that the collection of vaccination evidence was reasonably necessary for one or more of the Employers functions or activities as such, the SAR did not contravene the Privacy Act and was not unlawful.
Having reached her conclusions on both the Privacy Act and bodily integrity issues, DP Asbury concluded that the SAR was a lawful and reasonable direction having regard to the Privacy Act and the right to bodily integrity.
Lessons for employers
While DP Asbury’s conclusions are only a recommendation, it provides support to employers who have implemented or are considering implementing mandatory COVID-19 vaccination policies.
It is clear now that prior to the introduction of such policies, it will be necessary that employers consult with workers and ensure that they comply with the APPs under the Privacy Act.
Information provided in this blog is not legal advice and should not be relied upon as such. Workplace Law does not accept liability for any loss or damage arising from reliance on the content of this blog, or from links on this website to any external website. Where applicable, liability is limited by a scheme approved under Professional Standards Legislation.