Australia: FWC dismisses privacy concerns about employers collecting sensitive information

Introduction

A recent decision of the Fair Work Commission (the "FWC") provides greater clarity for employers in relation to whether collecting sensitive information from employees regarding their vaccination status is a lawful and reasonable direction. Sensitive information such as vaccination status is afforded higher protections under the Privacy Act  (1988) (the "Privacy Act"), and employers are prohibited from collecting sensitive information unless the employee consents, and it is reasonably necessary to the functions or activities of the employer.

Background

Employees at 12 Queensland coal mines and related sites operated by employers in the BHP group of companies were informed in October 2021 that a Site Access Requirement ("SAR") was being introduced which required all employees to be fully vaccinated against COVID-19 by 31 January 2022. An identical SAR had been introduced in relation to an open cut coal mine in NSW run by another employer in the BHP group of companies. In that case, the FWC found that the employer had fallen short of its consultation obligations under the Work Health and Safety Act 2011 (NSW) (the "Mt Arthur Decision").

The SAR in this case also required employees to provide evidence as to the type of vaccination and the date they received it. Several unions launched a dispute contending that the SAR was invalid and was not necessary for the performance of the employee's contract of employment. The unions also submitted that collecting sensitive information under the SAR was an unreasonable invasion into the privacy of employees, which did not have regard to the Privacy Act or the "right to bodily integrity".

The unions and the employers had agreed to a consultation plan which was held over the course of December 2021 and January 2022, during which all of the issues in dispute had been resolved except for issues relating to the rights of employees under the Privacy Act and to bodily integrity. Consequently, the parties agreed to seek a recommendation from the FWC on the question of whether the SAR was a lawful and reasonable direction, having regard to the Privacy Act and the right to bodily integrity.

The employers had communicated to its employees that it was implementing the SAR and collecting sensitive information based on the following rationale:

• it had an obligation and responsibility to keep workers safe and healthy;
• COVID-19 remained a significant risk to the employer's workforce; and
• vaccination remains the most efficient and effective control available to combat the risks posed by COVID-19.

In opposing the SAR, the unions submitted that the SAR was "replete with unlawfulness and unreasonableness"  having regard to the Privacy Act. The unions, pointing to the public health orders, industrial instruments and the employee's contract argued that there were no grounds for the employers to be collecting sensitive information and to direct employees to provide such sensitive information when proving their vaccination status. The unions also noted that while employees weren't being explicitly forced to be vaccinated, the pressure applied to employees to maintain their jobs resulted in them giving up their bodily integrity and ceding a civil right. The unions also submitted that employee consent was vitiated due to the economic and social pressure related to the SAR.

In relation to the employers collecting sensitive information, it was submitted by the employers that it would accept three documents as evidence for vaccination. These documents were titled "certificates", and would include the employee's name, date of birth, vaccine type, both vaccine dose dates and the document number. The unions objected to this requirement, and proposed an alternative system whereby employees who did not wish to provide sensitive information were able to use a "green tick" method instead, which involved showing the employers the green tick symbol on their QR Check-in App (which verified that a vaccination certificate had been uploaded) to obtain entry to the site. However, the unions still maintained their objections to the employers collecting sensitive information, asserting that even the fact that the employee had such a green tick on their QR check in app could not be recorded by the employers and must be verified on each occasion that the employee accessed a mine site.

Outcome

The FWC rejected the arguments put forward by the unions, finding that the SAR was a lawful and reasonable direction having regard to the Privacy Act and the right to bodily integrity.

The FWC applied the ruling in the Mt Arthur Decision to find that the effect of the SAR on the rights of employees to bodily integrity did not result in the SAR being unlawful, and that this was not, of itself, determinative of whether the SAR was unreasonable. The FWC also applied the relevant reasoning in the Mt Arthur Decision in respect of the Privacy Act, finding that the economic and social pressure created by the SAR was not coercion in the legal sense that vitiated the consent of the employees to provide sensitive information to the employer.

The FWC held that the SAR was reasonable for the respondents to uphold their statutory and common law duties to employee health and safety. The sensitive information was reasonably necessary for their functions or activities because the SAR had been implemented to lessen or prevent a serious threat to the life, health and safety of individuals on the employer's sites, which was a vital concern for both the employers and the employees. The FWC also disagreed with the position of the unions that the employer collecting sensitive information needed to be reasonably necessary for the functions or activities of the employer, ruling that it was the information itself which needed to be reasonably necessary.

The FWC considered that it would be extremely impractical to monitor the "green tick" approach suggested by the unions, given the nature of operations at the worksites which operated 24/7, 365 days a year. This, coupled with multiple access points and employee start times, would require the employers to have staff at access points constantly throughout each day. This approach would be "susceptible to human error" which could result in a series of COVID-19 outbreaks on the various mining sites.

Key Takeaways

• Collecting sensitive information from employees regarding their vaccination status is permitted under the Privacy Act if it is reasonably necessary for the employer's functions and activities.
• Employers may be able to implement mandatory vaccination policies where they are necessary for the discharge of statutory and common law duties regarding employee health and safety.
• The FWC has ruled on two occasions that it does not consider that economic and social pressures to receive a COVID-19 vaccine constitute coercion for the purposes of legal consent.