PRIVACY .... WHAT ARE YOUR RIGHTS?

So, this is an important topic!


The first thing you need to know is that we have Federal Legislation overseeing our privacy rights - this means that it applies to all Australians everywhere at all times.


Secondly, it is important to note, that we have PRIVACY PRINCIPLES as a part of our rights enshrined in the Privacy Act 1988 (Cth).


SCHEDULE 1 of the Commonwealth Privacy Act 1988 sets out the

Australian Privacy Principles.


Clause 3.1 of the Australian Privacy Principles states: "If an Australian Privacy Principle (APP) entity is an agency, the entity must not collect personal information (other than sensitive information) unless the information is reasonably necessary for, or directly related to, one or more of the entity's functions or activities".


Now, an "APP entity" means an agency or organisation.


"Agency" means:

(a) a Minister; or

(b) a Department; or

(c) a body (whether incorporated or not), or a tribunal, established or appointed for a public purpose by or under a Commonwealth law, not being:

(i) an incorporated company, society or association; or

(ii) an organisation that is registered under the Fair Work (Registered Organisations) Act 2009 or a branch of such an organisation; or

(ca) a body (whether incorporated or not), or a tribunal, established for a public purpose by or under a law (other than a law providing for the incorporation of companies, societies or associations) of a State or Territory as in force in an external Territory, other than a body exempted by the Minister under subsection (5A); or

(d) a body established or appointed by the Governor-General, or by a Minister, otherwise than by or under a Commonwealth law; or

(e) a person holding or performing the duties of an office established by or under, or an appointment made under, a Commonwealth law, other than a person who, by virtue of holding that office, is the Secretary of a Department; or

(ea) a person holding or performing the duties of an office established by or under, or an appointment made under, a law of a State or Territory as in force in an external Territory, other than an office or appointment exempted by the Minister under subsection (5A); or

(f) a person holding or performing the duties of an appointment, being an appointment made by the Governor-General, or by a Minister, otherwise than under a Commonwealth law; or

(g) a federal court; or

(h) the Australian Federal Police; or

(ha) a court of Norfolk Island; or

(k) an eligible hearing service provider; or

(l) the service operator under the Healthcare Identifiers Act 2010 .


"Organisation" means:

(a) an individual; or

(b) a body corporate; or

(c) a partnership; or

(d) any other unincorporated association; or

(e) a trust;

that is not a small business operator, a registered political party, an agency, a State or Territory authority or a prescribed instrumentality of a State or Territory.


Section 94H of the Privacy Act deals with: Requiring the use of COVIDSafe, and states:

If your privacy rights have been violated in accordance to the above law, you can make a complaint to the Office of the Australian Information Commissioner here.


COVID VACCINATION STATUS DISCLOSURES AND YOUR PRIVACY RIGHTS


Can your employer require you to disclose information about your vaccination status?


Your employer can only require you to provide evidence of your vaccination status in particular circumstances.


If your employer intends to collect your vaccination status into a record, they must be satisfied that this collection is permitted under Australian Privacy Principle (APP) 3.


Information about your vaccination status is sensitive information and is afforded a higher degree of protection under the Privacy Act. Generally, your employer must seek your consent in order to collect your vaccination status information and the collection of this information must be reasonably necessary for one or more of your employer’s functions or activities, unless an exception applies.


Consent must be freely given and constitute valid consent.


This means that your employer cannot pressure or intimidate you to provide information about your vaccination status where they are relying on your consent as the lawful basis for collecting it. Your employer should provide you with adequate information about what information will be collected, why it is required and what it will be used for, prior to you giving consent. Your employer should also tell you whether the information will be disclosed to any third parties.


If your employer is a private sector organisation, they must also be able to justify the collection of your vaccination status information as being reasonably necessary for one or more of their functions or activities.


If your employer is an Australian Government agency, they must also be able to justify that the collection of your vaccination status information is directly related to their functions or activities (which may include preventing or managing COVID-19).

Applicable workplace laws and contractual obligations will impact whether the collection of your vaccination status information is reasonably necessary for your employer’s functions or activities. If your employer is requiring you to disclose information about your vaccination status on a ‘just in case’ basis, or if they can achieve their purpose without collecting this information, it will be harder for them to demonstrate that the collection is reasonably necessary.


The same considerations apply to any proposed collection of vaccination status information from persons related to you or living with you. Employers should be cautious and not assume that they can collect vaccination status information from your relatives or household contacts just because they can collect information from you.


Where your employer has provided a lawful and reasonable direction to you to be vaccinated, your employer can ask you to provide evidence of your vaccination, if this is reasonably necessary. Your employer must also obtain your consent. More information about lawful and reasonable directions is available from the Fair Work Ombudsman’s website.


If there is a term in your enterprise agreement, other registered agreement or employment contract that requires COVID-19 vaccination, it is likely to be reasonably necessary for your employer to collect information about your vaccination status. However, your employer will still need to obtain your consent to the collection.


Required or authorised by law

Your employer may be able to require you to disclose information about your vaccination status without consent if the collection of this information is required or authorised by an Australian law. This includes any Act of the Commonwealth, of a state or territory, or regulations or any other instrument made under such an Act, including public health orders or directions.


State and territory public health orders are continually being updated to respond to the COVID-19 pandemic. You should monitor these developments and review the specific requirements of any relevant orders or directions issued by your state and territory health authority to determine if you may need to disclose information about your COVID-19 vaccination status to your employer. Consult your relevant Department of Health to find out about any relevant requirements to provide proof of vaccination.


If you choose not to have the COVID-19 vaccine, can your employer require you to provide your reasons or other medical evidence?


Your reasons for choosing to not have the COVID-19 vaccination and medical evidence related to this decision is also considered to be sensitive information under the Privacy Act.


As with vaccination status information, your employer can generally only collect this information with your consent, and the collection must be reasonably necessary for your employer’s functions or activities.


However, if there is an Australian law – such as a public health order or direction – that requires your employer to collect your vaccination status information and reasons for non-vaccination, you may be required to provide your employer with your reasons or medical evidence exempting you from vaccination. The information collected should be limited to what is specified in the relevant law, or to what is reasonably necessary in circumstances where it is collected by consent.


Is your employer required to tell you why they are requesting your vaccination status information and what they are going to do with your information?



If your employer requests your consent to collect vaccination status information, they are required to be transparent about why the information is being collected, and how it will be used, in line with APP 1.


Your employer must also take reasonable steps to notify you of the matters set out in APP 5. These include:

  • the purpose of collection

  • the consequences if you refuse to consent to the collection

  • if the collection is required or authorised by law

  • how your employer may use or disclose information about your vaccination status, and

  • that their APP privacy policy contains information about how you may access your personal information, seek correction of your personal information, make a complaint about a breach of the APPs and how your employer will deal with such a complaint.

Your employer should provide you with this information before they collect information about your vaccination status or, if this is not practicable, as soon as practicable after collection occurs.


If you disclose information about your vaccination status to your employer, will your information be protected by the Privacy Act?


Private sector employees

If your employer is a private sector organisation and information about your vaccination status has been collected by them lawfully, the employee records exemption in the Privacy Act will apply in many instances.


This means that the APPs will not apply to the handling of your information once it has been collected and is held in an employee record, where it is directly related to the employment relationship between you and your employer. The OAIC has developed guidancefor private sector employers on privacy best practice when handling information about employee vaccination status. You may wish to suggest that your employer review this guidance before collecting your information.


Your employer must also handle your information in accordance with any applicable requirements or privacy protections set out in a relevant public health order.


Public sector employees

If your employer is a Commonwealth or Norfolk Island Government agency, the privacy protections in the Privacy Act and the APPs will continue to apply to your vaccination status information once it has been collected and included in your employee record.

Your employer must also handle your information in accordance with any applicable requirements or privacy protections set out in a relevant public health order.


Further information is available from the Australian Public Service Commission.


What if you are a contractor, volunteer or applying for a job?


If you are a contractor, subcontractor or volunteer then the employee records exemption will not apply. This is also the case if you are applying for a job as a prospective employee.