Australia: Collecting Vaccine Information - A Fair Work Commission Recommendation

Published on Feb 11, 2022

In a new case, the Fair Work Commission issued a recommendation that BHP's collection of vaccine information to support its workplace vaccination mandate was both lawful and reasonable. This case will set the scene for other employers collecting vaccine information. We explore the recommendation in detail.

Background to the FWC recommendation

DP Asbury has issued a recommendation, drawing on findings from the Full Bench of the FWC in the recent Mt Arthur BHP vaccine mandate decision, that BHP's site access requirement is a lawful and reasonable direction having regard to both the Privacy Act 1988 (Cth) (Privacy Act) and employees' right to bodily integrity in the context of BHP Queensland mine sites.

The FWC recognised that whilst some employees may face a difficult decision between consenting to provision of their sensitive information to BHP or being dismissed, this did not mean their consent was not legally effective.

What was the case about?

The case involved disputes about BHP's direction for all workers at BHP's coal mines and other Queensland workplaces to meet the Site Access Requirement (SAR) requiring workers to:

  • be fully vaccinated by 31 January 2022; and
  • provide proof of vaccination by that date, including the type of vaccination and date it was received.

This matter follows related disputes and the Full Bench of the FWC's decision about a similar site access requirement for BHP's Mt Arthur Coal Mine in NSW, discussed in our recent update, WHS consultation crucial to enforcing mandatory COVID-19 vaccination (Mt Arthur decision).

The CFMMEU, the CEPU and the AMWU (the Unions) argued on various grounds that the SAR was not a lawful and reasonable direction. Each made applications under the Fair Work Act 2009 (Cth) to have the disputes in relation to this SAR dealt with in accordance with the disputes procedures under the relevant Enterprise Agreements.

After a series of conciliation conferences, the parties agreed to a consultation plan. Following the implementation of that consultation plan, all issues in dispute were resolved except those in relation to employees' rights under the Privacy Act and rights to bodily integrity. On this basis, the parties sought DP Asbury's recommendation on this question: 'Is the Site Access Requirement a lawful and reasonable direction or not, having regard to (1) the Privacy Act and (2) the right to bodily integrity?'

The bodily integrity issue

In the Mt Arthur decision, the Full Bench cited an earlier High Court judgment that the right to bodily integrity consisted of 'the right to an individual to choose what occurs with respect to his or her own person' and held that such a right was not violated by BHP's SAR in that case.

In this case, the Unions submitted that the pressure that the SAR places on employees to choose between getting vaccinated (i.e. their right to bodily integrity) and having their employment terminated, considered alongside the alleged contravention of the Privacy Act, goes to the lawfulness and reasonableness of the direction. They argued that the combined effect of the alleged Privacy Act breach and the effect that the SAR has on bodily integrity cumulatively tips the balance against the reasonableness of the SAR.

Ultimately the Deputy President formed the view that, applying the Full Bench's conclusions in the Mt Arthur decision, the effect of the SAR on employees' bodily integrity does not result in the SAR being unlawful and is not, of itself, determinative of whether the SAR is unreasonable.

The Privacy issue

The CFMMEU and CEPU contended that the SAR breached Australian Privacy Principle (APP) 3.3, which prevents the collection of sensitive information (including health information like an individual's vaccination status) without an individual's consent. It also requires organisations to only collect information that is reasonably necessary for their functions or activities, unless particular exclusions apply.

The Unions argued that the collection of vaccination status information from employees to meet the SAR breached APP 3.3 because:

  • employees could not be considered to have provided free and voluntary consent to the collection of their sensitive information. Any 'consent', they argued, was vitiated by the threat of disciplinary action and termination of employment; and
  • the information in the documents BHP asked employees to provide to meet the SAR (copies of COVID-19 digital certificates) was not reasonably necessary for, or directly related to, one or more of BHP's functions or activities. The specific information which the Unions took issue with related to the type of vaccine received and the date of injection.

The Unions also asserted that instead of BHP collecting copies of employees' COVID-19 digital certificates, there were suitable alternatives for BHP to obtain an employee's vaccination status information (including the 'Check in Queensland' app and/or by presenting an employee's COVID-19 digital certificate at entry to be sighted by BHP personnel without a record being created). They argued that the availability of these alternative methods demonstrated that BHP's requirements were not reasonably necessary.

A key concern for BHP related to evidence it had uncovered of fraudulent vaccination information being provided by employees and the level of employee non-compliance with the SAR. Without making a finding about this matter, DP Asbury accepted that some 40% of employees who had not complied with the SAR did so on the basis of either concerns about rights under the Privacy Act or their right to bodily integrity.

DP Asbury ultimately formed the view that:

  • employees had been 'more than adequately' informed about matters relevant to consent to the collection of their sensitive information under APP 3.3;
  • while the SAR does have the practical effect of applying pressure to employees to surrender their rights under the Privacy Act, it does not, of itself, force employees to provide sensitive information as it remains open to employees to refuse to do so. While DP Asbury acknowledged that the consequences of not providing consent means that employees will be faced with a difficult decision, the requirement was not considered to constitute coercion or duress of the kind that vitiated consent;
  • the documentation BHP sought (including vaccine type, vaccine dose dates and the document number, though the individual health identifier was not collected) was reasonably necessary for BHP's functions and activities including to lessen or prevent serious threat to life, health and safety of individuals on site and to public health and safety. Importantly, as the DP recognised, this case involved coal mine workers employed across various sites who have various methods of travel to work ('fly in fly out', 'drive in drive out' and 'bus in bus out'), various styles of accommodation (some operated by contractors) and where workers use facilities in regional communities. 'Mine sites', DP Asbury noted, are not 'hotels' and it 'is neither safe nor reasonable to require that a coal mine operator use an access system for verifying vaccination status that is designed for hospitality and retail establishments';
  • the information BHP collected was intended to facilitate planning for the future about COVID-19 controls needed and employee protection; and
  • the direction did not contravene the Privacy Act.

What this means for your workplace

While DP Asbury's recommendation and reasons are not binding on future matters before the FWC, they provide a useful guide to the approach the FWC is likely to take in relation to similar matters. The recommendation also follows a number of decisions about vaccine mandates across various industries, including the Mt Arthur decision, which provide useful guidance for organisations about the introduction of appropriate COVID-19 related safety measures for their workplaces.

While the appropriate approach will always depend on the circumstances, DP Asbury also recognised a number of key principles in managing COVID-19 risks:

  • the shifting nature of the risks – '[t]he only constant of the Pandemic is the rapid shifts in the threats it poses. Matters foreshadowed by the Full Bench have eventuated including the increase in infection rates as borders open, exacerbated by the spread of the more infectious Omicron strain of the virus...';
  • the importance of vaccination as a control measure – 'vaccination is the most effective and efficient control available to combat the risks posed by COVID – 19 for the foreseeable future'; and
  • the importance of considering the particular features of each workplace.

We are continuing to assist clients in managing the risks of COVID-19 in their workplaces including implementing COVID-19 related safety measures in consultation with safety experts and their people. As you consider implementing any vaccination mandate, key points to take into account include:

  • Requirements to comply with any consultation obligations under work health and safety laws and any industrial instrument;
  • Ongoing assessments with respect to risk levels as circumstances change in relation to COVID-19 in your industry and workplace;
  • Your organisation's privacy obligations. Broadly, employers should:
      • seek employee consent to collect, store and use vaccine information in accordance with policies and procedures;
      • only collect information that is reasonably necessary for their organisation's functions and activities;
      • ensure data security – restrict access and use to what is necessary;
      • retain information for only as long as is necessary for the organisation's functions and activities;
      • remember that vaccination status is health information and is subject to health records legislation in some states and a higher level of protection under the Privacy Act. In most cases, it is an offence for an organisation to collect individual healthcare identifiers (IHI) which are included on an individual's immunisation history statement stored on the Australian Immunisation Register. Any proof of vaccination collected by an employer should have an individual's IHI removed or redacted.

If you would like further information or advice regarding the issues raised above, please reach out to our Workplace team.


Trent Forno
Partner, Brisbane