Collecting vaccination information - are employees freely consenting?

Friday, 11 March 2022 at 1:21 am

The Fair Work Commission has rejected a challenge to BHP's COVID-19 vaccination verification requirements for its coal mine sites, based on an alleged breach of privacy legislation, dismissing arguments to the effect that employees' consent is not 'real'.

The decision is instructive for the Victorian Public Sector as applicable provisions of the Victorian legislation are capable of being interpreted in a similar way.


On 7 October 2021, BHP employees at coal mines and related sites were informed of site access requirements, which required workers to provide evidence to BHP of having received two doses of COVID-19 vaccination, including the type of vaccination and date it was administered.

Workers could either provide digital vaccination certificates or immunisation statements, which would then be stored either when an employee uploaded the document to an intranet portal or provided a copy to a BHP Health Team member on site, who would then sight and record the information.

In both cases, employees are asked whether they give their express consent to the collection of the information via the following consent notice. If an employee does not consent the information is not collected. The implications of not providing the information were communicated as:

  • employees who cannot comply with a site access requirement on the date that it becomes effective will be stood down on unpaid leave
  • those who cannot comply with the SAR without reasonable excuse will be asked to show cause why their employment should not be terminated
  • if employees do not provide evidence of vaccination status, BHP may assume you have not received the vaccine.

Several unions disputed the site access requirements by application to the Fair Work Commission under the dispute settlement procedures applying at various mine sites.

They sought a Recommendation from the Commission in the form of an answer to the following question: “Is the Site Access Requirement a lawful and reasonable direction or not, having regard to (1) the Privacy Act and (2) the right to bodily integrity?”

What were the privacy law arguments?

Australian Privacy Principles (APP) 3.3 provides that organisations must not collect sensitive information (defined to include health information) about an individual unless the requirements set out in APP 3.3(a) and 3.3(a)(ii) are met. Relevantly, APP 3.3(a) requires employees to consent to the collection of sensitive information, and APP 3.3(a)(ii) requires that the sensitive information be reasonably necessary for, or directly related to, one or more of the organisation's functions or activities.  

While public sector employers are not likely to be 'APP entities' covered by the Privacy Act 1988 (Cth), the comparable provisions in the Health Records Act 2001 (Vic), which apply to the collection of health information by Victorian Public Sector employers, are similarly worded.

Specifically, the Health Privacy Principles state:

  1. An organisation must not collect health information about an individual unless the information is necessary for one or more of its functions or activities and at least one of the following applies—
    1. the individual has consented; or….

The applicant Unions argued that BHP's site access requirements did not constitute a lawful and reasonable direction because:

  • to the extent that any employee consented to supplying the information, the consent was vitiated by the threat that, if they do not consent, they may be disciplined or have their employment terminated, or there is no consent at all (which makes the collection of information unlawful); and/or
  • the collection of vaccination information is not permitted by the Australian Privacy Principles because the information is not 'reasonably necessary' for the employer's functions and activities.

What did the Commission decide?

Deputy President Ingrid Asbury held that BHP's Site Access Requirement (SAR) was a lawful and reasonable direction having regard to the Privacy Act 1988 (Cth) ('Privacy Act') and the right to bodily integrity.

The most significant conclusions were:

  • The site access requirement did not, itself, force employees provide sensitive information, and it remained open to employees to decline to do so.  The Commission found that, to the extent that the requirements may be regarded as a form of economic pressure, it still did not amount to economic duress of the kind that could vitiate consent.
  • Regarding BHP's argument that collecting vaccination certificates was required in order to interrogate its accuracy, and the Commission agreed that the information required is necessary to manage fraud, both actual and potential, because "[i]t is uncontentious that any fraudulent activity would be undertaken by persons who are not vaccinated and who seek to falsify evidence for the purpose of establishing that they are vaccinated".  The Commission was not persuaded that there are other and more effective means of addressing this concern. 
  • The site access requirement was reasonably necessary in order to fulfil its statutory and common law functions in respect of the health and safety of employees.  The Commission commented:

"It is difficult to conceive of a greater or more immediate hazard, or more serious consequences and risks, than those associated with the transmission of a virus that can cause serious illness and possibly death. The risk of illness arising out of that hazard is higher or more likely if unvaccinated persons are permitted to enter the Respondent’s work sites and acquire and/or spread the virus to other workers or persons, both vaccinated and unvaccinated."

  • The Commission rejected that a less invasive mode of verifying vaccination status was appropriate, involving workers showing a QR Check-in App displaying a green tick because it was "at best unworkable and at worst, chaotic" because of the time it would take to facilitate the entry and exit of persons from the workplace every day. 

Key lessons for the Victorian Public Sector

  • Where a Pandemic Order is in effect (which was not the situation faced by BHP), this will often mean that it is 'necessary' for an organisation to collect vaccination status information.
  • Where a Pandemic Order is not in effect, an organisation's legal obligations with respect to work health and safety and the duty of care owed to employees may mean that it is 'necessary' for the functions and activities of the organisation to collect vaccinations status information.  However, this is not sufficient, in and of itself, to make the collection of information lawful.
  • A carefully communicated consent agreement, including the consequences of non-compliance, may be sufficient for organisations to ensure that the collection of information is fair and in accordance with privacy law requirements.  However, whether the consent obtained is full, free and informed will depend on all of the circumstances.

Contact our team

Please get in touch with our team if you need assistance with these matters.

Alanna Mitchell
Assistant Victorian Government Solicitor
T: 0477 720 552

Cassandra Tanner
Lead Counsel
T: 0456 996 763