Is the ‘green tick’ enough to satisfy a COVID-19 vaccine requirement at work?
In the matter of CFMMEU v BHP Coal Pty Ltd  FWC 81, the Fair Work Commission (FWC) has found that it is not a breach of the Privacy Act 1988 (Cth) (the Privacy Act) for employers to collect employees’ COVID-19 vaccination data, including the date and brand of vaccine received. A mere ‘green tick’ from a COVID-19 application on a mobile phone may not provide sufficient detail to ensure the safety of workers and the community, particularly at large scale places of work.
On 7 October 2021, employees at Queensland coal mines operated by the BHP Group of Companies and related entities (BHP) of a Site Access Requirement (SAR). Under the SAR, employees were required to have received two doses of COVID-19 vaccine by 31 January 2022. They were also required to provide evidence in the form of official COVID-19 vaccine certificates. This level of detail was required to allow BHP to reduce the likelihood of fraudulent vaccination data being provided, and to enable BHP to assess risk as the virus and its effects on society continue to evolve. The evidence was to be uploaded to BHP’s vaccination portal on its intranet, or to be delivered to designated on-site stations at which the data was recorded into BHP’s health and safety database. When providing the vaccination information, employees were informed about the rationale for the SAR, the reasons why BHP was collecting the information, the uses of the information, and the ways in which the information would be stored securely. When providing the vaccination information, employees were asked to confirm their consent to the information being collected.
The Construction, Forestry, Maritime, Mining and Energy Union, the Communications, Electrical, Electronic, Energy, Information, Postal, Plumbing and Allied Services Union of Australia and the Australian Manufacturing Workers’ Union (collectively, the Unions) sought a recommendation from the FWC in response to the question: ‘Is the SAR a lawful and reasonable direction or not, having regard to (1) the Privacy Act and (2) the right to bodily integrity?’
The Privacy Act issue
The Privacy Act states that employers must not engage in a practice which breaches an Australian Privacy Principle (APP) as set out in Schedule 1 of the Privacy Act.
APP 3.3 states that entities must not collect sensitive information about an individual unless the individual consents, and the information is reasonably necessary for one or more of the entity’s functions or activities.
The Unions argued that the SAR breached APP 3.3, as employees did not voluntarily consent to the collection of their vaccination information, because they were required to provide their vaccination information in order to access the workplace and work, or risk termination of their employment.
The Unions further argued that the information collected was not reasonably necessary for BHP’s functions or activities. They argued that there was no statue or public health direction requiring the collection of the employees’ vaccination status.
The Unions also suggested that employees who were fully vaccinated but did not wish to provide detailed vaccination information could instead display the ‘green tick’ available on the ‘Check In Qld’ mobile phone application once the employee has linked their Medicare data to that application.
BHP agreed that the information in question was ‘sensitive’ but argued that consent was given, based on the level of information the employees were given prior to providing the information, and the fact that employees were required to confirm their consent while providing the information. BHP also argued that the information was reasonably necessary to ensure the health and safety of their employees and the broader community.
The bodily integrity issue
The Unions’ position was that the practical effect of the SAR was to pressure employees into receiving vaccines which they otherwise may prefer not to receive, and that this pressure denied employees the right to bodily integrity. The Unions argued that this is a relevant consideration in assessing the reasonableness of the SAR, although they accepted that the consideration was not in itself sufficient to make the SAR unreasonable.
The FWC was required to determine firstly whether the SAR violated employees’ rights to privacy under the Privacy Act. The issue of bodily integrity would only be relevant if the SAR had violated those rights.
The FWC found that the SAR did not confer authority on BHP to collect sensitive employee information without their consent. The action of providing health information signified the employee’s consent to BHP collecting their sensitive information, and employees were fully informed of the reasoning behind the collection and use of the information.
Further, while the FWC acknowledged that employees may have had a difficult decision to make if they had strong views about privacy of sensitive information but were concerned about their employment being terminated, the FWC was not satisfied that the pressure amounted to duress that could vitiate consent, as a difficult choice does not constitute a lack of choice.
With regards to the question of necessity, the FWC held that the collection of the vaccination information was necessary to fulfill BHP’s duties in respect of the health and safety of its employees and the public, particularly in respect of the obligations for health and safety detailed in the Coal Mining Safety and Health Act 1999 (Qld). BHP was required to collect vaccination information to ensure that the risk of transmission of COVID-19 in the coal mine was at an ‘acceptable level’, being ‘as low as reasonably achievable.’ While COVID-19 will remain a risk in the workplace even if all employees are vaccinated, vaccination remains an important mechanism to control the risk as much as possible.
The FWC found that that the Unions’ proposal to sight a ‘green tick’ on a COVID-19 mobile phone application each time the employee enters the work site was unworkable as the mines operate 24 hours a day with various access points to the site and large numbers of people coming and going throughout the day.
Ultimately, the FWC concluded that the SAR was a lawful and reasonable direction having regard to the Privacy Act and the right to bodily integrity.
Take Home Messages
This decision confirms that it is reasonable for employers to seek to obtain evidence of vaccination from their staff, so long as such a request is compliant with the Privacy Act (if applicable). It is desirable for that request, as well as any requirements regarding vaccination, to be set out in a policy.
Importantly for our local government clients, the Privacy Act does not apply to local government councils. Nevertheless, it is still essential that employers go through the appropriate work health and safety consultation processes with staff before implementing such a policy. Adequate measures to securely store all sensitive information must also be arranged.
If you have any queries in relation to this article, or would like assistance in preparing a COVID-19 vaccination policy for your workplace, please contact Sathish Dasan on +61 8 8210 1253 or firstname.lastname@example.org, Ganesh Krishnan on +61 8 8217 1395 or email@example.com or Anastasia Gravas on +61 8 8217 1331 or firstname.lastname@example.org.