Employer vaccination mandates still a minefield for businesses

Article written by Kyle Scott and Claudia Simmons for Australian Business Lawyers and Advisors

There has been a lot said and written over the last 2 years on the topic of COVID-19 and mandatory vaccination, and in particular an employer’s right to issue reasonable and lawful directions to employees to be vaccinated.  However, two years into the pandemic (and counting), there’s still a real lack of clear case law on the extent of an employer’s ability to implement mandatory vaccination policies.

To date, the majority of cases that have come out of the Fair Work Commission have involved situations where employees have been dismissed due to non-compliance with public health orders, or have otherwise been confined to jurisdictional challenges (for example, where the application was filed outside the 21-day time limit) meaning that the Commission has been able to dispose of the claim without a full consideration of the merits of the matter. Those cases have not turned on arguments about the employer’s right to issue reasonable and lawful directions.

Where a State or Territory public health order is in effect, the legal position is reasonably clear. However, where an employee is not required to be vaccinated under a public health order, employers wanting to implement vaccination requirements must rely on their right to issue lawful and reasonable directions.

The BHP Decision

The recent litigation involving the CFMMEU and BHP was a very useful ‘test case’ on the issue and, to date at least, is the best guidance on how a Court or Tribunal would deal with disputes where an employer issues a direction to employees to be vaccinated.

In the BHP decision (CFMMEU & Howard v Mt Arthur Coal Pty Ltd [2021] FWCFB 6059), a 5-member Full Bench of the Commission determined that BHP’s requirement that employees be vaccinated in order to enter worksites was not reasonable. That conclusion was reached largely due to BHP’s failure to properly consult its workforce in the time leading up to its decision to implement the requirement. In particular, the Commission found that BHP should have consulted the workforce when assessing risks to health and safety and when considering how to minimise those risks.

Despite finding the site entry requirement was not reasonable due to the failure to consult, the Commission outlined a number of factors that would provide a ‘strong case’ in favour of a vaccination policy being reasonable. Those factors are that any vaccination requirement:

• be directed at ensuring the health and safety of workers of the site
• have a logical and understandable basis
• be a reasonably proportionate response to the risk created by COVID-19
• be developed having regard to the circumstances of the site
• be timed having regard to the spread of COVID-19 in the local area at the relevant time
• be implemented only after encouraging and facilitating vaccination for workers as much as practicable.

The BHP decision provides a useful roadmap for businesses that are considering implementing mandatory vaccination requirements. In particular, the case highlights the importance of:

• conducting a risk assessment for each category of worker, prior to any decision being made, to determine whether vaccination is a necessary and proportionate control to protect the health and safety of employees; and
• meaningfully consulting with the workforce on any risk assessments and vaccination requirement proposals prior to the implementation of any policy / directive.

However, even where you are able to establish that there is a legitimate and reasonable basis for vaccination requirements, businesses must consider how the vaccination requirement will be implemented and policed, including how employees’ vaccination status will be verified.

Privacy considerations remained the sleeping giant

While the BHP decision was widely reported when it was published in December 2021, one aspect of the decision did not get a lot of air-time: whether BHP’s site entry requirement breached the Privacy Act.

Under the BHP policy, employees were not only required to be vaccinated but were also required to provide evidence of their vaccination status by a particular date in order to access the worksite.

In the dispute, the CFMMEU argued that the BHP policy was not lawful or reasonable because BHP had not complied with the Privacy Act; specifically, the union argued that BHP needed to obtain genuine and voluntary consent from employees in order for them to hand over their vaccination information.

The Privacy Act rules regarding the collection of sensitive information are quite complex. The starting point is that employers must not collect ‘sensitive information’ about an individual unless the individual consents and the information is reasonably necessary for one or more of the organisation’s functions or activities. However, there are two exceptions to the requirement for consent:

• where the collection is ‘required’ or ‘authorised’ by an Australian law (e.g. under a public health order); or
• where a ‘permitted general situation’ exists in relation to the collection of information (one such permitted general situation is where the employer ‘reasonably believes that the collection is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety’).

Importantly, the Full Bench did not reach a concluded view about whether BHP had breached its privacy obligations, including whether the ‘permitted general situation’ was enlivened in this particular case. Instead, the Full Bench said it was unnecessary for them to determine the issue as they had already concluded the policy was not reasonable due to the lack of consultation.

This left two really important questions unanswered:

1. Does a business need an employee’s consent in order to collect their vaccination information?
2. Can an employer direct an employee, against their will, to provide proof of their vaccination status?

Further BHP dispute provides additional guidance, but without answering the question!

On 21 January 2022, Deputy President Asbury of the Fair Work Commission published a Recommendation and Reasons after dealing with a dispute between the CFMMEU and BHP Coal about the application of BHP’s site entry requirement in Queensland ([2022] FWC 81). In this matter, the parties had agreed between themselves that DP Asbury make a Recommendation rather than arbitrating the dispute and issuing a Decision. However, the Reasons still provide a helpful analysis of the legal position around privacy and consent when dealing with vaccination information.

In the dispute, the unions argued that the site entry requirement was not lawful or reasonable because it involved a breach of the Privacy Act.  Specifically, it was argued that any consent that is given in the face of social and economic pressure is not really consent. The unions relied on the passage in the Full Bench decision of Lee v Superior Wood (a case about the collection of an employee’s biometric data) where the Full Bench stated that “We consider that any ‘consent’ that he might have given once told that he faced discipline or dismissal would likely have been vitiated by the threat”.

In response, BHP argued that no employee was being forced to provide their vaccination information. Rather, it was their choice whether or not to provide vaccination proof, but that if they chose not to provide vaccination evidence they would not be permitted on site and likely have their employment terminated. BHP argued that any economic or social pressure that may be felt by them to do provide their vaccination proof in order to keep their job did not amount to coercion such that it would vitiate consent.

In her Reasons, DP Asbury found that the practical effect of the site entry requirement was to apply pressure to employees to surrender their rights under the Privacy Act by providing their sensitive health information. However, DP Asbury concluded that such pressure does not amount to coercion in a legal sense or economic duress that could vitiate consent. On that point, DP Asbury stated that:

I acknowledge that the choice as to whether to comply with the direction or not, may be difficult for persons who hold strong views about the privacy of their sensitive information and that a decision not to provide the information will almost certainly result in the termination of their employment. However, the fact that employees are faced with a difficult choice, does not, in the circumstances, constitute effective lack of choice. Nor does it constitute duress or coercion that vitiates or invalidates the choice.

The DP Asbury Reasons adds weight to the view that where employees reluctantly consent to provide their vaccination information (even under threat of termination), their reluctance does not void their consent in providing the information. This is helpful for employers that might be considering implementing mandatory vaccination policies.

However, neither of the BHP decisions deal with the question of whether an employer can compel an employee to provide their vaccination information pursuant to the ‘permitted general situation’ exception in the Privacy Act. Like the 5-member Full Bench BHP decision last December, DP Asbury avoided making any conclusions about whether the ‘general permitted situation’ applied so as to not require the consent of employees to collect their vaccination information. So the question continues to remain unanswered for the time being!

A safer way forward for businesses: ‘sighting’ rather than collecting

Businesses that are considering implementing mandatory vaccination requirements (outside the scope of the public health orders) will need to carefully consider how they will deal with the privacy law issues arising from their policy, including how they will check employee vaccination status when applying and enforcing the policy.

In many cases, businesses will want to collect this information and store it on some form of database so that a record is retained for future reference (e.g. to meet client/customer requirements). In those circumstances, businesses should try to have employees voluntarily provide the information (i.e. they give their consent). However, you may then run into difficulties where employees do not consent to providing their vaccination status information, and in those cases you would need to rely on a ‘permitted general situation’ existing. Businesses will also need to notify employees of a range of things including the purpose for which they are collecting the information and to whom the business might disclose the information (we recommend that a disclosure / consent statement be provided to employees prior to collecting vaccination information).

A far safer approach would be to ‘sight’ employee vaccination information instead of ‘collecting’ it.  Under the Privacy Act, the term ‘collect’ is defined as meaning collecting the personal information ‘for inclusion in a record or generally available publication’. By merely ‘sighting’ vaccination information and not collecting it or making a written record of employees who are vaccinated, businesses are able to side-step the requirements for obtaining employee consent under the Privacy Act.  This provides a far cleaner path for businesses to take.

Clearly, the legalities surrounding mandatory vaccination policies remain complex, so businesses should have a clear plan before going down this path.

‍