As New Zealand steadily tracks towards its vaccination targets and a much-anticipated reopening, businesses across the country are continuing to grapple with ways to best prevent and manage COVID-19 in the workplace. Currently front of mind are vaccination policies for staff and other visitors to the workplace and Government-mandated vaccine requirements.
As a result, businesses continue to collect more sensitive information about employees, contractors and other visitors to the workplace, including vaccination status information and medical certificates for individuals with a medical contraindication.
In what circumstances can businesses collect vaccination status information?
It is important to remember that information about a person’s vaccination status and medical certificates are ‘personal information’ which must be collected, used and disclosed in accordance with New Zealand’s privacy laws, including the Privacy Act 2020 (Privacy Act) and the associated New Zealand Privacy Principles (IPPs).
In what circumstances can businesses collect vaccination status information about employees, labour hire workers, contractors, volunteers, candidates and other visitors to the workplace?
Vaccination status information is ‘sensitive information’ about an individual and is afforded higher protections under the Privacy Act.
This means that, generally speaking, a person’s vaccination status must only be collected if:
- the information is necessary for one or more of the business’ functions or activities; and
- the individual has consented.
In many cases, it may be necessary for businesses to collect vaccination status information to prevent and manage COVID-19 in the workplace. When considering vaccination information about workers, applicable workplace laws and contractual obligations will impact whether the collection of vaccination status information is reasonably necessary for a business’ functions or activities.
If vaccination status information is being collected ‘just in case’, or if the purpose for which it is being collected can be achieved without the information, it will be harder to justify the information being collected.
When consent is not required
There are certain circumstances when consent is not required. This includes where:
- the collection is required or authorised under New Zealand law; or
- the information is necessary to prevent or lessen a serious threat to the life, health, safety or welfare of any individual or to public health or safety (and it is impracticable to obtain consent).
Laws that require and authorise the collection of vaccination status information can include public health orders and directions made by Government.
When relying on the “required or authorised by law” exemption, it is important to understand the specific requirements of the relevant law. The law will dictate what information is “required or authorised” to be collected. In most cases, it will be sufficient to sight an individual’s immunisation certificate or history statement and make a record that you have done so and that the person is partially or fully vaccinated. It is not necessary (nor is it recommended) that businesses collect and store a copy of the certificate/statement.
Directions and public health orders are constantly being issued and updated, and all organisations should monitor the developments.
In summary, vaccination status information about workers may be collected if a public health order or direction is in place, which requires that information to be collected. If a public health order or direction does not apply, where a lawful and reasonable direction has been given to workers to be vaccinated, you can ask your workers to provide evidence of their vaccination if you consider this is reasonably necessary and you have obtained their consent.
In all other cases, businesses may collect vaccination status information if that information is reasonably necessary for one or more of the business’ functions or activities (which may include preventing and managing COVID-19 in the workplace) and the individual consents.
The above principles apply equally to other types of sensitive information, including medical certificates provided by individuals who have a medical contraindication and may be exempt from vaccination requirements under law.
Collection Notice and Transparency
It is important that all businesses are transparent about the reasons why they are collecting vaccination status information and comply with the relevant IPP.
The principle requires businesses that collect personal information to take reasonable steps either to notify the individual of certain matters about the collection or to ensure the individual is aware of those matters at the time personal information is collected (or as soon as practicable thereafter).
Businesses can comply with this requirement by giving a Collection Notice. The Collection Notice is a statement that sets out (amongst other things) why the information is being collected, how it will be used, who it will be disclosed to, whether it will be disclosed overseas and whether the collection is required or authorised by law.
This means all businesses must have and distribute a Collection Notice to all employees, contractors, labour hire workers, volunteers, candidates for employment and other visitors to the workplace when collecting vaccination status information.
A properly drafted Collection Notice can also help obtain valid and informed consent, where required.
What should businesses do now?
While the issues around vaccination in the workplace can be confusing, the associated privacy obligations are relatively straightforward.
If your business chooses or is required to collect vaccination status information about employees, contractors and other visitors to the workplace, we recommend the following tips for minimum best practice compliance:
- always give a Collection Notice (which complies with the requirements of the IPPs) to each individual about whom information is collected (this includes employees);
- only collect the minimum amount of personal information reasonably necessary to prevent or manage COVID-19 or that is required by law to be collected;
- once collected, all personal information should only be used or disclosed within and outside your business on a “need-to-know” basis and for the purposes set out in the Collection Notice;
- have in place clear policies and parameters for destroying/retaining personal information – information must only be retained for as long as is necessary for the purpose for which it was collected (do not hold the information indefinitely); and
- ensure the information is securely stored.
How we can help
Here at the Information Privacy Company, we can create tailored collection notices and memos to provide to your employees, clients and other relevant stakeholders. In addition, we can complete a Privacy Impact Assessment (PIA) to identify the risks and potential effects of collecting this information.
If you would like to discuss these requirements or require practical advice to help your business comply with its privacy obligations, please contact us.