Navigating the noise around mandatory vaccinations

As Australia moves from a position of eliminating COVID-19 to living with COVID-19, governments across the country have implemented vaccination mandates as one of the levers to protect the community from COVID-19 transmission and to minimise the impact of infections that do arise.

These vaccination mandates, and the manner by which they have been implemented and supplemented by employer vaccination policies, have by no means been universally received, and much has been raised in challenge of them.

These challenges are largely resolved on technical points, adding to confusion for organisations attempting to navigate the noise.  This noise has been amplified by the recent decision of a 5-member Full Bench of the Fair Work Commission in the matter of CFMMEU & Anor v Mt Arthur Coal Pty Ltd.

Does the decision in Mt Arthur Coal mean the mandatory vaccination policies are unlawful?

Put simply, no.

In early October, Mt Arthur Coal introduced a policy requirement that all of its workers must be vaccinated against COVID-19 as a condition of entry to the mine.  Workers had until 9 November 2021 to provide evidence that they had received at least one dose of a COVID-19 vaccine.  Fifty workers who did not provide such evidence were stood down.  The Construction, Forestry, Maritime, Mining and Energy Union challenged the mandatory vaccination policy by lodging a dispute under the applicable enterprise agreement.

The question for the Full Bench was whether the mandatory vaccination policy was a lawful and reasonable direction.  The Full Bench determined that it was not in this case, for the reason that Mt Arthur Coal was found to have failed to consult with staff as required under the terms of the applicable enterprise agreement, and in accordance with general consultation obligations operative under workplace health and safety laws.

Notably, the Commission stated that, but for the failure to adequately consult, there were a range of factors in favour of the implementation of a company mandatory vaccination policy; which included:

  1. It was directed at ensuring the health and safety of workers of the workplace, had a logical and understandable basis; and was a reasonably proportionate response to the risk created by COVID-19.
  2. It was developed having regard to the circumstances at the workplace, including the fact (in that case) that workers could not work from home and came into contact with other workers whilst at work.
  3. The timing for its commencement was determined by reference to circumstances pertaining to the local area at the relevant time.
  4. It was only implemented after the employer spent a considerable amount of time encouraging vaccination.

Flowing from these observations, it may be taken that employer mandatory vaccination policies will be lawful and enforceable where they are:

  1. Tailored to the risk factors and circumstances that operate in the particular workplace in which they will apply; and
  2. Critically, subject to consultation before implementation.

In the context of introducing or updating a mandatory vaccination policy, consultation requires a business to provide its workforce with a reasonable opportunity to persuade the decision-maker in relation to the decision to introduce such a policy.  It does not require the workforce to agree to the policy or give the workforce power of veto.

Where these requirements are met, and the terms and implementation of a mandatory vaccination policy, or updated mandatory vaccination policy are lawful and reasonable, they will be legally enforceable.

Can employers collect vaccination information?

A critical requirement of an employer vaccination policy, as well as of public health orders creating mandatory vaccination obligations, is a requirement for affected employees to provide evidence of their vaccination status.

Information about an employee’s vaccination status is defined as ‘sensitive information’ for the purposes of the Privacy Act 1988 (Cth) (Privacy Act) and is accordingly afforded a higher degree of protection.

This higher protection means that an employer can collect evidence of an employee’s vaccination status where the collection is with the employee’s consent, and where the collection is reasonably necessary for one or more of the employer’s functions or activities, such as to ensure the safe performance of work.

The voluntary provision by employees of their vaccination status, provided that employees are notified of the purpose for which the information is collected and the ways in which the information may be used or disclosed, will be regarded as a collection with consent.

That consequences might flow from a refusal to provide consent for the collection of vaccination information will not, by itself, impact upon whether an employee has had a genuine opportunity to consent, or not.

Should employers hold vaccination information?

In another recent headline case, Virgin Australia Airlines undertook to destroy vaccination information that it had collected from its workforce following the commencement of proceedings by the Australian Licensed Aircraft Engineers Association alleging that the collection of individual healthcare identifiers (IHI) from Virgin Australia Airline employees breached the Privacy Act and could be misused by Virgin Airline employees.

In resolving the proceedings, Virgin Australia Airlines undertook that it would delete all proof of COVID-19 vaccination documents provided by employees that they hold and have verified, which was codified in an Order made by the Court.

So, does this mean that the collection of vaccination information is unlawful, and should employers proceed to destroy all vaccination information provided by employees?  No.

The undertaking given by Virgin Australia Airlines was made subject to the operation of requirements imposed by law, with laws varying from State to State and Territory on the extent to which employers are required to collect, record and hold particular vaccination information.

It is also important to be aware that the destruction of the vaccination information was at the undertaking of Virgin Australia Airlines, and not as a result of any decision made by the Court that the collection and holding of vaccination information including IHIs was unlawful.

Organisations would, however, be wise to only view, collect, record and/or hold the least amount of information possible.  A person’s COVID digital certificate, accessible via their Medicare account, does not include their IHI, however their immunisation certificate does. The handling and disclosure of IHIs is regulated in its own right under the Healthcare Identifiers Act 2010 (Cth) (HI Act). This is reflective of the even higher level of protection that is afforded to this information.

Section 26(1)(d) of the HI Act states that the use or disclosure by a person of an IHI, is prohibited unless a relevant exception applies. Where there is no such exemption, a person can be exposed to a criminal penalty – which could lead to fines or even a jail term of up to two years – and a civil penalty where the person uses or discloses information in circumstances that contravene the HI Act, and the person knows or is reckless as to those circumstances.

Given the particular sensitivity of IHIs businesses can and should redact this information at the time they collect a person’s vaccination information, to the extent that this is possible, and where this is not practicable, ensure that information containing a person’s IHI is stored securely.  Redacting may be as simple as asking a person to cover their IHI with a finger when snapping a photo, or it could otherwise be a request for an employee to crop their immunisation certificate to remove their IHI before sending to your business.

What should employers be doing now?

For the majority of staff who are vaccinated, the operation of public health orders and organisation policies requiring vaccination are relatively uncontroversial.  However, to mitigate against claims and challenges from the vocal few, it is important for organisations to turn their minds to the following key considerations:

  • The requirement to view, collect, record and / or hold vaccination information varies from State to State and Territory. Ensure that your organisation is viewing, collecting, recording and / or holding vaccination information only as absolutely required;
  • If a worker asks to have their IHI removed from any copy of the vaccination information securely held by your organisation, reasonable steps should be taken to do so, and substitute vaccination evidence provided where legally required to be held;
  • If your organisation proposes to introduce a new or updated mandatory vaccination policy, ensure that there is consultation prior to implementation and enforcement;
  • Don’t forget your COVIDSafe Plan – your organisation’s COVIDSafe Plan should be reviewed and updated to operate effectively alongside any mandatory vaccination public health order or policy, including by setting out any additional safety and hygiene measures for employees holding valid exemptions from vaccination requirements.

In all cases, get advice when situations of uncertainty arise or where your organisation is receiving pushback on its policy.


Katie Sweatman
+61 3 9958 9605
[email protected]
Marcus Topp
+61 3 9958 9610
[email protected]