So, this is an important topic!
The first thing you need to know is that we have Federal Legislation overseeing our privacy rights - this means that it applies to all Australians everywhere at all times.
Secondly, it is important to note, that we have PRIVACY PRINCIPLES as a part of our rights enshrined in the Privacy Act 1988 (Cth).
SCHEDULE 1 of the Commonwealth Privacy Act 1988 sets out the
Clause 3.1 of the Australian Privacy Principles states: "If an Australian Privacy Principle (APP) entity is an agency, the entity must not collect personal information (other than sensitive information) unless the information is reasonably necessary for, or directly related to, one or more of the entity's functions or activities".
Now, an "APP entity" means an agency or organisation.
"Agency" means:
(a) a Minister; or
(b) a Department; or
(c) a body (whether incorporated or not), or a tribunal, established or appointed for a public purpose by or under a Commonwealth law, not being:
(i) an incorporated company, society or association; or
(ii) an organisation that is registered under the Fair Work (Registered Organisations) Act 2009 or a branch of such an organisation; or
(ca) a body (whether incorporated or not), or a tribunal, established for a public purpose by or under a law (other than a law providing for the incorporation of companies, societies or associations) of a State or Territory as in force in an external Territory, other than a body exempted by the Minister under subsection (5A); or
(d) a body established or appointed by the Governor-General, or by a Minister, otherwise than by or under a Commonwealth law; or
(e) a person holding or performing the duties of an office established by or under, or an appointment made under, a Commonwealth law, other than a person who, by virtue of holding that office, is the Secretary of a Department; or
(ea) a person holding or performing the duties of an office established by or under, or an appointment made under, a law of a State or Territory as in force in an external Territory, other than an office or appointment exempted by the Minister under subsection (5A); or
(f) a person holding or performing the duties of an appointment, being an appointment made by the Governor-General, or by a Minister, otherwise than under a Commonwealth law; or
(g) a federal court; or
(h) the Australian Federal Police; or
(ha) a court of Norfolk Island; or
(k) an eligible hearing service provider; or
(l) the service operator under the Healthcare Identifiers Act 2010 .
"Organisation" means:
(a) an individual; or
(b) a body corporate; or
(c) a partnership; or
(d) any other unincorporated association; or
(e) a trust;
that is not a small business operator, a registered political party, an agency, a State or Territory authority or a prescribed instrumentality of a State or Territory.
Section 94H of the Privacy Act deals with: Requiring the use of COVIDSafe, and states:
If your privacy rights have been violated in accordance to the above law, you can make a complaint to the Office of the Australian Information Commissioner here.
COVID VACCINATION STATUS DISCLOSURES AND YOUR PRIVACY RIGHTS
Can your employer require you to disclose information about your vaccination status?
Your employer can only require you to provide evidence of your vaccination status in particular circumstances.
If your employer intends to collect your vaccination status into a record, they must be satisfied that this collection is permitted under Australian Privacy Principle (APP) 3.
Information about your vaccination status is sensitive information and is afforded a higher degree of protection under the Privacy Act. Generally, your employer must seek your consent in order to collect your vaccination status information and the collection of this information must be reasonably necessary for one or more of your employer’s functions or activities, unless an exception applies.
Consent must be freely given and constitute valid consent.
This means that your employer cannot pressure or intimidate you to provide information about your vaccination status where they are relying on your consent as the lawful basis for collecting it. Your employer should provide you with adequate information about what information will be collected, why it is required and what it will be used for, prior to you giving consent. Your employer should also tell you whether the information will be disclosed to any third parties.
If your employer is a private sector organisation, they must also be able to justify the collection of your vaccination status information as being reasonably necessary for one or more of their functions or activities.
If your employer is an Australian Government agency, they must also be able to justify that the collection of your vaccination status information is directly related to their functions or activities (which may include preventing or managing COVID-19).
Applicable workplace laws and contractual obligations will impact whether the collection of your vaccination status information is reasonably necessary for your employer’s functions or activities. If your employer is requiring you to disclose information about your vaccination status on a ‘just in case’ basis, or if they can achieve their purpose without collecting this information, it will be harder for them to demonstrate that the collection is reasonably necessary.
The same considerations apply to any proposed collection of vaccination status information from persons related to you or living with you. Employers should be cautious and not assume that they can collect vaccination status information from your relatives or household contacts just because they can collect information from you.
Where your employer has provided a lawful and reasonable direction to you to be vaccinated, your employer can ask you to provide evidence of your vaccination, if this is reasonably necessary. Your employer must also obtain your consent. More information about lawful and reasonable directions is available from the Fair Work Ombudsman’s website.
If there is a term in your enterprise agreement, other registered agreement or employment contract that requires COVID-19 vaccination, it is likely to be reasonably necessary for your employer to collect information about your vaccination status. However, your employer will still need to obtain your consent to the collection.
Required or authorised by law
Your employer may be able to require you to disclose information about your vaccination status without consent if the collection of this information is required or authorised by an Australian law. This includes any Act of the Commonwealth, of a state or territory, or regulations or any other instrument made under such an Act, including public health orders or directions.
State and territory public health orders are continually being updated to respond to the COVID-19 pandemic. You should monitor these developments and review the specific requirements of any relevant orders or directions issued by your state and territory health authority to determine if you may need to disclose information about your COVID-19 vaccination status to your employer. Consult your relevant Department of Health to find out about any relevant requirements to provide proof of vaccination.
If you choose not to have the COVID-19 vaccine, can your employer require you to provide your reasons or other medical evidence?
Your reasons for choosing to not have the COVID-19 vaccination and medical evidence related to this decision is also considered to be sensitive information under the Privacy Act.
As with vaccination status information, your employer can generally only collect this information with your consent, and the collection must be reasonably necessary for your employer’s functions or activities.
However, if there is an Australian law – such as a public health order or direction – that requires your employer to collect your vaccination status information and reasons for non-vaccination, you may be required to provide your employer with your reasons or medical evidence exempting you from vaccination. The information collected should be limited to what is specified in the relevant law, or to what is reasonably necessary in circumstances where it is collected by consent.
Is your employer required to tell you why they are requesting your vaccination status information and what they are going to do with your information?
If your employer requests your consent to collect vaccination status information, they are required to be transparent about why the information is being collected, and how it will be used, in line with APP 1.
Your employer must also take reasonable steps to notify you of the matters set out in APP 5. These include:
the purpose of collection
the consequences if you refuse to consent to the collection
if the collection is required or authorised by law
how your employer may use or disclose information about your vaccination status, and
that their APP privacy policy contains information about how you may access your personal information, seek correction of your personal information, make a complaint about a breach of the APPs and how your employer will deal with such a complaint.
Your employer should provide you with this information before they collect information about your vaccination status or, if this is not practicable, as soon as practicable after collection occurs.
If you disclose information about your vaccination status to your employer, will your information be protected by the Privacy Act?
Private sector employees
If your employer is a private sector organisation and information about your vaccination status has been collected by them lawfully, the employee records exemption in the Privacy Act will apply in many instances.
This means that the APPs will not apply to the handling of your information once it has been collected and is held in an employee record, where it is directly related to the employment relationship between you and your employer. The OAIC has developed guidancefor private sector employers on privacy best practice when handling information about employee vaccination status. You may wish to suggest that your employer review this guidance before collecting your information.
Your employer must also handle your information in accordance with any applicable requirements or privacy protections set out in a relevant public health order.
Public sector employees
If your employer is a Commonwealth or Norfolk Island Government agency, the privacy protections in the Privacy Act and the APPs will continue to apply to your vaccination status information once it has been collected and included in your employee record.
Your employer must also handle your information in accordance with any applicable requirements or privacy protections set out in a relevant public health order.
Further information is available from the Australian Public Service Commission.
What if you are a contractor, volunteer or applying for a job?
If you are a contractor, subcontractor or volunteer then the employee records exemption will not apply. This is also the case if you are applying for a job as a prospective employee.
The information you provide about your vaccination status to a private sector organisation as a contractor, subcontractor, volunteer, or prospective employee will continue to be covered by the Privacy Act and the APPs.
If your information is protected by the Privacy Act what are your employers’ obligations in respect to your information?
If the employee records exemption does not apply to you, and where your employer is legally permitted to collect your vaccination status, they must accurately record your vaccination status information and ensure that it is complete and kept up-to-date.
You must be provided with an opportunity to access your information and request correction if the information is inaccurate. Your employer must have appropriate security systems to protect your vaccination status information from misuse, interference, loss, unauthorised access, modification or disclosure.
Your employer should also limit the use and disclosure of your vaccination status information to the purpose for which they advised you it has been collected. Finally, your employer should destroy this information when it is no longer required. More information about these obligations is available here.
Can you make a complaint if you think your employer is misusing your vaccination status information?
If you think your employer is misusing your vaccination status information, you should contact your employer in the first instance to try to resolve the issue with them.
If you are not satisfied with your employer’s response, you can lodge a complaint with the OAIC if your employer is a Commonwealth or Norfolk Island Government agency or an organisation covered by the Privacy Act. The Privacy Act covers organisations with an annual turnover of more than $3 million and some other organisations, such as:
private sector health service providers
businesses that sell or purchase personal information
contracted service providers for an Australian Government contract.
If the employee records exemption applies, you may be able to make a complaint about the collection practices of your employer, such as the fact that your employer has asked to collect your vaccination status information where it is not necessary or in relation to the APP 5 information that they have provided to you. This is because the employee records exemption only exempts personal information from the Privacy Act once it has been included in an employee record.
You can find more information about our complaints process here.
MAKING A COMPLAINT WITH THE OFFICE OF THE AUSTRALIAN INFORMATION COMMISSIONER
You can make a complaint to the OAIC here or here.
Complain to your employer first
If you think an organisation or agency has mishandled your personal information, you need to complain to them first, before you complain to us. They may be able to take your complaint in person or over the phone, or they may prefer it in writing.
Check their privacy policy — it should explain what you need to do make a complaint. The privacy policy should also include how you can make a complaint and may include the contact details for a privacy officer that you can direct your complaint to.
What to include in your complaint to them
When you make the complaint, make sure you:
identify yourself
give any identification or reference number(s), if relevant
give a brief description of the matter and why you think the organisation or agency has mishandled your personal information (what happened, when it happened and any consequences)
let them know what you’d like them to do to resolve the matter
If put your complaint in writing also include:
a contact address
a contact phone number
the date (if you’re sending a letter)
COMPLAINT TEMPLATE
You may wish to use this template to make your complaint.
Dear Privacy Officer,
I am writing to you to make a privacy complaint, about how [name of agency/organisation] has handled my personal information.
On [date]...[provide an explanation of what happened, including as much detail as possible].
As a result of this…[explain the impact the incident has had on you and why you are concerned about this].
To resolve this complaint, I would like your organisation to...[outline what you are seeking to resolve the complaint].
Please call me on [your phone number] to discuss the complaint.
If I do not receive a response from [name of agency/organisation] within a reasonable time (generally 30 days) or the complaint is not resolved, I may contact the Office of the Australian Information Commissioner (OAIC) to make a privacy complaint.
Yours sincerely, [Your name]
What a written complaint must include
If you decide to write to the OAIC by email, fax or post, make sure your complaint includes:
your name and contact details — we can’t investigate an anonymous complaint
any relevant reference numbers or identifiers
the name of the organisation or agency you’re complaining about
a brief description of your privacy complaint (what happened and when)
any action the organisation or agency you complained to has taken to fix the problem
a copy of any relevant document (such as your complaint to the organisation or agency and their response)
what outcome you’d like
If your complaint involves credit reporting, please include a copy of your credit report. (See also Complaints about Credit Reporting.)
Keep a record of your complaint
Make sure you keep a record of your complaint.
If you complained in person or over the phone, make a record (in your mobile device or a diary) of:
the date you complained
the name of the organisation or agency you complained to
the name of the person you complained to, if available
a brief description of the matter you complained about and why you think the organisation or agency has mishandled your personal information (what happened, when it happened and any consequences)
a brief description of what you asked the organisation or agency to do to resolve the matter
If you made you complaint in writing, keep a copy of your complaint.
Keep a record of any responses
If you receive a response from the organisation or agency in person or by phone, you may like to record (in your mobile device or diary):
the date you received the response
the name of the organisation or agency that responded
the name of the person you spoke to, if available
a brief description of the organisation or agency’s response
If the organisation or agency responds to your complaint in writing, make sure you keep their response.
Give them at least 30 days to respond
You need to give the organisation or agency a reasonable amount of time to respond to your complaint. We think 30 days is a reasonable time.
HOW TO LODGE A COMPLAINT WITH THE OAIC
The Privacy Act 1988 requires your complaint to us be in writing. We can’t take it over the phone.
The OAIC can accept a written complaint:
on our online privacy complaint form
on our privacy complaint form that you’ve downloaded
in an email
It’s free to lodge a complaint. You don’t need a lawyer. However, if you do decide to hire a lawyer, you must pay for the lawyer.
You can nominate someone to represent you in your privacy complaint by completing one of these forms and including this when you submit your complaint to us.
You can withdraw your complaint at any time without penalty.
Where to send your complaint
You can send your complaint to the OAIC either by:
email, send it to enquiries@oaic.gov.au (be aware that email isn’t encrypted, if you’re concerned about this use our online form which is secure)
mail, send it to GPO Box 5218, Sydney NSW 2001 (send it by registered mail if you’re concerned about sending it by standard post)
fax, send it to 02 9284 9666
If you have any questions about the personal information we collect when you lodge a complaint and how we handle it, please read our privacy policy or phone our Enquiries Line (1300 363 992).
Help lodging a complaint
If you need:
hearing or speech assistance, contact us through the National Relay Service
a translator, contact us through the Translating and Interpreting Service
For all other help, please phone our Enquiries Line (1300 363 992).
Making a complaint for someone else
You can help someone else lodge a complaint if they give their consent. You must include their written authority for you to act on their behalf with their complaint. You can also complete one of these forms:
If you need assistance with preparing your affidavit or other documents, with human rights advocacy, business consulting, or Fair Work Conciliation, please make a booking here on our website, and receive knowledgeable, compassionate, professional support from a trained international human rights legal advocate!
SUBSCRIBE TO OUR WEBSITE HERE TO GET UP TO DATE, WEEKLY INFORMATION, RESOURCES AND SUPPORT WITH BUSINESS AND HUMAN RIGHTS MATTERS.
Comentarios