Megan Prictor, The University of MelbourneIn the US, some National Basketball Association (NBA) players have recently asserted their right to privacy over their COVID vaccination status. In Australia, discussion of vaccine passports has also highlighted this issue.
We value the idea that our medical information is private and subject to special protection and that our doctor can’t freely share it with others. Yet suddenly, it seems we might be asked to hand over information about our vaccination status in many different situations.
It might be so we can keep doing our job, go into shops and restaurants or travel. It might make us uneasy. But can we refuse to tell others our vaccination status on privacy grounds? What does the law in Australia say about who can ask for it, and why, and what they can do with it?
What we already disclose
Vaccinations and medical exemptions are recorded on the Australian Immunisation Register operated by the federal government.
Information from the register is used to create immunisation history statements and COVID digital certificates. This information can then flow through to check-in apps to let us prove our vaccination status when we are asked to.
It’s understandable to think our health information should be secret – kept between us and our doctor. But the law – principally the Australian Privacy Act and health records laws in many states – allows it to be collected by other people if certain conditions are met. And it’s not only the doctor’s clinic and other health services where this information is allowed to move around.
For instance the No Jab, No Play legislation in Victoria, designed to increase immunisation rates in young children, means proof of their vaccination status must be given in order for the child to access kindergarten.
Adults have to disclose information about medical conditions and disabilities to organisations like VicRoads in order to obtain a driver licence. We might even disclose a health condition to our employer so “reasonable adjustments” can be made to help us keep working.
So there are many examples of disclosing health information well beyond the doctor’s clinic walls, and all of them are provided for by law.
Our vaccination status is classified as “health information” under Australia’s privacy laws.
Health information falls into a larger category of “sensitive information” – information that requires the most careful handling. The Australian Privacy Principles (APPs) in our Privacy Act set out the rules for how this information can be collected, used and disclosed.
The APPs say a business or employer (an APP entity) can only collect sensitive information like our vaccination status under certain conditions. An example is if the information is reasonably necessary for the business’s activities and we give our consent.
For this consent to be valid it must be given freely. People can’t be threatened or intimidated into disclosing their vaccination status.
Employers can mandate vaccination – as some businesses are doing – if it is “lawful and reasonable”. In this situation, an employee refusing to disclose their vaccination status would likely be in breach of a lawful and reasonable direction by their employer. Any consequences would be covered by the terms of their employment contract.
Public health and consequences
The collection of our vaccination status might also be allowed by other Australian laws, such as public health orders and directions. The mandatory collection of vaccination status in the aged-care sector is a good example.
Where proof of vaccination becomes a requirement of entering a premises or working in a particular job, we can choose to keep that information private, but not without consequences. Our privacy is not protected absolutely – the trade-off might be that we are denied entry or refused employment.
Information about a person’s vaccination status can only be collected by “lawful and fair” means such as asking them directly, but not collecting it by deception or without them knowing.
Separate rules say what can then be done with the information. Generally, it can’t be used for a different purpose than it was collected for, or shared with other people or organisations, unless an exception applies.
Although private sector employers’ handling of employee records is exempt from the Australian Privacy Principles, they should still store this information securely and make sure it is not used and disclosed unnecessarily.
But isn’t privacy a human right?
Privacy is recognised as a fundamental human right in the Universal Declaration of Human Rights and other international human rights documents.
Australia is a signatory to the International Covenant on Civil and Political Rights, which states: “no-one shall be subjected to arbitrary or unlawful interference with his privacy” (Article 17.1).
But this right is not absolute and it can be limited by national measures “in time of public emergency” (Article 4.1). On the flip side, any requirement to disclose vaccination status is shaped by human rights principles so that the requirement must be reasonable, proportionate and necessary.
It must also take into account the risk of discrimination. Our Human Rights Commission has outlined how certain people might be at particular risk of discrimination related to sharing their vaccine status. They might have difficulty using technology or not have access to it. So, even those who have been vaccinated might find it difficult to provide proof.
The World Health Organisation says people who don’t disclose their vaccination status shouldn’t be denied participation in public life.
Although health information is protected under Australian law, the law also allows this information to be collected, used and shared when reasonably necessary.
Privacy is not absolute. The COVID emergency limits some privacy protections in favour of public health goals. We need to be alert to the trade-offs and potential discrimination – particularly when access to jobs and services depends on the disclosure of vaccine status.