Bosses need to have a close look at what information they have on hand and the reasons why
Companies are exposing themselves legally by holding onto their staff Covid-19 vaccination records without proper justification.
Worker advocate Ashleigh Fechney says she's seeing a lot of employees taking "very harsh legal measures against their employer".
There has been considerable easing of government vaccine mandates this month. Only workers in the health and disability sectors, along with prison, border, and MIQ staff are required to be vaccinated.
Big employers such as Auckland Council have been reviewing the risk assessments that underpin their workplace vaccination policies that require certain roles to be performed by a vaccinated person.
This means workplaces in both the public and private sector will have a record of which staff are vaccinated, but privacy and employment law experts are urging employers to review whether they are justified in continuing to keep this information.
According to the Privacy Act 2020, employers should not keep personal information longer than necessary: “An agency that holds personal information must not keep that information for longer than is required for the purposes for which the information may lawfully be used.”
Louisa Joblin, a privacy law specialist and senior associate at Duncan Cotterill, says these changes mean there will be many organisations that are actually breaking the law by holding onto their staff’s vaccination records.
“If the purpose of the collection is no longer relevant, then you ought not to have it on file. You can only hold, store, use or disclose the information for the purpose of what it was gathered for.” – Barbara Buckett, employment lawyer
“There are a lot of agencies, including workplaces, businesses and other organisations, who are now in a position where they’re holding more personal information about vaccine status data than they can justify holding onto,” she says.
Employment lawyer Barbara Buckett agrees. Now that government mandates and workplace vaccine requirements are being lifted, she says employers need to go back to basics.
“If the purpose of the collection is no longer relevant, then you ought not to have it on file. You can only hold, store, use or disclose the information for the purpose of what it was gathered for,” she says.
In this case, vaccination records would have been gathered to know whether an individual was vaccinated to comply with a mandate or workplace health and safety risk assessment.
But when a staff member’s vaccination status becomes irrelevant, the records should be disposed of, Buckett says.
Privacy breaches could be costly
Vaccination records, passes or other information showing someone’s immunisation status is all sensitive information that can be used to identify an individual - more so than someone’s name and address, according to Joblin.
“Some people won’t mind who knows their vaccination status, and for others it's something they want to hold very close,” she says.
Failure to collect, use, and store sensitive information correctly could result in a privacy breach. It’s mandatory to report breaches that could result in serious harm to the Privacy Commission, and organisations that don’t report are slapped with a fine.
The Human Rights Review Tribunal, which handles privacy breach complaints, has said minor breaches could see an organisation cough up between $5,000 and $10,000 in compensation, while the most serious cases could cost more than $50,000.
Aside from the potential financial cost, Joblin says an organisation's reputation could also take a big hit.
Auckland Council set to delete data
Bell Gully partner and employment lawyer Liz Coats says bosses need to act in good faith, and in a manner that is fair and reasonable.
She recommends employers pay attention to government guidance on the topic, such as information from the Ministry of Business, Innovation, and Employment (MBIE) or WorkSafe, as it is often updated in response to changes in public health information or legal changes.
"While this guidance is not mandatory and isn’t “law”, it can be a helpful starting point to understand relevant legal considerations," she says.
Ashleigh Fechney says workers should approach their employer directly if they have concerns about their personal information, rather than going straight to another body such as the Privacy Commission.
“It’s not necessarily connected to this issue, but I’m seeing a lot of employees taking very harsh legal measures against their employer, instead of going directly to the employer. It’s having a damaging effect on the employment relationship,” she says.
“It’s always better to go straight to the employer with their concerns rather than going straight to the Privacy Commissioner.”
Auckland Council is one employer who is set to delete data around staff member’s vaccination status.
Andre Lubbe, head of employment relations, says the council is conscious of its Privacy Act obligations to employees and contractors.
“Given that the information will soon be obsolete, as My Vaccine Passes no longer remain an accurate record of vaccination status, we will delete the information from personnel records,” he says.
Lubbe says the council will retain the ability to record this information, in case it's required in the future.
Little wriggle room
But what if a workplace is holding on to data, in the case it might be needed again at some point? Can those records still be retained for future reference, even if that information is not needed right now?
Joblin says the answer is strictly no if the purpose for which it was collected no longer applies and the workplace no longer has the individual’s consent to now hold it for another purpose altogether.
However, there might be some wriggle room, where a workplace could obtain written consent from an employee to keep that information on hand, but Joblin says the best way to minimise the potential risk is to just delete it.
She says the employer should review what information they’re holding, whether it's accurate and up to date, and whether they still need it for the purposes that they collected it. If not, it needs to be deleted or destroyed.
This data also needs to be held safely and securely, so that other workers can’t snoop on their colleague’s information. If an employer decides to hold on to any data, they need to be asking themselves how they’ll keep that information safe.
Employers should seek legal advice for their particular workplace, as the rules will be different for each organisation, Joblin says.
Anna Clark, general manager of workplace relations and safety policy at MBIE says employers in both the private and public sector must meet their obligations under the Privacy Act 2020.
The Privacy Commission advises that employers dispose of any sensitive information and documents safely through measures such as shredding physical files and securely deleting personal information before disposing of electronic equipment such as laptops.
