4 minute read
Balancing privacy rights - with health and safety considerations in the real estate sector
The Government’s COVID-19 Protection Framework, which came into effect at the end of 2021, contains new regulations and guidance for employers. Some sectors are now subject to vaccine mandates and will be required to keep records of their employees’ vaccination statuses.
While the real estate sector is not currently subject to a vaccine mandate, real estate agencies are encouraged to undertake a risk assessment to determine whether their business activities should be carried out exclusively by vaccinated workers on health and safety grounds. In this case, ‘workers’ include any person required to operate the business or service, which includes paid and unpaid individuals.
Advertisement
Given many real estate roles are client-facing, health and safety risk assessments may conclude workers need to be vaccinated to operate in their roles effectively while ensuring that risks are kept to a minimum.
Vaccination Assessment Tool
The Government has provided a Vaccination Assessment Tool (VAT), to assist employers in determining whether they can require work to be carried out exclusively by vaccinated workers. The VAT provides four criteria in relation to a particular role or job, and employers must grade each of these as either ‘Lower Risk’ or ‘Higher Risk’. The four criteria are:
• Does the worker work in an indoor space that is less than 100 metre 2 ?
• Is it unreasonable for the worker to maintain one-metre physical distancing from other people?
• Is the worker in close proximity to any other person for more than 15 minutes?
• Does the worker provide services to people who are vulnerable to COVID-19?
Where an employer grades at least three of the four criteria as ‘Higher Risk’, the Government deems it reasonable to require a vaccinated person to perform the role.
Health and safety plans for real estate agencies
It is strongly recommended that after undertaking a risk assessment or use of the VAT to assess the risk of workers, agencies establish health and safety plans with the assessed level of risk in mind.
Records of workers’ vaccination status may only be taken and stored if worker vaccination is mandatory, or the information is material to the operation of an employers’ health and safety plan. It is important to remember that vaccination status is personal information per the Privacy Act 2020.
As such, health and safety plans should address issues such as whether the agency needs to know workers’ vaccination status and, if so, whether the agency needs to store evidence of their workers’ vaccination status or can simply record it without evidence. Generally speaking, an approach should be taken which keeps the collection, use and storage of vaccination information to the minimum level required to comply with the health and safety plan.
How should personal information be stored?
Where agencies elect to store information about their workers’ vaccination status, the manner of storage must ensure that information is kept safe and secure.
While individual workers will have varying levels of concern with respect to others having access to their vaccination status, the safest approach is to treat every worker’s vaccination information as sensitive information and protect it accordingly — with policies and procedures to ensure compliance with the Privacy Act. Ideally, this will simply be an extension of practices already in place for agencies to protect personal information.
Ensuring reasonable safeguards
The Privacy Act emphasises that employers must ensure personal information about employees is protected by such security safeguards as are reasonable in the circumstances. The Act explains that those safeguards are to protect against loss, unauthorised access, disclosure, or other misuse.
The definition of what exactly constitutes reasonable safeguards in the context of protecting sensitive information can be a source of confusion. Whether the safeguards put in place by an agency to protect sensitive information are reasonable will vary depending on the circumstances.
For example, keeping client files on a password protected computer system where all staff can access them for work purposes is likely to be reasonable. However, keeping workers’ vaccination information on a system accessible to all staff would not necessarily be considered reasonable due to the risk of other workers accessing the information for purposes not directly associated with work.
Ultimately, all agencies will need to store employee vaccination information in a way that securely restricts access to only those who legitimately require it, such as to assess compliance with the health and safety plan.
Failing to adequately protect workers’ personal information may result in a notifiable privacy breach, which may legally require the employer to report the breach to the Office of the Privacy Commissioner. Failure to report a notifiable privacy breach can result in a fine of up to $10,000. Privacy breaches can also have major reputational consequences which extend far beyond the financial implications.
Louisa Joblin
Associate Commercial Lawyer, Rainey Collins
