Fair Work Act 2009
s.739—Dispute resolution

Construction, Forestry, Maritime, Mining and Energy Union & Ors
v
BHP Coal Pty Ltd T/A BHP Billiton Mitsubishi Alliance / BMA & Ors
(C2021/8213 & Ors)

Applications for Commission to deal with a dispute in accordance with a dispute settlement procedure in enterprise agreements – Consultation on major workplace change – Site Access Requirement that employees are vaccinated against COVID – 19 and provide evidence of vaccination including type of vaccine and date given – Whether Site Access Requirement is a lawful and reasonable direction having regard to the Privacy Act and the right to bodily integrity – Privacy Act and Australian Privacy Principle 3.3 – Whether consent to provide sensitive information in relation to vaccine status is vitiated by coercion or duress in circumstances where non-compliance will result in termination of employment – Whether information verifying vaccination status is reasonably necessary for employer’s functions and activities – Site Access Requirement not unreasonable because if violates right to bodily integrity – Site Access Requirement not unlawful because it breaches Privacy Act – Finding that site access requirement is lawful and reasonable having regard to the Privacy Act and the Right to bodily integrity.

Introduction

[1] On 7 October 2021, employees at Queensland coal mines and related sites, operated by, or related to, the BHP Group of Companies, were informed of the introduction of a Site Access Requirement (SAR) by which they were directed that as a condition of entry to Queensland sites, they would be required, by 31 January 2022, to be fully vaccinated against COVID-19. The direction also requires that employees provide evidence of their compliance with the SAR by 31 January 2022 including the type of vaccination and the date it was received.

[2] Applications under s. 739 of the Fair Work Act 2009 (the FW Act) were made by the Construction, Forestry, Maritime, Mining and Energy Union – Mining and Energy Division (CFMMEU), the Communications, Electrical, Electronic, Energy, Information, Postal, Plumbing and Allied Services Union of Australia (CEPU) and the “Automotive, Food, Metals, Engineering, Printing and Kindred Industries Union” known as the Australian Manufacturing Workers’ Union (AMWU) (collectively the Unions/Applicants) for the Fair Work Commission (the Commission) to deal with disputes in accordance with disputes settlement procedures under enterprise agreements applying at mine sites and related operations (the sites) of various entities including BHP Coal Pty Ltd, BHP Billiton Mitsubishi Alliance and Central Queensland Services Pty Ltd (collectively the Respondents). Details of the Respondents, the enterprise agreements under which the disputes are raised and related matter numbers, are set out in Annexure A.

[3] Disputes were also raised with other entities – OS ACPM Pty Ltd, OS MCAP Pty Ltd and BMA Rail – and are at earlier stages in the dispute resolution procedures under the instruments applying to employees of those entities.

[4] The CFMMEU and CEPU contend in the Form F10 applications, that the SAR is invalid and of no effect on various grounds, including that it is not reasonably necessary for the performance the employees’ contracts of employment, it is an unreasonable invasion into the privacy of employees, it ignores the prevailing circumstances (namely the degree of risk presented at the workplaces by COVID-19) and ignores other and more effective means to control any risk presented at the workplaces by COVID-19 (for example, rapid antigen testing and other control measures currently in place or that have been in place). The CFMMEU and CEPU further contend that the SAR amounts to a unilateral variation of the employees’ contracts of employment.

[5] The AMWU similarly contends in its F10 applications that the SAR is not a lawful and reasonable direction as among other things, the Respondents have failed to consult with employees and their representatives before the decision was made to implement the mandate, there is no state-wide public health order requiring mine workers to be vaccinated against COVID-19, there are already COVID-19 control measures at the various mine sites, the SAR was not introduced on the basis of the particular circumstances of employment that apply at each site and the Respondents have not complied with obligations under the Privacy Act 1988 (Cth) (Privacy Act).

[6] Conferences of the parties were held on 10, 15 and 22 December 2021 and 4 and 7 January 2022. Without departing from their positions, the Unions and the Respondents agreed to a Consultation Plan. The objective of the Consultation Plan was for employees and their representatives to provide all thoughts, ideas, suggestions and scientific, medical or safety data or other information about the site access requirement, and for the employers to consider all such matters, and what if any, measures to avert or mitigate the effect of the site access requirement should be taken, before making a final decision on its introduction.

[7] At the conclusion of the process established under the Consultation Plan, it was accepted by the Unions that all issues in dispute had been resolved except for issues relating to the rights of employees under the Privacy Act and to bodily integrity with the Unions maintaining that the SAR is invalid on grounds related to these matters. The parties agreed to seek a Recommendation from the Commission in the form of an answer to the following question: “Is the Site Access Requirement a lawful and reasonable direction or not, having regard to (1) the Privacy Act and (2) the right to bodily integrity?”

[8] The parties also agreed that the Recommendation would resolve the notified disputes (set out in Annexure A) and disputes involving OS ACPM Pty Ltd, OSMCAP Pty Ltd and BMA Rail. Further, it was agreed that any party aggrieved by the Recommendation may seek, within 24 hours of the Recommendation, that the disputes be referred to the President for re-allocation to another Commissioner or a Full Bench for arbitration.

[9] In accordance with agreed Directions, the Applicants filed and served submissions by 12.00 pm on Monday 10 January 2022 and the Respondents by 12.00 pm on Tuesday 11 January 2022. The matter was listed for oral submissions at 5.00 pm on Tuesday 11 January 2022. The parties also agreed that the proceedings would be conducted on the basis that any material on the Consultation Hub used by the Respondents for the purposes of disseminating information to employees, may be used as evidence for the purposes of answering the question posed for Recommendation.

[10] All parties were legally represented as of right under the terms of the BMA Enterprise Agreement 2018 and to the extent that it was necessary in relation to disputes notified under other industrial instruments, permission for legal representation was granted on the basis that I was satisfied that it would enable the matter to be dealt with more efficiently, taking into account its complexity.

[11] The CFMMEU and the CEPU were represented by Mr L Tiley of Hall Payne Lawyers. The AMWU was represented by Mr P Turner of Maurice Blackburn Lawyers. The RTBU was represented by Mr L Kennedy. The Respondents were represented by Mr I Neil SC, with Ms H Blattman of Counsel, instructed by Herbert Smith Freehills.

[12] For the reasons set out below, I have concluded that the answer to the question is: Yes, the Site Access Requirement is a lawful and reasonable direction having regard to the Privacy Act and the right to bodily integrity.

The Mt Arthur Coal decision

[13] In Construction, Forestry, Maritime, Mining and Energy Union, Mr Matthew Howard v Mt Arthur Coal Pty Ltd T/A Mt Arthur Coal 1 (Mr Arthur Coal), a Full Bench constituted by five Members of the Commission, dealt with a dispute about whether a direction to employees of Mt Arthur Coal Pty Ltd, a member of the BHP Group of Companies, in relation to a site access requirement that is in essentially the same terms as the direction in the present case, was lawful and reasonable. The Full Bench in Mt Arthur Coal answered a question for arbitration finding that the direction was not lawful and reasonable on the basis of failure to consult in accordance with obligations under the Workplace Health and Safety Act 2011 (NSW). All parties made submissions about the Mt Arthur Coal decision and the effect of the findings of the Full Bench on the matters in dispute in the present case. It is convenient to deal with those submissions at the outset.

[14] The Respondents submit that the Full Bench decision in Mt Arthur Coal has two classes of findings that are significant in the present case. These findings are characterised by the Respondents as conclusions of a legal character and findings of fact in relation to medical, scientific and epidemiological justification for the site access requirement.

[15] With respect to the second category of findings, the Full Bench in Mt Arthur Coal found that the following uncontentious factual propositions (at [29]), were established on the evidence:

1. COVID-19 involves a high burden of disease, greater than influenza.

2. Any infected person is at risk of developing serious illness from the virus, which may lead to death.

3. The risks posed by COVID-19 have changed with the rapid rise of the Delta variant which is more infectious and has more severe health effects than previous variants.

4. All COVID-19 vaccines currently available in Australia are effective at preventing symptomatic infection, including from the Delta variant.

5. All COVID-19 vaccines currently available in Australia substantially reduce the risk of serious illness or death, including from the Delta variant.

6. All COVID-19 vaccines currently available in Australia are safe and any adverse effects are usually mild. There is a much higher risk of developing serious complications and dying from acquiring COVID-19.

7. An unvaccinated person is more likely to acquire COVID-19 from another unvaccinated person, rather than a vaccinated person.

8. While other measures, such as mask wearing, and social distancing, are demonstrated to reduce the transmission of COVID-19, the effectiveness of these measures depends on people applying them consistently or correctly. They do not provide a substitute for the constant protection offered by vaccines, nor do they reduce the risk of developing serious illness once somebody acquires an infection.

9. Vaccination is the most effective and efficient control available to combat the risks posed by COVID-19.

10. Even with high vaccine rates in the community, COVID-19 will remain a significant hazard in any workplace in which there is a possibility that people will interact or use the same common spaces (even at separate times). The Mine is clearly such a workplace.

…

[61] …higher rates of vaccination do not remove the risk of COVID-19 infection for unvaccinated workers. That is because unvaccinated workers are at risk of catching COVID-19 from other unvaccinated workers and fully vaccinated workers, who can acquire COVID-19 and efficiently transmit the disease to others. Indeed, unvaccinated people are more likely to acquire COVID-19 compared with vaccinated people. Further, unvaccinated workers on a work site increase the risk of spreading COVID-19 to vaccinated workers and other unvaccinated workers. In turn, those persons are at risk of spreading COVID- 19 outside the workplace to their families and friends.

…

[62] …the rates of infection of COVID-19…throughout Australia, are likely to increase over time as movement restrictions ease, with the result that it is inevitable that everyone who works on the Mine will come into contact with someone – probably many people – who are infected with COVID-19. Witness R5 [an expert medical witness] went on to express his opinion that ‘with reopening the virus will spread through Australia, and [although] the timing in the given locations [is] not exact, but in time it will spread to all locations, and be present in all work places’. When COVID-19 does so spread, those who remain unvaccinated are at greatest risk of acquiring COVID-19, becoming seriously ill or dying from acquiring COVID-19, and infecting other people with whom they come into contact.

…

[85] We accept that the object and purpose of the [Mt Arthur] Site Access Requirement is to protect the health and safety at work of Mt Arthur’s employees and other people at the Mine.

…

[252] …The Mt Arthur Site Access Requirement] is directed at ensuring the health and safety of workers of the Mine.

[16] The Full Bench in Mt Arthur Coal found that: “Even with high vaccine rates in the community, COVID-19 will remain a significant hazard in any workplace in which there is a possibility that people will interact or use the same common spaces (even at separate times).” The Respondents submit that each site subject to the SAR is such a workplace.

[17] The Respondents point to the fact that the Applicants do not take issue with the findings made by the Full Bench in Mt Arthur Coal and submit that those findings are manifestly correct. The Respondents also submit that the content of the SAR is identical in every material respect to the site access requirement that was considered by a Full Bench in Mt Arthur Coal. Further, with one qualification, the reasons and justification for the SAR are also identical in every material respect to those that supported the Mt Arthur SAR. The qualification is that, when Mt Arthur was heard, the Omicron variant of COVID-19 had not been identified in Australia; COVID-19 infections are now at higher rates in Australia than seen throughout the pandemic and a number of positive cases have been identified at the Respondents’ Queensland Mines. The Respondents submit that the subsequent arrival and rapid spread of Omicron is a further reason, in addition to those found in Mt Arthur Coal, that supports the introduction and implementation of the SAR.

[18] In these respects, there is no material distinction between the facts considered by the Full Bench in Mt Arthur Coal, with those in this case. There is also no challenge in this case to any aspect of the Health and Safety Rationale, and it should be accepted as being factually correct in every respect. The SAR is supported by the material on the Consultation Hub which is also not disputed. The SAR is supported by the findings of fact in the Mt Arthur Coal decision at [29] and those findings should be accepted as correct, and applied mutatis mutandis in the present case, on the basis that:

•  They were made after a full hearing by a five-member Full Bench that had been specially constituted to hear and determine challenges to the lawfulness and reasonableness of the Mt Arthur SAR. The Full Bench had the benefit of receiving evidence and submissions from each party and intervenor in those proceedings;

•  The CFMMEU was an applicant in Mt Arthur Coal. The AMWU participated in the hearing as an intervenor, but with the same rights as a party. It led evidence and made submissions;

•  The decision in Mt Arthur Coal, including the findings of fact set out in the previous paragraph, was a focus of consultation about the SAR. 2 No question about the correctness of any of these findings of fact was raised in consultation; and

•  There is no challenge to their correctness in these proceedings.

The SAR

[19] The basis of, and rationale for, the SAR is set out in a communication to employees issued via the Consultation Hub, updated on 6 January 2022, which states in summary that: BHP has an obligation and responsibility to keep workers safe and healthy; COVID-19 remains a significant risk to the Company’s workforce and vaccination remains the most efficient and effective control available to combat the risks posed by COVID-19. Reference is also made to the removal of harder controls and isolation measures by most State and Territory Governments and that in combination with the emergence of the more transmissible Omicron variant, the likelihood of infection including in the workplace, increases.

[20] Other relevant matters set out in the communication are that: unvaccinated people have a significantly higher likelihood of serious illness and possibly death if they get COVID-19; Delta strain continues to circulate and there is evidence it causes more severe illness; the more transmissible Omicron is expected to overtake Delta as the predominant strain by early 2022; vaccinated people can still transmit the virus but at a lower rate than those who are unvaccinated; all levels of Government are transitioning away from hard controls; and many BHP workers commute and travel, including to remote and regional areas. 3

[21] The Respondents submit that these matters are not contested by the Applicants in the present proceedings and the health and safety rationale should be accepted as being factually correct. In oral submissions the representatives of the Unions clarified that while the Unions do not take issue with the matters set out in the documents explaining the basis of and rationale for the direction in these proceedings, they reserve their rights to do so in any later proceedings. The Respondent also submits that the communication is consistent with the findings of the Full Bench in Mt Arthur Coal which should be accepted as correct. I accept that submission and the factual correctness of the health and safety rationale for the SAR.

[22] The Respondents’ submissions also detail the SAR requirements and the proposal for its implementation. The information in those submissions is not disputed. The SAR requires that employees have received two doses of approved COVID – 19 vaccinations. Employees are also required to provide information to demonstrate their vaccination status. There are four sources of information that the Respondents will accept as verification of a COVID – 19 Digital Vaccination Certificate. They are depicted as images on an information sheet issued by BHP and appended to the submissions of the CFMMEU and CEPU as Attachment “A”. In the order they are set out on the information sheet issued by BHP, the first document is titled “COVID – 19 Digital Certificate”. The second document is also titled “COVID – 19 Digital Certificate” but is in a in a form which is designed to be saved to a device such as a smart phone. The third document is titled “International COVID – 19 Certificate”. The fourth document is titled “Immunisation History Statement”.

[23] The three documents the Respondents will accept as evidence, titled as Certificates, include the employee’s name, date of birth, vaccine type, both vaccine dose dates and the document number. In addition to that information, the Immunisation History Statement includes all other immunisations that the holder has received, and the type of vaccine given. The document number is unique to each Certificate and the Immunisation History Statement and is not connected to the Individual Health Identifier of the holder and does not allow that number to be discovered by reference to the document number. The Individual Health Identifier of the holder is included on the first, third and fourth document. It is not included on the Digital Certificate designed to be saved to a device. However, the Respondent states, and it is not disputed, that it neither requires nor collects the Individual Health Identifier of the document holder.

[24] There are two other forms of COVID – 19 Digital Certificate depicted on the BHP information sheet. These are also titled “COVID – 19 Digital Certificate”. The first such certificate (the fifth on the information sheet) is the certificate found on a smart phone application known as the “Check in Queensland app”. The second such certificate (the fifth on the information sheet) is a certificate which can be accessed via the MyGov or Medicare apps. These certificates indicate the employee’s name, date of birth and date the certificate is valid from, being the date of the last vaccination. These documents are not accepted by the Respondents as evidencing vaccination status.

[25] The SAR provides for two means by which employees can provide information evidencing their vaccination status: 4

(a) They can upload the information to BHP’s Vaccination Data Capture Portal (Vaccination Portal) on its Digital Work Space (DWS), being BHP’s internal intranet;

(b) Alternatively, they can visit designated stations on-site at which authorised personnel can sight and record their Vaccination Information.

[26] The Respondents state that in either case, the employee needs either their COVID-19 digital certificate issued by the Federal Government (Vaccination Certificate) or their immunisation history statement. An employee will only have a Vaccination Certificate if they have received two doses of an approved COVID-19 vaccine. If they have only received a single dose, they will instead have access to an immunisation history statement. In both cases employees are asked whether they give their express consent to the collection of the information via the following consent notice. If an employee does not consent the information is not collected.

“Declaration and Consent

To keep you and our workforce safe and healthy BHP wishes to collect and process information about your COVID-19 vaccination status. This will assist us to plan for the future and escalate or de-escalate our COVID-19 controls and enable us to make decisions about workplace and site access in order to protect you and other BHP workers against COVID-19 infection risk.

By [checking the box], you consent to BHP:

1. collecting and processing information about your COVID-19 vaccination status for the purposes described above; and

2. where necessary, disclosing this information to third parties (health, security, site access and travel service providers); and

3. storing this information in BHP systems in line with our Global Privacy Notice for BHP Workers.

Giving your consent is voluntary and you are free to withdraw, alter or restrict your consent at any time by notifying BHP in writing. However, it would be helpful for you to share your vaccination status with us, as it will assist BHP to identify controls to continue to keep our workers as safe and healthy as possible. Without access to this information, we may assume that you have not received the COVID-19 vaccine for the purpose of our controls, including workplace entry controls.

We will manage all of your information in accordance with privacy laws. Your information will be stored securely and only accessible by the BHP Health Team. For more about BHP privacy management practices, and about your rights in relation to information held by BHP, please see the Global Privacy Notice for BHP Workers and Our Requirements for Information Governance and Controlled Documents.”

[27] To upload proof of their vaccination status employees are able to click on a link on the Vaccination Portal and download and complete a “COVID-19 Vaccination Form” (Vaccination Form). On the Vaccination Form, employees enter their name, date of birth, BHP employee number, date of their COVID-19 vaccine dose(s), the type of vaccine they had (i.e. Pfizer, AstraZeneca, or Moderna) and the document ID of either their Vaccination Certificate or immunisation history statement (together, the Vaccination Information). The document ID refers only to the Vaccination Certificate or immunisation history statement. It is not the employee’s Individual Health Identifier number and does not enable that number to be identified. The employee also attaches a copy of either their Vaccination Certificate or their immunisation history statement. 5

[28] The Vaccination Form makes clear that consent is voluntary and can be withdrawn at any time and requests employees to express their consent by ticking a box marked: “I agree”. 6 If employees do not indicate agreement in this manner, they will not be able to submit through the Vaccination Portal and therefore no record is created in the Vaccination Portal or the Cority database, used by BHP to record health and safety hygiene data.

[29] As an alternative to submitting the Vaccination Form via the Vaccination Portal, employees can give their Vaccination Information in person to a BHP Health Team member at site. The process involves the Health Team member reading out the consent notice set out on the Vaccination Form, 7 including that consent is voluntary and employees are free to withdraw, alter or restrict their consent at any time by notifying BHP in writing. Employee orally confirm consent and provide the Vaccination Information by showing the Vaccination Certificate or immunisation history statement to the BHP Health Team member, who uses it to verify the Vaccination Information, but without taking a copy of the document and the Health Team member inputs only the Vaccination Information into Cority.8

[30] Other relevant implications of the SAR are that employees who cannot comply with a site access requirement on the date that it becomes effective will be stood down on unpaid leave. Those who cannot comply with the SAR without reasonable excuse will be asked to show cause why their employment should not be terminated.” 9 Further, it is stated that if employees do not provide access to their vaccination status, BHP “may assume that you [the employee] have not received the Covid-19 vaccine for the purpose of this critical control.”10

The Unions’ cases

[31] The structure of the case advanced by the CFMMEU and the CEPU is that the primary argument is based on the Privacy Act issue and the alternative argument relies on the bodily integrity issue. In relation to the bodily integrity issue, it is not asserted by the CFMMEU and the CEPU that the effect the SAR has on bodily integrity is, of itself, sufficient to make the site access requirement unreasonable. Rather, the argument advanced on behalf of the CFMMEU and the CEPU is that taken together, the contravention of the Privacy Act and the effect that the SAR has on bodily integrity cumulatively tips the balance against the reasonableness of the SAR. The AMWU’s position is that the privacy issue and the bodily integrity issue must be weighed in considering whether the SAR is lawful and reasonable.

[32] The Unions’ submissions all point to the fact that there is nothing in public health orders, the industrial instruments or the express terms in the employees’ contracts that would provide the legal basis for the SAR. It follows that the basis for the SAR must derive from the term implied into all contracts of employment to the effect that employees must follow the lawful and reasonable directions of their employer. Such a term is implied by law, in the absence of a contrary intention by the parties. In Mt Arthur Coal the Full Bench accepted that a direction must be lawful and reasonable for an employee to be obliged to follow it. 11

[33] The seminal decision referred to by the Unions concerning the requirement of employees to follow lawful and reasonable directions of their employer, is R v Darling Island Stevedoring & Lighterage Co Ltd; Ex parte Halliday 12 (Darling Island Stevedoring) in which Dixon J summarised the common law position as follows:

“Naturally enough the award adopted the standard or test by which the common law determines the lawfulness of a command or direction given by a master to a servant. If a command relates to the subject matter of the employment and involves no illegality, the obligation of the servant to obey it depends at common law upon its being reasonable.

In other words, the lawful commands of an employer which an employee must obey are those which fall within the scope of the contract of service and are reasonable.”

[34] The CFMMEU and CEPU contend that the meaning of the word “lawful”, in the context of “lawful and reasonable” is elusive, but point to the following definitions in the Macquarie Dictionary (3rd edition) which should be adopted for the purpose of the Recommendation:

•  Legal appointed, established or authorised by law; deriving authority from law.

•  Illegal not legal; unauthorised.

•  Unlawful Not lawful; contrary to law; illegal; not sanctioned by law.

•  Lawful allowed or permitted by law; not contrary to law.

[35] The above definitions demonstrate that there is no material difference between legal/lawful on the one hand and illegal/unlawful on the other. It is a false dichotomy to suggest that, for example, illegality is concerned with the criminal law whereas unlawfulness is concerned with the civil law. The terms lawful and legal (and their negative equivalents) can and should be used synonymously.

[36] The CFMMEU and CEPU further note that obviously enough, a direction will not be lawful if it is unlawful. The direction will be unlawful if it involves, as a constituent part, a failure to comply with applicable legislation. As the above definitions demonstrate, whether the legislative breach is one which attracts a civil penalty or some other remedy, is of no moment.

[37] The AMWU highlights that a direction must be both lawful and reasonable, and that as the Federal Court observed in McManus v Scott-Charlton 13:

“Questions of illegality and reasonableness apart, the alternate formulations of lawfulness proposed by Dixon J are that the command “relates to the subject matter of the employment” or falls “within the scope of the contract of service”. It is clear that these were intended to be synonymous in the limitation they expressed.

The need for some such limitation is patent: employment does not entail the total subordination of an employee's autonomy to the commands of the employer. As was said by the President in Australian Tramway Employees' Association v Brisbane Tramways Co Ltd (1912) 6 CAR 35 at 42:

“A servant has to obey lawful commands, not all commands. The servant does not commit a breach of duty if he refuse to attend a particular church, or to wear a certain maker's singlets. The common law right of an employee is a right to wear what he chooses, to act as he chooses, in matters not affecting his work.”

There are obvious, and powerful, considerations of civil rights and liberties and of due process which inform this. These need not be laboured here although they are of no little significance in the resolution of this case.” 14

[38] Further, the AMWU cited the principle that the reasonableness and proportionality of a direction ought be assessed on a case-by-case basis as observed by the Full Bench in Mt Arthur Coal:

“[259] The reasonableness of a direction is a question of fact having regard to all the circumstances, which may include whether or not the employer has complied with any relevant consultation obligations; the nature of the particular employment; the established usages affecting the employment; the common practices that exist; and the general provisions of any instrument governing the relationship.” 15

[39] The CFMMEU and the CEPU contend that as in the Mt Arthur Coal case, where a direction involves one aspect of unreasonableness it is rendered wholly invalid. It is also contended that the SAR is “replete with unlawfulness and unreasonableness” having regard to the Privacy Act issue and that on this basis alone, the Commission should conclude that the direction is invalid. Alternatively, the Commission should reach the conclusion that the direction is invalid having regard to the cumulative effect of the Privacy Act issue and the issue of bodily integrity.

[40] The AMWU submits that while many matters which might reasonably be said to bear on the question of lawfulness and reasonableness were canvassed in Mt Arthur Coal, and it does not cavil with matters where the Full Bench made findings, the Privacy Act issue and the bodily integrity issue were not dealt with to finality in that case. These matters are of concern to AMWU members and must be weighed in considering whether the SAR is lawful and reasonable, a matter that was not dealt with in Mt Arthur Coal.

[41] The Respondents contend that premise that the SAR is a breach of the Privacy Act is of critical importance, particularly to the case advanced by the CFMMEU and the CEPU, with the result that if the argument based on the Privacy Act fails, the case advanced by those Unions falls away. It is convenient to deal first with the bodily integrity issue.

The bodily integrity issue

Union submissions

[42] The CFMMEU and CEPU adopt and support the AMWU’s position on the issue of bodily integrity. The CFMMEU and the CEPU also contend that the SAR is replete with unlawfulness and unreasonableness, having regard to the Privacy Act. On this basis alone, the Commission should conclude that the direction is invalid. Alternatively, the Commission should reach the conclusion that the direction is invalid having regard, cumulatively, to the bodily integrity issue and the Privacy Act issue. As was the case in Mt Arthur Coal, where a direction involves one aspect of unreasonableness, it will be rendered wholly invalid. The CFMMEU and CEPU submit that the same applies to unlawfulness.

[43] The AMWU’s position is that the Commission should issue a recommendation concluding that the SAR is not a lawful and reasonable direction having regard to the Privacy Act and the right to bodily integrity. The AMWU submits that employees subject to the SAR have a right to bodily integrity at common law. 16 Considerations of civil rights and liberties inform the limitations on the capacity of an employer to direct its employees.17

[44] The AMWU contends that it ought be uncontroversial, as it was in Mt Arthur Coal, that absent medical contraindications, the choice for employees is between being vaccinated and continuing to be employed by their employer. 18 The AMWU submits that the pressure being applied to employees to give up their bodily integrity and to cede a civil right, when otherwise they would not wish to do so, is a matter that is relevant in an assessment of the reasonableness of the direction.

[45] The AMWU referred to the statement of the Full Bench in Mt Arthur Coal that:

“[223] The practical effect of the Site Access Requirement is to apply pressure to employees to surrender their bodily integrity (by undergoing medical treatment) in circumstances where they would prefer not to do so. In our view, this is plainly a relevant matter in assessing the reasonableness of the direction. However, we also accept that this factor is not determinative of the question of reasonableness; it is a consideration to be weighed in the balance with the other relevant considerations…” 19

[46] The AMWU submits that the significant pressure exerted by the Respondents upon employees to forfeit their right to bodily integrity is a matter which weighs against a conclusion that the SAR is a reasonable direction. It is a matter which alongside the Respondents’ breaches of the Privacy Act, leads to a conclusion that the direction is unreasonable.

[47] In oral submissions the AMWU clarified that it is not contended that the right to bodily integrity is violated by the SAR and thereby the direction is rendered unlawful. Rather, consistent with the decision in Mt Arthur Coal the AMWU submits that the practical effect of the SAR is that employees are forced to choose between getting vaccinated where they do not wish to do so or losing their job. This pressure goes to the reasonableness of the direction, and it is a matter to be weighed in the balance alongside what the AMWU asserts is a breach of the Privacy Act.

Respondents’ submissions

[48] The Respondents accept in Mt Arthur Coal that there was a common law right to bodily integrity, 20 and make the same concession in the present matters. In Mt Arthur Coal the Full Bench held that the right to bodily integrity consisted of “the right to an individual to choose what occurs with respect to his or her own person.”21

[49] The Respondents contend that the question in these disputes is whether that right is violated by the SAR. The same question was put in issue in Mt Arthur Coal. 22 The Full Bench held that the right to bodily integrity was not violated by the Mt Arthur SAR, because:

● It did not purport to confer authority on anyone to perform a medical procedure on anyone else; 23 and

● It did not involve coercion in the legal sense, such as would vitiate an employee’s consent to be vaccinated. 24

[50] The same conclusions should be applied to the SAR in these disputes, for the following four reasons. First, as the content of the SAR is materially identical to that of the Mt Arthur SAR, there is no material basis on which to distinguish them. Second, although, as a non-judicial body, the Commission is not bound by the doctrine of precedent, 25 as a matter of policy and sound administration it and its predecessors have generally followed previous Full Bench decisions relating to the issue to be determined, in the absence of cogent reasons for not doing so.26 Here, there are no such reasons. Third, the Respondents submitted that there are cogent reasons for the Commission as presently constituted to follow and apply the conclusions in Mt Arthur Coal in respect of bodily integrity on the basis that:

● The decision is manifestly correct; 27

● The Full Bench cited in support of its conclusions a passage from the first instance decision of the New South Wales Supreme Court in Kassam v Hazzard. 28 That aspect of Kassam has subsequently been confirmed on appeal by the New South Wales Court of Appeal.29

[51] Fourth, and independently of the first three reasons, the Respondents contend that it would be an abuse of process if the Applicants were to seek to reagitate in these issues that were conclusively resolved in Mt Arthur 30 and they should not be heard to do so.

[52] According to the Respondents, once the conclusions of the Full Bench in Mt Arthur Coal are applied in the present case, it necessarily follows that the SAR is not unlawful because of its effect on bodily integrity. The same process of reasoning was applied in Mt Arthur Coal where the Full Bench held that the Mt Arthur SAR was prima facie lawful. 31 It did so notwithstanding that it recognised that “[t]he practical effect of the [Mt Arthur] Site Access Requirement is to apply pressure to employees to surrender their bodily integrity (by undergoing medical treatment) in circumstances where they would prefer not to do so.”32 Plainly, the Full Bench did not consider that this rendered the Mt Arthur SAR unlawful. The Respondents’ position is that the same conclusion should be applied to the Queensland SAR.

[53] In Mt Arthur Coal the Full Bench held that the practical effect of the Mt Arthur SAR was a relevant matter in assessing the reasonableness of the direction. However, the Respondents also accept that this factor is not determinative of the question of reasonableness; it is a consideration to be weighed in the balance with the other relevant considerations.’ 33 The Respondents’ view is that the same conclusions should be applied to the SAR. The Respondents submit that the following considerations are relevant, and together substantially outweigh the fact that the practical effect of the SAR is to apply pressure to employees to surrender their bodily integrity by being vaccinated in circumstances where some of them may prefer not to do so.

[54] First, the Respondents referred to Mt Arthur Coal where the Full Bench made the following finding:

“We note that there are a range of considerations which otherwise weighed in favour of a finding that the Site Access Requirement was reasonable, including that:

1. It is directed at ensuring the health and safety of workers of the Mine.

2. It has a logical and understandable basis.

3. It is a reasonably proportionate response to the risk created by COVID- 19.

4. It was developed having regard to the circumstances at the Mine, including the fact that Mine workers cannot work from home and come into contact with other workers whilst at work.

5. The timing for its commencement was determined by reference to circumstances pertaining to NSW and the local area at the relevant time.

6. It was only implemented after Mt Arthur spent a considerable amount of time encouraging vaccination and setting up a vaccination hub for workers at the Mine.” 34

[55] Consistent with the Respondents’ submissions that the factual findings in Mt Arthur Coal regarding the COVID-19 disease should be accepted in these disputes, these findings should be applied, mutatis mutandis, to the SAR.

[56] Second, the Respondents submit that the Full Bench’s reference in the passage quoted in the previous paragraph to the “health and safety of workers” was no doubt intended to take up the findings of fact set out in paragraph [29] of the Mt Arthur Coal decision in relation to COVID – 19, which are a powerful factor supporting the reasonableness of the SAR, just as they were for the Mt Arthur SAR.

[57] Third, all the Respondents are subject to statutory obligations to manage health and safety at their workplaces, and employees are subject to correlative duties to protect their own health and safety and that of other workers. For example, section 39(1)(c) of the Coal Mining Safety and Health Act 1999 (Qld) (CMSH Act) requires a coal mine worker to take any “reasonable and necessary course of action to ensure anyone is not exposed to an unacceptable level of risk”. That requirement in section 39(1)(c) of the CMSH Act encompasses, as held in Grant v BHP Coal Pty Ltd, 35 the imposition of conditions that may constitute an intrusion on the person. The facts and matters set out in the Health and Safety Rationale, the documents supporting that rationale, and the findings of fact made by the Full Bench in Mt Arthur Coal, all demonstrate that the SAR is directed to compliance with the Respondents’ statutory and common law obligations to protect health and safety at the workplace. The Respondents submitted that the obligations, and the correlative rights that they create, are another powerful factor supporting the reasonableness of the SAR.

[58] Fourth, the most important consideration supporting the conclusion in Mt Arthur Coal that the Mt Arthur SAR was unreasonable was deficiencies in consultation. 36 This consideration has no application to these disputes. There has been fulsome consultation. Employees who have views regarding vaccination as a SAR have been heard, they have been consulted, and their views have been taken into account.37 It follows that the balancing exercise identified in Mt Arthur weighs conclusively in favour of the reasonableness of the SAR.

The Privacy Act issue

Relevant provisions of the Privacy Act

[59] The provisions of the Privacy Act which were the focus of submissions and are relevant to the matters in dispute, are set out below. The objects of the Privacy Act set out in s. 2A are as follows:

“The objects of this Act are:

(a) to promote the protection of the privacy of individuals; and

(b) to recognise that the protection of the privacy of individuals is balanced with the interests of entities in carrying out their functions or activities; and

(c) to provide the basis for nationally consistent regulation of privacy and the handling of personal information; and

(d) to promote responsible and transparent handling of personal information by entities; and

(e) to facilitate an efficient credit reporting system while ensuring that the privacy of individuals is respected; and

(f) to facilitate the free flow of information across national borders while ensuring that the privacy of individuals is respected; and

(g) to provide a means for individuals to complain about an alleged interference with their privacy; and

(h) to implement Australia's international obligation in relation to privacy.”

[60] Section 6 Interpretation, contains the following definitions:

“collects” : an entity collects personal information only if the entity collects the personal information for inclusion in a record or generally available publication.

“consent” means express consent or implied consent.

“record” includes:

(a) a document; or

(b) an electronic or other device”…

[61] Section 14 explains that the Australian Privacy Principles (APP) are set out in the clauses of Schedule 1 to the Privacy Act. Section 15 provides that APP entities, which by virtue of the definition in s. 6C are organisations including bodies corporate, must not do an act or engage in a practice that breaches an Australian Privacy Principle. Principles 3.3 and 3.4 relevantly provide:

“3 Australian Privacy Principle 3—collection of solicited personal information

…

Sensitive information

3.3 An APP entity must not collect sensitive information about an individual unless:

(a) the individual consents to the collection of the information and:

(i) if the entity is an agency—the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities; or

(ii) if the entity is an organisation—the information is reasonably necessary for one or more of the entity’s functions or activities; or

(b) subclause 3.4 applies in relation to the information.

3.4 This subclause applies in relation to sensitive information about an individual if:

(a) the collection of the information is required or authorised by or under an Australian law or a court/tribunal order; or

(b) a permitted general situation exists in relation to the collection of the information by the APP entity; or …

Note: For permitted general situation, see section 16A. For permitted health situation, see section 16B.”

[62] Section 16A of the Privacy Act concerns permitted general situations in relation to the collection, use or disclosure of personal information. The provision is set out in tabular form and the present dispute relates to item 1 in the table as follows:

“16A - Permitted general situations in relation to the collection, use or disclosure of personal information

(1) A permitted general situation exists in relation to the collection, use or disclosure by an APP entity of personal information about an individual, or of a government related identifier of an individual, if:

(a) the entity is an entity of a kind specified in an item in column 1 of the table; and

(b) the item in column 2 of the table applies to the information or identifier; and

(c) such conditions as are specified in the item in column 3 of the table are satisfied.”

[63] In relation to breach of an Australian Privacy Principle, s. 6A(1) provides:

6A - Breach of an Australian Privacy Principle

(1) For the purposes of this Act, an act or practice breaches an Australian Privacy Principle if, and only if, it is contrary to, or inconsistent with, that principle.

[64] It is not disputed that the Respondents have responsibilities under the Privacy Act. The Respondents are organisations as defined in s.6C of the Privacy Act and therefore each is an “APP entity”, 38 and is required to comply with the Australian Privacy Principles (APPs) in relation to collection of personal information from the Employees.39 It is also not disputed that the direction provides for the Respondents to collect personal information of employees for inclusion in a record, and that the information is sensitive information as defined in the Privacy Act.40

[65] The Full Bench in Mt Arthur Coal set out the following summary of the relevant Privacy Act provisions which I adopt.

[207] … An APP entity ‘collects’ personal information ‘only if the entity collects the personal information for inclusion in a record or generally available publication’. A ‘record’ includes a document or an electronic or other device. An APP entity must collect personal information only by fair and lawful means.

[208] APP 3.3 provides that an APP entity that is an organisation must not collect ‘sensitive information’ about an individual unless the individual consents and the information is reasonably necessary for one or more of the organisation’s functions or activities. ‘Sensitive information’ includes health information about an individual, which would include information about a person’s vaccination status. The requirement to have consent to the collection of sensitive information in APP 3.3. is subject to the exceptions in APP 3.4, which include:

● where the collection of the information is required or authorised by an Australian law. This could include where required under public health orders or directions, and

● where the APP entity is an organisation, and a permitted general situation exists in relation to the collection of information by the APP entity. This includes where the APP entity reasonably believes that the collection is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.

[209] ‘Consent’ in APP 3.3. means ‘express or implied consent’. The Australian Privacy Principles Guidelines issued by the Australian Information Commissioner under s.28(1) of the Privacy Act explain:

‘… The four key elements of consent are:

• the individual is adequately informed before giving consent

• the individual gives consent voluntarily

• the consent is current and specific, and

• the individual has the capacity to understand and communicate their consent.’

[66] The Full Bench in Mt Arthur Coal also set out the following guidance issued by the Office of the Australian Information Commissioner on COVID-19 vaccinations and privacy obligations explains:

“Consent to collecting vaccination status information must be freely given and constitute valid consent. You must make sure that your employees understand why you need to collect this information, what you will use it for, and give them a genuine opportunity to provide or withhold consent. You should exercise caution in seeking consent in these circumstances given the imbalance of power in the employment relationship that may cause employees to feel pressured or obligated to provide their consent.

Public health advice will be useful to inform what information, including vaccination status information, is reasonably necessary to prevent or manage COVID-19. Applicable workplace laws and contractual obligations will also influence whether the collection of vaccination status information would be considered reasonably necessary for your activities or functions.

Where you have provided a lawful and reasonable direction to your employee to be vaccinated, you can also ask your employee to provide evidence of their vaccination if you are satisfied that this is reasonably necessary and you have obtained the employee’s consent.”

CFMMEU and CEPU submissions

[67] The Respondents have said they are not content to simply sight, but not collect, employees’ vaccination status. The CFMMEU and the CEPU submit that the document published by the Respondents on 6 January 2021 entitled “COVID-19 Digital Vaccination Certificate Verification” (Vaccination Verification Document), ostensibly directed at the second method of verification, makes apparent that the material sought to be collected by the Respondents travels beyond whether the employee is vaccinated. The Respondents also seek vaccine type, both vaccine dose dates and document number.

[68] Both methods available to employees to verify vaccination status require the collection by the employer of sensitive information. Both methods purportedly require employees to consent to the collection of their sensitive information. Putting to one side the question of reasonable necessity, the CFMMEU and CEPU contend that the direction falls at the first hurdle and that any consent an employee may supply is vitiated by the threat that, if they do not consent, they may be disciplined or have their employment terminated. 41 Reference is made to the decision of a Full Bench of the Commission in Lee v Superior Wood42 where a Full Bench of the Commission found that a direction in relation to the provision of sensitive information was unlawful and unreasonable because it was contrary to the Privacy Act and stated that any consent by the employee in that case would likely have been vitiated by the threat of termination of his employment.

[69] Applying this conclusion to the present case, the CFMMEU and the CEPU contend that it can hardly be described as valid consent in circumstances where an employee (who wishes to convey vaccination status) has no alternative available to verify vaccination status that does not involve the collection of sensitive information.

[70] The CFMMEU and CEPU pose the rhetorical question as to why the “show the green tick” method of establishing vaccination status is good enough for the State of Queensland when a coal miner enters the Blackwater Hotel, but not good enough for BHP when a coal miner enters the Blackwater Mine? The CFMMEU and CEPU submit that these curious methods of verifying vaccination status invite consideration of whether the test of “reasonable necessity” in APP 3.3 is met. Importantly, APP 3.3 is not concerned with whether the vaccination requirement is reasonably necessary, but rather, whether the collection of sensitive information is reasonably necessary.

[71] The CFMMEU and CEPU submissions set out various forms of Vaccination Verification Document which may be utilised and assert that there are suitable alternatives that are open to the Respondents and which would comply with the Privacy Act. These include, at least, the “Check in Queensland” app and the presentation of an employee’s COVID – 19 Digital Certificate which does not contain sensitive information. According to the CFMMEU and the CEPU, the mere availability of these alternative methods demonstrates that the methods nominated by the Respondents are not reasonably necessary.

[72] Insofar as the Respondents assert that they need to collect the sensitive information in order to interrogate its accuracy, that argument fails for three reasons. Firstly, one should not presume that employees will engage in vaccine certificate fraud, which would be serious misconduct if not a criminal offence. Secondly, given the nature of the information, it is not as if the provision of the additional sensitive information (which is presumably no less susceptible to fraud) would in practical terms enable the Respondents to take any real steps to interrogate its accuracy: an employer can hardly ask an employee’s doctor whether they gave a particular patient a particular vaccine on a particular date. Thirdly, most importantly, there are other and more effective means of addressing this concern: an employer with a proper basis to doubt the information provided could direct an employee to provide better evidence of their vaccination status (without directing the collection of sensitive information), for example, by the employee obtaining an appropriately worded medical certificate.

[73] The CFMMEU and CEPU’s position is that the two methods of verifying vaccination status that are embedded within the direction are not fit for purpose. The concerns go to the information sought (more than whether vaccinated) and the way in which it must be provided (collected not sighted). The CFMMEU and CEPU submit that these methods do not comply with the Privacy Act in respect of consent nor in respect of reasonable necessity. They are in that sense unlawful which means the direction cannot be a lawful one. It is therefore also unreasonable.

[74] Further, the CFMMEU and CEPU submit that a vaccinated employee who wishes to demonstrate their vaccination status to their employer, but who does not consent to the employer collecting their sensitive information, is left in an invidious position. They are unable to comply with the direction as articulated. This unfair and absurd situation is another reason why the direction is unreasonable. Similarly, the direction is unreasonable for such an employee because it involves “substantial danger” 43 to the employee, namely the risk of their sensitive information being misused after it is collected, for example identity fraud.

[75] In oral submissions the CFMMEU and the CEPU confirmed that for the purpose of the hearing and the Recommendation sought, the health and safety rationale that goes behind the SAR and the direction is not disputed but reserve their position in relation to whether those matters may be disputed in other proceedings. Notwithstanding this concession, it was contended that the Respondents had not established any cogent reason why the collection and storage of information would enable them to manage their COVID – 19 situation. The SAR is about site access and not the collection of information to service the requirement.

[76] The Respondents have also not established how alternative methods of implementing the SAR would cause unjustifiable hardship. The Respondents are well resourced organisations. There is no suggestion that gates to the sites are unmanned and the CFMMEU’s proposal for checking vaccination status visually, only applies to those employees who do not consent to the collection of sensitive information in relation to their vaccination status. Further, the impost on the Respondents of the methods proposed as an alternative to the SAR, is not outweighed by the primacy of the employees’ statutory right to privacy, including their right to withhold consent to the provision of their sensitive information.

[77] In relation to the Respondents’ assertion that the information is necessary to prevent fraud, the CFMMEU and the CEPU submit that justification on this basis is premature, and the Respondents have ample means to deal with this issue if fraud is suspected and does not require to pre-emptively collect information before fraud arises. The Respondents’ submission that the information will assist checking the vaccination register, proceeds on a false premise as it is the understanding of the CFMMEU and CEPU that an employer or third party cannot search the Australian Immunisation Register. If there is a sound, defensible or well-grounded suspicion that an employee’s certificate is fraudulent, the employee can substantiate vaccination by taking steps including providing a certificate from the medical practitioner who administered the vaccination. In response to a question from me, Mr Tiley agreed that the issue the CFMMEU and the CEPU raise is that the information could be sighted by the Respondents but not recorded and that there should be no collection of any vaccination data, other than by consent.

[78] In response to the assertion that the concerns raised in the CFMMEU and CEPU submissions are hypothetical, it is stated that there are three categories of employees whose views are relevant to the privacy issue: those who are vaccinated and willing to consent to the collection of their data; employees who are vaccinated and have consented under protest to their data being collected and employees who are vaccinated and do not consent to their data being collected. The two latter categories are real people with a real problem and their circumstances are far from hypothetical.

[79] It was also contended that the argument is not that consent is vitiated by duress because of threat of termination, but rather that there is no consent in such circumstances. While there is no express threat of termination if consent is not provided, if employees want to access the workplace and work, and if they do not want to be treated as unvaccinated, they must waive their rights to privacy. On any view, employees in such circumstances cannot be described as making a choice. In this regard, reliance is placed on the decision of a Full Bench of the Commission in Lee v Superior Wood 44 and the Respondent’s assertion that the passage cited by the CFMMEU and the CEPU is obiter should not be accepted.

[80] It was also submitted that if the Commission is against the CFMMEU and the CEPU on the requirements in s. 16A(1)(a) of the Privacy Act about obtaining consent of employees being unreasonable or impracticable, the Respondents have not made out the requirement in (b) that the entity reasonably believes that the collection, use or disclosure is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety. This requires more than a threat of fraud or that it would be convenient for employees to provide the requested information.

[81] The CFMMEU and the CEPU maintain that the Full Bench in Mt Arthur Coal did not decide the privacy issue, and half-hearted attempts by the Respondents to suggest otherwise, should not be accepted. Finally, in relation to the consequences of failure to comply with the Privacy Act, it is submitted that the availability of a cause of action for a breach is not required before there would be a breach in the requisite sense and whether a provision of an Act is enforceable by way of a civil penalty or not, makes no difference in relation to unlawfulness. The question is whether there is a legal obligation that is not being met. The CFMMEU and CEPU further submit that in Mt Arthur Coal the Full Bench found that a failure to comply with a statutory obligation to consult about the direction made it unreasonable. In the present case, the direction is both unlawful and unreasonable, but even if unlawfulness is unable to be made out in the way contended for by the Respondents, the direction is still unreasonable, and this is sufficient to render it invalid.

[82] In relation to the Respondents’ obligations under the CMSH Act, the CFMMEU and the CEPU submit that while that CMSH Act may have much to say about the necessity or otherwise of certain measures to address the risk presented by disease, and one of them may be vaccination, this does not address how it is necessary to collect sensitive information to manage that risk.

AMWU Submissions

[83] The AMWU submits that in Mt Arthur Coal the Full Bench was unable to reach a concluded view about whether the Respondent had breached its privacy obligations. After setting out the relevant provisions of the Privacy Act and APPs, the AMWU referred to information provided by the OAIC as set out by the Full Bench in Mt Arthur Coal 45 and additional advice from that source that:

•  Employers can only collect information about employee’s vaccination status in particular circumstances where the employee consents and the collection is reasonably necessary for your workplaces’ functions and activities.

•  You must have clear and justifiable reasons for collecting employee vaccination status information for it to be reasonably necessary. If you do not have clear and justifiable reasons, you should not collect vaccination status information.

•  You can collect vaccination status information without consent only in circumstances where the collection is required or authorised by law (including a state or territory public health order or direction).

•  Only the minimum amount of personal information reasonably necessary to maintain a safe workplace should be collected, used or disclosed.

•  Vaccination status information should only be used or disclosed on a ‘need-to-know’ basis.

•  You must inform employees about how their vaccination status information will be handled.

•  Ensure you take reasonable steps to keep employee vaccination status and related health information secure. 46

[84] The AMWU also submits that to be voluntary, an individual must have a genuine opportunity to provide or withhold consent and consent will not be voluntary where there is duress, coercion or pressure that could overpower the person’s will. 47 The following factors are relevant to deciding whether consent is voluntary:

•  the alternatives open to the individual, if they choose not to consent

•  the seriousness of any consequences if an individual refuses to consent

•  any adverse consequences for family members or associates of the individual if the individual refuses to consent.”

[85] The AMWU also referred to the decision in Lee v Superior Wood Pty Ltd 48 (Lee), where the Full Bench found that any “consent” given for the purposes of APP 3.3, where an individual is faced with the prospect of discipline or dismissal, would likely have been vitiated by the threat of discipline or dismissal and would not have been genuine,49 and submitted that this approach should be applied in the present case.

[86] The AMWU contends that the practical effect of the SAR, is that employees must consent to the collection of sensitive information about their vaccination status or face the threat of dismissal or disciplinary action. The consequences of the refusal of consent and the attendant loss of employment for these workers are serious and may include loss of income, dignity and self-worth. The AMWU’s position is that any “consent” for the purposes of the statutory scheme of the Privacy Act and APP 3.3, having regard to the APP Guidelines and Lee, cannot therefore be voluntary.

[87] In relation to whether the collection of sensitive information is “reasonably necessary” the AMWU refers to the APP Guidelines which relevantly provide:

“B.114 The ‘reasonably necessary’ test is an objective test: whether a reasonable person who is properly informed would agree that the collection, use or disclosure is necessary. It is the responsibility of an APP entity to be able to justify that the particular collection, use or disclosure is reasonably necessary.

B.115 The test must be applied in a practical sense. For example, under APP 3 if an entity cannot in practice effectively pursue a function or activity without collecting personal information, the collection would usually be considered reasonably necessary for that function or activity. However, a collection, use or disclosure of personal information will not usually be considered reasonably necessary if there are reasonable alternatives available, for example, if de-identified information would be sufficient for the function or activity.

B.116 An APP entity cannot rely solely on normal business practice in assessing whether a collection, use or disclosure is reasonably necessary. The primary issue is whether, in the circumstances of a particular entity, a collection, use or disclosure is reasonably necessary for a particular function or activity.” 50

[88] The AMWU submits that the Respondents have not justified how it is reasonably necessary for one or more of their functions or activities to collect the sensitive information that is employees’ vaccination status. The AMWU further submits that no statute, public health order or direction requires the vaccination of these employees or the collection of their vaccination status.

[89] The AMWU’s position is that there are reasonable alternatives to the collection of sensitive information available, in use in many other contexts currently, which would not involve the collection of sensitive information – for example, displaying a vaccine certificate at entry, but no collection or record being created, as is presently required in Queensland to access a bar or café. The AMWU submits that mere apprehensions about potential fraud 51, do not render the collection of sensitive information reasonably necessary.

[90] In relation to subclause 3.4 of the APP Principles, the AMWU submits that no exception has been invoked by the Respondents, nor does one apply. No “Australian law” (which excludes contracts) requires or authorises the collection of the sensitive information. The AMWU also submits that the circumstance is not otherwise one where is it unreasonable or impracticable to obtain consent (as evinced by the Respondents purporting to seek consent) from workers. In light of the obvious alternatives to the collection proposed, merely that it is convenient to the Respondents to collect sensitive information, is not an adequate basis for a reasonable belief that the collection is necessary. 52

[91] In relation to the lawfulness of the SAR, the AMWU submits that if the Respondents have not acted in accordance with the Privacy Act, consistent with the decision in Lee, the direction is not a lawful one. 53 It is a direction which involves illegality. Further, the AMWU contends that this plainly weighs significantly against the reasonableness of the direction.

[92] In oral submissions, Mr Turner for the AMWU also confirmed that it did not seek to contest other matters in the present proceedings but reserved its rights to do so in other proceedings. In relation to the issue of consent, the AMWU submits that the Respondents’ submissions conflate the issue of vitiation of consent for the purposes of establishing the tort of battery and violation of the person’s bodily integrity, with the content of what is a statutory requirement that consent be obtained from a person before their sensitive information is collected for the purposes of APP 3.3 in Schedule 1 of the Privacy Act. The passages in Mt Arthur Coal referred to by the Respondents deal with these issues and not the issue of consent for the purposes of the Privacy Act.

[93] It is clear that a person who does not consent to have their sensitive information collected by the Respondents will face termination. The AMWU contends that in the workplace there is little greater pressure that could be exerted on a person and in that context, it cannot be concluded that a person is given a genuine opportunity to agree or disagree. Whether or not it is concluded that consent is vitiated, it is certainly not voluntary.

[94] The AMWU urges that the Commission follow the Full Bench decision in Lee and submits that nothing can be inferred about the correctness of that decision from the decision in Mt Arthur Coal. Further, the AMWU submits that the Respondents have rejected the reasonable suggestion that they simply sight a certificate on entry rather than collect sensitive information of workers and that this is now a practice which is a feature of public life in Queensland. In relation to the Respondents’ claim that this would be onerous, the AMWU contends that it is difficult to see how this could be so given that it is used in other facets of public life. In relation to the Respondents’ claim that the collection of sensitive information is necessary to prevent fraud, it is difficult to conceive of fraud that could not be identified by sighting a certificate on entry. If the document did not appear real, the person tendering it could easily be pulled aside and dealt with, by commencing an investigation.

[95] In response to the Respondent’s assertion that it would not be practical to sight a certificate on each occasion an employee enters a mine site or other workplace, the AMWU contends that employees enter through a limited number of gates, and such alternative arrangements would only need to be implemented for those who did not provide consent to the collection of their sensitive information. The Respondents have not considered a third option for such employees and their options are provide the information or get the sack. The AMWU also submits that convenience for the Respondents does not make it reasonably necessary for employees to be required to provide sensitive information.

[96] In response to the assertion that expectations concerning health and safety in the workplace entail that there will be some intrusion into the privacy of employees, and the Respondents’ reliance on Briggs v AWH Pty Ltd 54 and Grant v BHP Coal Pty Ltd55, the AMWU submits that neither decision considered or touched upon APP 3.3 or dealt with the provisions of the Privacy Act more generally. Both decisions were also decided before the Full Bench decision in Lee and neither is authority for the proposition that APP 3.3 is somehow overridden by broader workplace health and safety duties that do not directly override the provisions of the Privacy Act more generally.

[97] The AMWU also submits that the collection of sensitive information is not reasonably necessary for the operation or management of a system to manage risk for the purposes of meeting the Respondents’ obligations under the CMSH Act and there are other reasonable alternatives to the collection of that information that are sufficient to address the safety risk. Further, the AMWU submits that the Full Bench in Mt Arthur Coal was not ruling out that a breach of the Privacy Act might render a direction unlawful. Further, whether or not it is concluded in the present case that the direction is unlawful because it breaches the Privacy Act, it is certainly unreasonable on that basis.

Respondents’ submissions

[98] The Respondents submit that the Commission should conclude that the SAR does not contravene APP 3.3. The Respondents’ primary position is that collection of the information in question – being information by which the Respondents verify employees’ vaccination status – is permitted by APP 3.3(a), because:

•  The Respondents only receive the information from employees who expressly consent to its provision, and who take positive steps to provide the information to the Respondents through one of two specified processes; and

•  The information is reasonably necessary for the implementation of the SAR.

[99] The Respondents also submit that they do not collect the information in question without employees’ express consent. However, if it is held (contrary to the Respondents’ submissions) that employees’ express consent is vitiated, then APP3.3(b) applies, and a ‘permitted general situation’ 56 would then exist, permitting the Respondents’ collection of information relevant to the SAR under APP 3.4(b) and section 16A of the Privacy Act, because:

● It is unreasonable or impracticable to obtain employees’ consent (this assumes that the Commission considers “consent” to require something different to that which is presently being provided by employees) to the collection, use or disclosure; and

● The Respondents reasonably believe that the collection is necessary to lessen or prevent a serious threat to the life, health or safety of any individual, or to public health or safety.

[100] Further, the Respondents submit that the Commission should conclude that, even if the Applicants establish a breach of APP 3.3, any such breach does not render the SAR unlawful. As to the requirements of the Privacy Act, the Respondents contend that the only way that they can effectively apply and enforce the SAR is by requiring employees to disclose information by which their vaccination status can reliably be verified. Analogously, the requirement to provide proof of vaccination is also a feature of the various public health orders that State governments have imposed. 57

[101] With respect to the two means by which employees can provide information demonstrating their vaccination status, in either case, the employee needs either their COVID-19 digital certificate issued by the Federal Government (Vaccination Certificate) or their immunisation history statement. An employee will only have a Vaccination Certificate if they have received two doses of an approved COVID-19 vaccine. If they have only received a single dose, they will instead have access to an immunisation history statement. In both cases employees are asked whether they give their express consent to the collection of the information via a consent notice. The document ID is not the employee’s Individual Health Identifier number and does not enable that number to be identified. Where the employee elects to upload the information via the portal, the employee also attaches a copy of either their Vaccination Certificate or their immunisation history statement. All information is provided by employees voluntarily and without indicating agreement by ticking the box on the Vaccination Form, the employee will not be able to submit through the Vaccination Portal and therefore no record is created in the Vaccination Portal or Cority.

[102] The Respondents submit that the Vaccination Form also explains (as is the case) that the purpose of collecting the Vaccination Information is to keep the employee and the workforce safe and healthy, including to:

● Plan for the future and escalate or de-escalate COVID – 19 controls; and

● Enable decisions about workplace and site access to protect employees against COVID-19 infection risk.

[103] The Consultation Hub document “FAQs Vaccination – how to upload and data use” 58 states further that (as is the case) the Vaccination Information is necessary so that the Respondents can:

● Plan and make informed decisions relating to the COVID-19 controls framework (including the escalation and de-escalation of COVID-19 controls);

● Introduce the SAR, which has been implemented to lessen or prevent a serious threat to the life, health and safety of individuals on site and to public health and safety; and

● Administer its work health and safety obligations.

[104] The Applicants do not challenge the truth of these explanations, and there is no basis on which they could do so. The Respondents’ view is that they should be accepted as correct. The Vaccination Form advises employees that without access to the Vaccination Information, BHP may assume that they have not received the COVID – 19 vaccine, including for the purpose of site access. 59

[105] The Respondents confirm that once an employee has completed the Vaccination Form the Vaccination Information is reviewed by an authorised BHP Health Team member. The Health Team member will input only 60 the Vaccination Information into a database on a separate software platform called Cority. No record is made or kept of any information other than the Vaccination Information.

[106] Cority is an environmental, health and safety database used by BHP to record health and hygiene data. Only authorised Health Team personnel can access Cority, for example, paramedics, health specialists, and health administrators. 61 All such personnel have completed data privacy training.62 The Respondents explained that that users are only given access to the parts of Cority that are necessary for them to complete their role. The Vaccination Certificate or immunisation record is not retained by the Respondents after the Vaccination Information is verified. Currently, all Vaccination Certificates and immunisation history statements uploaded to the Vaccination Portal are deleted within 28 days.63

[107] The Respondents submit that express consent is sought and received in each case before the Vaccination Form is completed in the Vaccination Portal. If consent is not given, an employee is treated as unvaccinated for the purpose of the SAR. Consent is also necessarily implicit in the process, in that the Vaccination Information is provided to the Respondents by the act of the employees.

[108] In relation to the assertion that employees’ consent is vitiated by reason that, should they choose not to provide the vaccination information, they will be assumed not to have been vaccinated, the Respondents submit that the argument seems to be that the economic and social pressure identified in Mt Arthur Coal at [222] and [223] coerces the employees’ free will or choice so as to render their consent legally ineffective. The Respondents submit that the argument fails for two reasons. First, it is entirely abstract and no employee has given evidence of being overborne. Second, the Applicants’ argument was expressly and authoritatively rejected in Mt Arthur Coal. The Respondents also referred to the judgment of Leeming JA in Kassam v Hazzard 64 where it was stated at [170] that “…free choice” is a label which disguises the fact that many choices commonly made by people are influenced by incentives and burdens, which are not uncommonly put in place for the express purpose of altering behaviour.”

[109] The Applicants’ contrary argument depends on Lee. 65 The Respondents submit that the Applicant there argued successfully that the employer’s direction to provide a biometric fingerprint on entry to the workplace was not lawful, because the employer did not comply with the requirements of the Privacy Act. The non – compliance was, relevantly, soliciting the collection of sensitive information without consent.66 In that case, consent was not actually given, and the fingerprint information not collected. However, the Full Bench said in obiter dicta at [58]: “…we consider that any “consent” that he might have given once told that he faced discipline or dismissal would likely have been vitiated by the threat. It would not have been genuine consent.”

[110] The Respondents position is that this statement should not be followed or applied in these disputes, for five reasons. One, it was obiter. Two, it was only a tentative – that is, neither certain nor definite – conclusion, as the word “likely” plainly indicates. Three, it addressed a hypothetical set of facts. Four, its correctness was left open in Mt Arthur Coal. 67 Five, it is inconsistent with the holding in Mt Arthur Coal at [222] that such economic and social pressure as inheres in the choice between being vaccinated or not continuing to be employed does not amount to coercion such as would vitiate consent. The Respondents view is that the Commission as presently constituted should follow Mt Arthur Coal in preference to Lee, because Mt Arthur Coal is more recent than Lee; it is indistinguishable on its facts (as relevant to this issue) from the present case; it is a unanimous decision of a five member Full Bench; the finding as to the absence of coercion was part of the ratio of the decision; and Mt Arthur Coal is consistent with the recent decision of the New South Wales Court of Appeal in Kassam.

[111] The Respondents also submit that the Vaccination Information is reasonably necessary for the Respondents’ functions and activities as employers and occupiers of the Queensland sites, as required by APP 3.3(a)(ii):

● First, because it is an essential feature of their activity of implementing the SAR; and

● Second, because the object and purpose of the SAR 68, is to fulfil the Respondents’ statutory and common law functions in respect of the health and safety of their employees.

[112] In relation to the arguments advanced by the Applicants that a reasonable alternative to the mechanisms provided for in the SAR by which employees can provide information demonstrating their vaccination status, would be the display by the employee of a Vaccine Certificate at entry without a record being created, the arguments should be rejected, for the following reasons.

[113] First, the Applicants adduce no evidence to establish that this would be a reasonable alternative. According to the Respondents it is not intuitively so – uploading the Vaccination Information means that site access cards can be activated and so checks are not required each time each employee seeks to access site. If no record is made, then a manual check would be required on each and every occasion that an employee seeks to access a site, resulting in site access becoming an onerous manual process at every site which would also require 24-hour physical presence at all site entry points including those where there is currently no physical presence.

[114] Second, the Respondents would be unable to check the information provided. The Respondents contend that it is reasonably necessary for them to be able to verify the vaccination information, which they can do by recording that information (including the document number of the Vaccination Certificate), and where any indicia of fraud is identified in the review of the Vaccination Certificate (eg. font changes or inconsistency of information), verifying the vaccination record through the Australian Immunisation Register.

[115] The Respondents also refer to the bare submission that the risk of fraud is not a valid reason to collect the vaccination information (as opposed to the mere sighting of that information). The Respondents’ position is that such a submission should be rejected. Given the critical health and safety risks which the SAR seeks to mitigate, it is reasonably necessary that the Vaccination Information be collected and capable of verification. The effectiveness of any critical control can only be ensured if the control is able to be verified. The potential consequence of a single employee misstating (intentionally or not) their vaccination status is to expose the entire workforce at that site to higher risks associated with COVID-19.

[116] According to the Respondents, the CFMMEU and CEPU propose that an employer with a proper basis to doubt the information provided could direct an employee to provide better evidence of their vaccination status (without directing the collection of sensitive information), for example, by the employee obtaining an appropriately worded medical certificate. The Respondents submit that this suggestion leaves unanswered the problematic issues of what would constitute a proper basis, what the appropriate wording of any medical certificate would be, and why this would be better evidence. Further, the Respondents submit that any such medical certificate would necessarily include – at minimum – the person’s name, date of birth, and vaccination status in order for it to be verified. This is “sensitive information” within the meaning of the Privacy Act.

[117] Third, it was submitted that the alternative proposed by the Applicants would still involve the Respondents, by their personnel, seeing employees’ vaccination information. The Respondents note that it is not clear why, in that case, the Applicants take exception to that information being recorded in Cority, or how that constitutes a breach of APP 3.3. The fact that there may be a different way of acquiring the relevant information does not answer the question posed by APP 3.3(a)(i), which is whether “the information is reasonably necessary for, or directly related to, one or more of the entity’s functions or activities”. The Respondents submit that the question of reasonable necessity is directed to the information in question, not the fact or method of collection.

[118] The Respondents note that the CFMMEU and CEPU raise the spectre of “identity fraud” but do not take issue with the Respondents’ information governance policies or controls, or any particular step in the processes described above, or otherwise attempt to explain or develop the submission. The suggestion that the provision of the vaccination information to the Respondents involves a “substantial danger” for that reason should therefore be rejected.

[119] Finally, the Respondents addressed what it described as the “straw man” argument posed by the CFMMEU and CEPU about the position of an employee who wishes to demonstrate their vaccination status to their employer, but who does not consent to the employer collecting their sensitive information. The Respondents submit that the Commission should not accept that such an employee (if one exists, which is speculative) is in an invidious, unfair or absurd position, for the reasons outlined above regarding why the Applicants proposed alternatives to the mechanisms proposed by the Respondents in collecting vaccine information should be rejected. The Respondents reiterate their position that the SAR cannot be implemented and operationalised as a safety control without employees’ vaccination information.

[120] The Respondents also submit that even if APP 3.3(a) were not satisfied, APP 3.3(b) would apply and that the collection of the vaccination information is permitted under APP 3.4(b) and section 16A of the Privacy Act. The Respondents submit that the interplay between employee privacy and an employer’s obligation to protect the safety of its workers and others was discussed in Briggs v AWH, 69 in which the Full Bench of the Commission confirmed70 that current standards and expectations of the community concerning health and safety at the workplace are such that there will, of necessity, be some constraint on civil liberties and, particularly, an intrusion into the privacy of employees. That the employer’s obligations with respect to health and safety may warrant encroachment on individual privacy rights is also demonstrated by the reasoning of the Full Court in Grant v BHP Coal Pty Ltd.71

[121] While maintaining that employees consent to providing the vaccination information, if, contrary to the Respondents’ submissions, the Commission considers that the quality of the consent is insufficient to comply with the Privacy Act, then it is submitted that it is unreasonable or impracticable to obtain such consent. This is because the SAR necessarily involves a choice of the kind that the Full Bench identified in Mt Arthur Coal at [220] and depends on the collection of vaccination information. Further, if the fact of the choice vitiates consent, then it will necessarily be impossible to collect the vaccination information consensually.

[122] Additionally, the Respondents reasonably believe 72 that the collection of vaccination information is necessary to lessen or prevent a serious threat to the life, health or safety of every employee, as well as being necessary to public health and safety more generally. The reasonableness of this belief is made out by the findings of fact in Mt Arthur Coal at [29], regarding COVID-19. The Respondents also referred to the decision of Commissioner Simpson in Kieran Knight v One Key Resources (Mining) Pty Ltd T/A One Key Resources73 where it was considered that the section 16A exemption was likely to apply to questions asked of employees as to their recent travel, in the context of protecting the health and safety of workers in response to the COVID-19 pandemic. The Commissioner also held that the direction to provide that information was lawful and reasonable.74

[123] Section 16A of the Privacy Act was also considered in Dodson v Information Commissioner. 75 The Respondents submit that in that case, the applicant complained to the Office of the Australian Information Commissioner that her employer breached her privacy by disclosing her name and address to police and requesting they perform a welfare check. The employee’s consent was not sought. The Commissioner declined to investigate the complaint further on the basis that section 16A of the Privacy Act applied, because:

● The employer had formed an objectively reasonable belief that the employee was at risk of self-harming, based on an email she had sent to the employer; and

● It was impracticable or unreasonable to obtain the employee’s consent in that instance, because of the urgency of the situation.

[124] The matter came to the Federal Circuit Court as an application for judicial review. Vasta J dismissed the application. His Honour was satisfied that it was “well and truly” open to the Commissioner to decide that section 16A applied. The Respondents submit that the Commission would take a similar approach to the application of section 16A cases and conclude that the exemption is engaged.

[125] Finally, and in any event, the Respondents submit that even if there was a breach of the Privacy Act, it would not render the SAR either unlawful or unreasonable. Rather, it would constitute an interference with the privacy of the person: section 13 of the Privacy Act. The remedy would be a complaint to the Information Privacy Commissioner.

[126] The Respondents also submit that Mt Arthur Coal should be taken to have authoritatively decided that compliance with the Privacy Act does not inform the lawfulness of the Mt Arthur SAR. Having left open the question of whether the Mt Arthur SAR complied with the Privacy Act, the Full Bench held that the Mt Arthur SAR was prima facie lawful, and then stated:

“Provided Mt Arthur commences its consultation with the Employees in a timely fashion, we expect that Mt Arthur would be in a position to make a decision about whether to impose the Site Access Requirement at the Mine prior to 15 December 2021.”  76

[127] The position taken by the Full Bench was necessarily predicated on a view that the issue of compliance with the Privacy Act, regardless of how it might be resolved, could not bear on the lawfulness (and, for that matter, the reasonableness) of the Mt Arthur Site Access Requirement. Were that not so, Mt Arthur would never have been in a position to decide to impose the Mt Arthur Site Access Requirement, no matter how extensively it consulted. For the reasons given above, the same reasoning applies to the Queensland Site Access Requirement.”   

[128] The Respondents submit that a further reason that any non-compliance with the Privacy Act would not make the SAR unlawful or unreasonable, is that the requirement itself is simply that employees be vaccinated as a condition of site entry. The requirement to provide the Vaccination Information is adjunctive to the SAR. It is also submitted that a finding (contrary to the Respondents submissions) that in obtaining the vaccination information, the Respondents breached the Privacy Act, would not affect the validity of the Respondents’ requirement that its employees be vaccinated as a condition of site entry. This would lead to the absurd (and unsafe) situation that the employer would be unable to enforce the SAR. That consequence should be avoided.

[129] In oral submissions, Mr Neil for the Respondents emphasised findings of the Full Bench in Mt Arthur Coal that the SAR in that case did not constitute coercion in a legal sense, and that consent is not vitiated by the fact that the SAR involves social or economic pressure. 77 While those findings were made in relation to the bodily integrity issue, the Respondent submitted that they are also relevant to consent for the purposes of the Privacy Act, on the basis that in both circumstances, consent is vitiated by coercion in a legal sense. The thrust of the Applicants’ argument in the present case is that consent that is given in the face of social and economic pressure is not really consent, and the decision in Mt Arthur Coal is against that proposition and is authoritative and binding. That is the end of the argument in relation to APP 3.3.

[130] In relation to APP 3.3.(1)(ii), the Applicants’ argument is that it is not reasonably necessary for the Respondents to collect information about the vaccination status of employees because it would be sufficient to for the Respondents’ functions or activities, if employees were to present their vaccination certificates to be sighted on entry. That argument breaks down on two levels: first, the question under 3.3(a)(ii) is not whether the collection of the information is reasonably necessary for the entity’s functions or activities, but whether the information itself is reasonably necessary. In this regard, the chapeau to the whole provision – “An APP entity must not collect sensitive information unless” – directs attention to the collection of the information. The chapeau to (a) – “the individual consents to the collection” – makes clear that the consent is to the collection of the sensitive data, while (ii) makes clear that the reference to “reasonably necessary” attaches to the information, rather than the manner of its collection. As a result, the statutory question is whether the information has the quality of being reasonably necessary for one or more of the entity’s functions or activities, not whether the collection has that quality.

[131] There is no issue in the present case that the information about the vaccination status of employees is reasonably necessary for the Respondents’ functions or activities. Further, there is nothing that is more clearly a function or activity than something an entity is obliged by statute to do. Without that information, the Respondents cannot discharge their statutory or common law responsibilities for the health and safety of people in their workplaces. Accordingly, arguments about whether the information should be collected or the mode of collection, are beside the point under APP 3.3(a)(ii). In response to questions from me about the content of the information that was being sought by the Respondents and whether all such information was reasonably necessary for their functions or activities, Mr Neil made the following points:

•  The information is required to verify the vaccination status of employees;

•  There have been four cases of suspected provision of fraudulent information under investigation and two have been substantiated;

•  Fraud was detected in those cases because the nominated vaccine and the dates on which it was said to have been received were too close and it was this information which enabled fraud to be detected;

•  Looking at details on the actual vaccination certificate indicates irregularities with font and setting out;

•  Documents which do not show the type of vaccination and the date it was received do not contain sufficient information to enable cross-checking against immunisation registers if necessary because the number on documents relates to the document only rather than the information upon which it is based; and

•  The dispute before the Commission as presently constituted does not require that a decision is made as to the validity of the method adopted by the Respondents and not as to whether another method of verifying vaccination status should be adopted.

[132] In relation to the second level at which the Applicants’ argument breaks down, it was submitted that if the Respondents simply sighted the vaccination records of employees on each occasion they entered a site, then no record of any kind would be made of the fact that information had been sighted. The Applicants are postulating that the Respondents should give somebody the responsibility of sighting the vaccination information of people entering the workplaces. The impracticability of this proposal was said to rise to impossibility, when it is considered that every mode of ingress to the sites would be required to be covered and a forensic inspection conducted of vaccination information on every occasion that employees entered the sites. Mr Neil submitted that it is axiomatic that safety depends on records and the integrity of the system would be undermined not only by fraud, but by the possibility of unvaccinated people slipping through. In response to the proposition that there was no need for verification until the provision of fraudulent information was discovered or suspected, it was submitted that by this time, an unvaccinated person could have entered the site by which time: “[t]he horses on which the virus arrived would have bolted”. In response to the hypothetical question posed as to why information that is accepted to get into the Blackwater Hotel is not accepted in order for employees to access the Blackwater Mine, Mr Neil said:

“The answer to that hypothetical question, in our submission, lies in two points of distinction between the Blackwater Hotel and the respondents' workplaces.  One, the relationship between the Blackwater Hotel and its patrons is not one of employment, and not one that has all the statutory and common law obligations that a relationship of employment entails, including the Coal Mining Safety and Health Act.

The second point of distinction, the Blackwater Hotel's patrons are not fellow employees.  They do not have the statutory obligations to protect their own health and safety and those of the people who come into contact with them that the respondents' employees have to themselves and their work mates.  That's why there is a distinction, and a valid distinction, between the Blackwater Hotel and our work site.” 78 

[133] If the Commission finds that the pressure that inheres to the site requirement vitiates consent, the Respondents’ first fall-back position is that subparagraph (a) in column 3 of item 1 in clause 16A is met on the basis that it is impractical to obtain consent. This is because pressure, which is the very thing that upon acceptance of the Applicant’s argument undermines consent, is a necessary and inevitable part of the SAR. Such a requirement could not operate other than universally. A SAR which allows people who do not meet its requirements to access the site, would not be effective.

[134] The second and final fall-back position put by the Respondents is that if, contrary to the Respondents’ submissions, there is a contravention of the Privacy Act, that does not make the SAR unlawful or unreasonable. In this regard, the Respondents submit that having left the question of compliance with the Privacy Act open, the Full Bench in Mt Arthur Coal found that the SAR was not prima facie unlawful and could only have done so, if compliance with the Privacy Act, one way or the other, could not have affected the lawfulness of the SAR. Having identified deficiencies in consultation as being the most telling and the major consideration against the unreasonableness of the Mt Arthur SAR, the Full Bench went on to say it expected that if consultation was conducted in compliance with s. 47 of the Work Health and Safety Act 2011 (NSW) then Mt Arthur would be in a position to make a decision to introduce and implement the SAR. The Full Bench could only have done so if compliance or otherwise with the Privacy Act would not be an impediment to the introduction of the SAR in that case.

Consideration

Contextual and background matters

[135] I accept the Respondents submissions that the findings of fact set out by the Full Bench in Mt Arthur Coal at [29] are manifestly correct. I also accept that those findings should be applied mutatis mutandis in the present case, for the following reasons. In addition to being manifestly correct, the findings were made by a Full Bench constituted of five Members of the Commission which conducted a hearing, albeit in a time frame where the dispute was required to be determined quickly and that the Full Bench decided it was not necessary to canvas all matters raised in the submissions. The Full Bench had the benefit of evidence, including from Professor Marylouise McLaws, Professor of Epidemiology, Hospital Infection and Infectious Diseases Control, University of New South Wales. While I note that the Unions have reserved their positions in relation to challenges to these findings in any future proceedings, no challenge is presently made to the correctness of the findings of fact set out in the Mt Arthur Coal decision.

[136] The factual circumstances in relation to the COVID – 19 Pandemic against which the Full Bench decided Mt Arthur Coal have become more acute. The only constant of the Pandemic is the rapid shifts in the threats it poses. Matters foreshadowed by the Full Bench have eventuated including the increase in infection rates as borders open, exacerbated by the spread of the more infectious Omicron strain of the virus. To this could be added difficulties associated with COVID – 19 testing, including access to various means of testing such as PCR testing and RAT. Even if such testing was more widely or readily available in future, it is strongly arguable that it could at best, supplement rather than replace vaccination, as a control measure. This is particularly so given the findings of fact by the Full Bench in Mt Arthur Coal that Vaccination provides constant protection and other measures such as mask-wearing and social distancing do not provide a substitute for vaccination. Vaccination is and will continue to be, the most effective and efficient control available to combat the risks posed by COVID – 19 for the foreseeable future.

[137] Higher rates of vaccination do not remove the risk of COVID – 19 infections for unvaccinated workers because unvaccinated workers are at risk of catching COVID – 19 from other unvaccinated workers and fully vaccinated workers can acquire and transmit COVID – 19 to others. Unvaccinated people are more likely to acquire COVID-19 compared with vaccinated people. Further, unvaccinated workers on work sites increase the risk of spreading COVID-19 to vaccinated workers and other unvaccinated workers. In turn, those persons are at risk of spreading COVID- 19 outside workplaces including to their families and friends and other persons they encounter in their daily lives.

[138] To these findings I would add the following matters. The Mt Arthur Coal case concerned a SAR at one coal Mine in New South Wales. The present case concerns Coal mine workers employed by the Respondents at some 14 sites in Queensland including some 12 coal mines. It is common knowledge that many coal mine workers do not reside at locations near the mines at which they work but instead, travel regularly to and from mine sites to their homes and back, to complete cycles of work. A variety of travel methods are used including “fly in fly out”, “drive in drive out” or workers being transported by buses – “bus in bus out”. Even where workers provide their own transport and drive themselves, they may share transport with other workers. Some coal mine workers travel between mine sites to perform their work, particularly those employed by contractors. The Respondents do not have a direct employment relationship with employees of contractors and site access requirements remain an effective measure to manage risks associated with the spread of COVID – 19 because those requirements can be implemented with respect to all persons who enter regardless of the purpose of the entry.

[139] Coal mine workers including those employed by the Respondents in Queensland and those employed by contractors, who do not live locally, reside in camp style accommodation, sharing mess and recreational facilities. It is common that workers who reside at camp accommodation do not have dedicated rooms and are assigned a different room on each occasion they are rostered on, so that the room will have been vacated by another worker who is rostered off. Camp accommodation is operated by workers who are not directly employed by the Respondents and who also may travel to and from their homes to undertake their work. Coal mine workers – whether they reside locally or commute – use facilities in regional communities including sporting and recreational facilities, retail outlets, clubs and hotels.

[140] The Respondents are significant employers in regional centres and play an important role in regional economies by virtue of their own activities and those of the coal mine workers the Respondents employ or engage. As operators of coal mines and employers, the Respondents have wide ranging obligations to ensure the safety and health of coal mine workers and those workers have obligations to other workers to ensure health and safety. As corporate citizens, coal mine operators have responsibilities to the communities in which they operate. As residents of, or visitors to, those communities, coal mine workers have responsibilities to minimise risks to others in the communities in which they work and reside – either temporarily or permanently.

[141] The object and purpose of the SAR is to protect the health and safety at work of the Respondents’ employees and other people at mine sites and I accept that the SAR is directed to that object. I am also of the view that an additional effect of the SAR will be the protection of other persons in communities and networks in which the Respondents and coal mine workers are involved.

[142] The Respondent in the Mt Arthur Coal case is a member of the BHP Group of Companies, as are the Respondents in the present case. The content of the SAR under consideration in the present case is materially identical to that considered by the Full Bench in Mt Arthur Coal and I accept the Respondents’ submission that there is material basis on which to distinguish them. The circumstances in which the SAR will operate at Queensland mine sites are substantially the same, with the exception that they are now more acute given the increase in infections in Queensland and elsewhere since Mt Arthur Coal was decided. I also note that positive cases of COVID – 19 have been identified at the Respondents’ Queensland Mines. There is every likelihood that the acuity will increase as will the number of cases detected in the Respondents’ operations. Another difference is the fact that the SAR in the present case will operate across multiple sites while the Mt Arthur SAR operated with respect to a single site. In my view, this adds further weight to the rationale for its implementation as a safety and health mechanism to combat the effects of the COVID – 19 Pandemic on the Respondents’ Queensland workforce and operations.

[143] I also accept that the Full Bench in Mt Arthur Coal made findings of a legal character which should be followed in the present case. While the Commission is not bound by the doctrine of precedent, as a matter of policy and sound administration, Full Bench decisions relating to an issue to be determined by a single Member of the Commission, have been followed, in the absence of cogent reasons for not doing so. It is also well established that failure by a single Member of the Commission to follow an authoritative Full Bench decision is a fundamental and serious error of principle. 79 The are no reasons for not following the Full Bench Decision in Mt Arthur Coal and the matters I have canvassed compel consistency of approach.

[144] In Mt Arthur Coal the Respondent accepted that there is a common law right to bodily integrity and makes the same concession in the present matter. It is also accepted that the Respondents have obligations under the Privacy Act and that the SAR and the direction that underpins its implementation, provides for the Respondents to collect sensitive information about employees for inclusion in a record. There is no evidence about objections that individual employees may have based on their rights under the Privacy Act or to bodily integrity. The only information I have, which is anecdotal, is that some 60% of employees have complied with the direction and the remaining employees have not. The basis upon which 40% of the Respondents’ workforce has not complied is unknown.

[145] For the purposes of deciding the question upon which the parties seek a Recommendation, and without making a finding about this matter, I accept that some 40% of employees who have not complied with the direction on the basis of one or other of the matters within the scope of the question – either concerns about rights under the Privacy Act or associated with the right as an individual to choose what occurs with respect to their own person, referred to as a right to bodily integrity. I also note the submission of the Unions to the effect that the Privacy Act issue may also concern employees who gave consent in circumstances where they did not wish to do so. It is convenient to commence by considering the bodily integrity issue.

Bodily integrity issue

[146] In Mt Arthur Coal, the Full Bench dealt with a contention by Union Interveners (including the AMWU and the CEPU) that the Mt Arthur SAR “at least impacts upon the choice of an individual to undergo a medical procedure” and hence engages the common law right to personal and bodily autonomy and integrity. 80 In relation to this right, the Full Bench cited the judgement of Mason CJ, Dawson, Toohey and Gaudron JJ in Secretary, Department of Health and Community Services (NT) v JWB and SMB (Marion’s Case),81 which identified a “right in each person to bodily integrity [t]hat is to say, the right to an individual to choose what occurs with respect to his or her own person’.82 The Full Bench observed that Marion’s Case concerned the power of the Family Court to authorise a medical procedure where there was no capacity for the person concerned to consent, and was determined in circumstances where medical procedure undertaken without consent is a violation of the right to bodily integrity and prima facie an assault.⁸³ The Full Bench said (citations omitted):

[218] The existence of such a right is uncontroversial but the right is not violated by the terms of the Site Access Requirement. Unlike the circumstances in Marion’s Case, the Site Access Requirement does not purport to confer authority on anyone to perform a medical procedure on anyone else. As Beech-Jones CJ at CL said in Kassam v Hazzard:

‘It can be accepted that there is room for debate at the boundaries of what external factors might vitiate a consent to medical treatment so as to render the treatment a battery and a violation of a person’s right to bodily integrity. [...] People may choose to be vaccinated or undertake some other form of medical procedure in response to various forms of societal pressure including a law or a rule, an employment condition or to avoid familial or social resentment, even scorn. However, if they do so, that does not mean their consent is vitiated or make the doctor who performed the vaccination liable for assault. So far as this case is concerned, a consent to a vaccination is not vitiated and a person’s right to bodily integrity is not violated just because a person agrees to be vaccinated to avoid a general prohibition on movement or to obtain entry onto a construction site. Clauses 4.3 and 5.8 of [Public Health (COVID-19 Additional Restrictions for Delta Outbreak) Order (No. 2) 2021 (NSW)] do not violate any person’s right to bodily integrity any more than a provision requiring a person undergo a medical examination before commencing employment does.’ [Emphasis added]” 84

[147] The Full Bench noted the acceptance by the Union Interveners that the SAR does not, itself, force any employee to undergo vaccination and it remains open to an employee to decline to become vaccinated. The Full Bench also noted that the Union Interveners argued that the failure of an employee to become vaccinated will have consequences for employment, most likely termination, and imposed a practical compulsion to get vaccinated for an employee to retain employment. the Full Bench also noted the Respondent’s acknowledgement that absent medical contraindications, employees had a choice between being vaccinated and continuing to be employed. The Full Bench went on to hold that:

[222] While we would demur from the proposition that the Site Access Requirement constitutes coercion in the legal sense, we accept that it is a form of economic and social pressure.

[223] The practical effect of the Site Access Requirement is to apply pressure to employees to surrender their bodily integrity (by undergoing medical treatment) in circumstances where they would prefer not to do so. In our view, this is plainly a relevant matter in assessing the reasonableness of the direction. However, we also accept that this factor is not determinative of the question of reasonableness; it is a consideration to be weighed in the balance with the other relevant considerations.

[148] In relation to this finding, the Full Bench cited with apparent approval, the submission of Counsel for Mt Arthur Coal to the effect that while the Company acknowledges that every worker on the mine has a right to bodily integrity, that right must, in every case, be balanced against other rights. 85

[149] In the present case, the Unions do not contend that the SAR is unlawful on the basis that it violates the common law right to bodily integrity. The submission advanced by the Unions is that the significant pressure exerted on employees to forfeit their right to bodily integrity, is a matter which weighs against a conclusion that the SAR is a reasonable direction. Further, it is not contended that the bodily integrity issue, considered alone, should result in the Commission concluding that the SAR is not lawful and reasonable. Rather, it is submitted that the pressure on employees with respect to surrendering their bodily integrity, considered alongside the Respondents’ breaches of the Privacy Act leads to a conclusion that the direction is unreasonable. Accordingly, the Recommendation should conclude that the SAR is not a lawful and reasonable directing having regard to the Privacy Act and the right to bodily integrity.

[150] For reasons set out above, it is appropriate to apply the conclusions of the Full Bench in Mt Arthur Coal to the present case. It follows that the effect of the SAR on the rights of employees to bodily integrity, does not result in the SAR being unlawful and is not, of itself, determinative of whether the SAR is unreasonable. It is necessary to consider whether the SAR violates rights of employees under the Privacy Act and whether it is unlawful or unreasonable on that basis including in combination with its effect on the right to bodily integrity.

Privacy Act issue

Overview

[151] For the purposes of the Recommendation, in relation to the Privacy Act issue, the starting point is whether the employees from whom information is proposed to be collected, consent to the collection, as required by APP 3.3(a).

[152] It is clear from the material before me that individual employees have been more than adequately informed about relevant matters pertaining to consent identified in the APP and relevant guidance issued by the OAIC. Explanations provided to employees include why the Respondents need to collect the information and what it will be used for. Consultation has been extensive and comprehensive, and the Respondents have utilised multiple methods of disseminating information. Employees have also received explanations about how the information is proposed to be collected and stored including safeguards relating to confidentiality. There has been consultation about issues, concerns and suggestions raised by employees. There is no suggestion in the case of employees who have given consent (or have complied with the request to signify their agreement to providing the information) that the consent is not current and specific. Nor is it in dispute that any relevant employee has capacity to understand and communicate their consent.

[153] The issue in dispute is whether, in circumstances where employees are liable to termination of their employment for refusal to provide the information sought in the manner required, any consent they may give (or have given) to provide the vaccination information pursuant to the direction, is vitiated because it is not voluntary or it is the result of coercion or duress.

Consent

[154] By virtue of s. 15 of the Privacy Act the Respondents must not do an act or engage in a practice that breaches an Australian Privacy Principle (APP). For present purposes, the Privacy Principle asserted to have been breached is APP 3.3 which deals with the subject of sensitive information, by providing that organisations must not collect sensitive information about an individual unless the requirements set out in APP 3.3(a) and 3.3(a)(ii) are met. As previously discussed, it is common ground that the SAR and direction requires that employees provide sensitive information which is collected by the Respondents or a related entity. As a result, the acts or practices associated with the implementation of the SAR are caught by s. 15 of the Privacy Act unless APP 3.3 applies so that those acts or practices are excluded.

[155] APP 3.3 has two limbs, or requirements that must be met, for the exclusion to operate. The limbs are linked by the conjunction “and’ requiring that both must be satisfied to exclude the relevant act or practice. The first limb, found in APP 3.3(a) is that the individual consents to the collection of the information. For the purposes of AAP 3.3, “consent” means express or implied consent.

[156] The Unions contend that the Respondents’ submissions in relation to consent, conflate the issue of vitiation for the purposes of establishing rights to bodily integrity, with the content of a statutory requirement that consent be obtained from a person before their sensitive information is collected, for the purposes of APP 3.3. I do not accept that submission. As the Respondents point out, for the purpose of legal definition, consent is consent. The same comment could be made in relation to duress.

[157] It is true that the notion of consent depends on the context in which it is invoked, and the degree or form of consent may differ depending on the subject matter of that which is being consented to. It is also true that it may be unsafe to translate what has been held in relation to consent in one context, to another. 86 However, the principles which inform a decision as to whether consent is vitiated by coercion or duress, have general application. In the present case, the coercion upon which the Unions rely in support of the arguments in relation to both the Privacy Act issue and the bodily integrity issue, is said to stem from the same source – the SAR. Further, regardless of whether the failure or refusal of employees to comply with the direction is because of concerns in relation to the Privacy Act or bodily integrity or both, the implications of non-compliance – disciplinary action including termination of employment – are the same.

[158] For these reasons, I accept that the findings of the Full Bench in Mt Arthur Coal in relation to coercion and the cases from which they were derived, have relevance to consent for the purposes of deciding the Privacy Act issue, notwithstanding that they were made in the context of the bodily integrity issue, that the Full Bench also considered.

[159] The CFMMEU and the CEPU contend that consent of employees to provide sensitive information, is vitiated by threat of discipline or termination of employment. The Unions rely on the decision of a Full Bench of the Commission in Lee v Superior Wood Pty Ltd 87 (Lee) and contend that I should apply the findings in that decision in the present case. The Unions also contend that consent in the present case is not valid, because employees who wish to convey their vaccination status have no alternative to do so, other than by methods which involve the collection of sensitive information and violate their rights under the Privacy Act. The AMWU contends that any consent given pursuant to the SAR and related direction is not voluntary because there is duress, coercion and pressure that overpowers a person’s will.

[160] I do not accept those arguments. The decision of the Full Bench of the Commission in Lee can be distinguished based on the facts in that case. Mr Lee, the Appellant in that case, was dismissed because he did not comply with a Site Attendance Policy by refusing to use newly introduced fingerprint scanners to sign on and off for work at the site. Mr Lee had earlier objected to the direction by advising the employer that he considered that the biometric data contained within his fingerprint was sensitive personal information and that Superior Wood was not entitled to require that information from him.

[161] In support of their arguments, the Unions rely on the following finding by the Full Bench in Lee in relation to the direction that the Appellant in that case provide his biometric data:

[58] For the reasons set out above, we consider the direction to Mr Lee to submit to the collection of his fingerprint data, in circumstances where he did not consent to that collection, was not a lawful direction. Moreover, we consider that any ‘consent’ that he might have given once told that he faced discipline or dismissal would likely have been vitiated by the threat. It would not have been genuine consent. Given this finding, it is not necessary to consider whether the direction was reasonable. Nonetheless had it been necessary to do so we conclude the direction was unreasonable. A necessary counterpart to a right to consent to a thing is a right to refuse it. A direction to a person to give consent does not vest in that person a meaningful right at all. Such a direction is in the circumstances of this case, unreasonable. It was not a valid reason for dismissal. (Emphasis added) 88

[162] It is clear from that passage that the finding of the Full Bench that the direction to the Appellant to provide his fingerprint was not lawful, was predicated on earlier findings, indicated by the fact that the paragraph in which the finding is stated, commences with the words: “For the reasons set out above”. The matters set out above the paragraph, which constitute those reasons include, in addition to the Appellant’s objection to providing the data, that the employer breached the Privacy Act by failing to:

•  have a privacy policy as required by APP 1;

•  issue a Privacy Collection Notice to employees as required by APP 5; and

•  notify the Appellant of matters in APP 5 including about complaints he might have made in relation to privacy.

[163] It was also the case that there were doubts about the security of the data to be collected because of failure on the part of the organisation responsible for its collection and storage, to comply with relevant provisions of the Privacy Act. Further, the Full Bench found that the evidentiary basis for concluding that the Appellant’s biometric data was reasonably necessary for the employer’s functions or activities, was not compelling, and was instead administratively convenient. Accordingly, it is questionable whether the requirement in APP 3.3(a)(ii) would have been met even if the Appellant consented to the collection of the relevant information. As the requirements in APP 3.3(a) and 3.3(a)(ii) are conjunctive, the collection of the information would have been in breach of the Privacy Act if either of those requirements was not met. Further the employer in that case had not identified other options and had not considered such options.

[164] Given those findings, it is doubtful the Appellant could have validly consented to the collection of his private information for the purposes of the Privacy Act. The finding of the Full Bench that consent the Appellant might have given once told that he faced discipline or dismissal would “likely have been vitiated by a threat to dismiss”, was made in the context of the earlier findings. The finding in relation to consent is not definitive as indicated by the term “likely”. Further, the finding in relation to the unreasonableness of the direction was similarly qualified on the basis that the Full Bench observed that it was not necessary to make the finding, and that it was indicative of what it would have found, if required to make such a finding. The finding that the direction was unreasonable was further qualified by the indication that it was made “in the circumstances of this case”. 89 Thus the finding of unlawfulness was based on failure to comply with notification and other procedural requirements of the Privacy Act while the finding of unreasonableness was limited to matters related to consent.

[165] It is also the case that a subsequent Full Bench, which dealt with a second appeal by Mr Lee against a decision in relation to remedy 90 made by a Member of the Commission to whom the first Full Bench remitted the matter, made the following observations about the decision of the first Full Bench:

“The evidence is also that Superior Wood introduced the scanner system following legal and other advice. Ultimately, the Full Bench in the first appeal took a different view about the operation of the Privacy Act and found that in relation to Mr Lee, who had objected to the use of the scanner and expressly did not give his consent to the biometric scanner, the direction to comply with the policy was not a lawful and reasonable direction. We observe that the first appeal decision did not find that the Policy was itself unlawful and this is a point correctly identified by Commissioner.” 91

[166] In the present case, there is no issue of lack of compliance in respect of any of the requirements of the Privacy Act in relation to the matters such as those that were identified by the first Full Bench in Lee. It is not disputed that the Respondents have met all their obligations under the Privacy Act and that the only issues in dispute are those that are the subject of these proceedings. Further, in contrast with the factual situation in Lee the Respondents in the present case have extensively consulted with the Unions and employees about the implementation of the SAR. Finally, the Full Bench in Mt Arthur Coal neither endorsed nor disavowed the correctness of the conclusions in Lee and simply observed that the decision was not relied on by any party and nor was the correctness or otherwise of that decision subject to comment by the parties. This is consistent with my view that the decision in Lee turns on its own facts and is of limited relevance in circumstances of this case and the matters that were decided in Mt Arthur Coal.

[167] Applying the findings of the Full Bench in Mt Arthur Coal in relation to coercion to the present case, the SAR does not, itself, force employees provide sensitive information to any APP entity, and it remains open to employees to decline to do so. To paraphrase the findings of the Full Bench in Mt Arthur Coal in relation to consent in the context of bodily integrity, the effect of the SAR in relation to the Privacy Act issue, is that employees who fail to provide the required evidence of vaccination face disciplinary action up to and including the termination of their employment. This is a threat to both the economic position of employees who do not comply with the direction and those dependent on them, and to the dignity and self-worth that comes from employment.

[168] As a result, the practical effect of the SAR is to apply pressure to employees to surrender their rights under the Privacy Act by providing relevant staff of the Respondents with personal information that is sensitive, in that it is health information about their vaccination status. When employees upload the information or provide it to the Respondents’ staff, consistent with the processes prescribed in the SAR, they do so on the basis that this action signifies their consent to the providing the information for collection by the Respondent. Accordingly, the SAR does not purport to confer authority on the Respondents to collect the sensitive information of employees if they do not consent to provide that information.

[169] The passage in the judgement of Beech-Jones CJ at CL in Kassam v Hazzard 92, referred to by the Full Bench in Mt Arthur Coal is equally apposite in relation to consent to provide sensitive information. The effect on a construction worker of being prevented from working on a particular site, because of a choice not to be vaccinated, is analagous to the effect on employees who face termination of their employment for non-compliance with a direction to establish their vaccination status before entering the site. Conversely, just as the consent of construction workers to be vaccinated to obtain entry onto a construction site is not vitiated, neither is the consent of coal mine workers to provide sensitive information to establish their vaccination status, to obtain entry to a mine site. This is the case notwithstanding that the source of the pressure is the employer.

[170] The finding of the Full Bench in Mt Arthur Coal that economic and social pressure related to the SAR is not coercion in a legal sense is applicable to other circumstances where there is economic pressure on employees in relation to a right. If economic and social pressure created by the Mt Arthur SAR is not coercion in the legal sense for the purposes of the right of employees to bodily integrity, pressure of the same kind created by the SAR in the present case, is not coercion that vitiates consent of employees to provide sensitive information to establish vaccination status.

[171] To the extent that the SAR is a form of economic pressure, it does not in my view amount to economic duress of the kind that could vitiate consent. While the cases in relation to economic duress deal with contractual matters, the principles are instructive. Essentially, economic duress requires conduct that goes beyond what the law is prepared to countenance as being legitimate or unconscionable conduct or conduct of a similar kind. 93 While I accept that employees faced with a direction that requires them to consent to providing sensitive information on the basis that if they do not do so their employment will be terminated, have a difficult decision to make, I do not accept that this constitutes coercion or duress of the kind that vitiates consent or results in consent not being legally effective.

[172] I am also of the view that consistent with the conclusion of the Full Bench in Mt Arthur Coal in relation to bodily integrity, the fact that the effect of the SAR is to apply pressure to employees to consent to providing sensitive medical data to their employers, is a relevant, but not determinative matter, in relation to assessing the reasonableness of the direction, in all the circumstances.

[173] I do not accept the argument advanced by the Unions that consent in the present case is not, or cannot be, valid because employees who wish to convey their vaccination status have no alternative to do so, other than by methods which violate their rights under the Privacy Act. First, neither of the methods by which the direction requires employees to convey their vaccination status, violates the rights of employees under APP 3.3(a) that their sensitive information will not be collected unless they consent.

[174] In relation to APP 3.3(a), based on the submissions of the parties and the material tendered in support of those submissions, I am satisfied that employees by adopting either of the methods provided for in the SAR to verify their vaccination status, consent to providing their sensitive information and for that information to be collected within the meaning of the relevant definitions in s. 6 of the Privacy Act. Employees are specifically told that when they upload the information or provide it to the Respondents’ staff, consistent with the processes prescribed in the SAR, they do so on the basis that this action signifies their consent to the providing the information for collection by the Respondent. Employees are fully informed, about the rationale for the direction that they are full vaccinated, the reasons the Respondents are seeking to collect their sensitive information, the use that will be made of that information and the processes by which the Respondents will ensure that it is held securely. Employees are also informed that their sensitive information will be used only for the purpose that has been advised to them and the safeguards in the system for holding the information that will ensure this.

[175] Employees are also informed of the implications of providing, or not providing, the information and that if they choose to do so, they are entitled to change their position at any time in the future. The choice is also exercised in circumstances where the employees concerned are coal mine workers, who know, or should reasonably know, that they have rights and obligations under the Coal Mine Safety and Health Act. I acknowledge that the choice as to whether to comply with the direction or not, may be difficult for persons who hold strong views about the privacy of their sensitive information and that a decision not to provide the information will almost certainly result in the termination of their employment. However, the fact that employees are faced with a difficult choice, does not, in the circumstances, constitute effective lack of choice. Nor does it constitute duress or coercion that vitiates or invalidates the choice.

[176] To the extent it is relevant to whether employees have consented to the collection of sensitive information as provided in APP 3.3(a), I do not accept that the alternative proposed by the Unions for verification of vaccination status is reasonable. Neither do I accept that the methods proposed by the Respondents are unreasonable, much less that they are “curious” as asserted by the CFMMEU and the CEPU. It is also apparent from the material tendered by the Respondents, including minutes of State level and site consultation meetings, that alternatives to the direction proposed by employees and the Unions were considered as part of an extensive consultation process. For reasons set out below, I am also satisfied that it was not unreasonable for the Respondents to reject the alternative methods proposed by Unions and employees during the consultation process, including the proposal canvassed in these proceedings.

[177] In those circumstances, there is no basis to find that the existence of alternative methods of collecting the sensitive information bears in any way on the validity of consent. It follows that the requirement in the first limb of APP 3.3 has been met. The reasonableness of the direction and the proposal advanced by the Unions as an alternative, are matters to which I will return when considering the second limb in APP 3.3 as to whether the information is reasonably necessary for, or directly related to, one or more of the Respondents’ functions or activities.

Reasonable necessity or direct relationship of information to functions or activities

[178] The second limb of APP 3.3 requires that the sensitive information for which consent to collection has been provided by employees, is reasonably necessary for, or directly related to, one or more of the Respondents’ functions or activities – APP 3.3(a)(ii). As the Respondents submit (in my view correctly), the second limb is concerned with whether sensitive information that is collected is reasonably necessary for, or directly related to, one or more of the Respondents’ functions or activities and not whether the method of collection per se is reasonably necessary for, or directly related to, such functions or activities. Nor is the second limb concerned with whether the method of collection is reasonable in a general sense. That this is the proper construction of APP 3.3 was not seriously contested in the proceedings. On the basis that a plain reading of the provision makes its meaning clear, I do not intend to embark on a construction exercise, but rather accept the construction advanced by the Respondents and the arguments in support of that construction.

[179] The contentions of the Unions that the vaccination information does not meet the requirement in the second limb of APP 3.3 were advanced on several bases. The CFMMEU contended that the “curious methods” proposed by the Respondents to verify vaccination status, invite consideration of whether the test of “reasonable necessity” is met. In this regard, the CFMMEU submits that APP 3.3 is not concerned with whether the vaccination requirement is reasonably necessary, but rather, whether the collection of sensitive information is reasonably necessary. It is not clear whether this proposition restates the proposition advanced by the Respondents, but as I have noted, issue was not taken with the Respondents’ proposition, in submissions in reply of the CFMMEU and CEPU made after the Respondents’ oral submissions.

[180] If the proposition advanced by the CFMMEU is that the collection of the sensitive information must be reasonably necessary for, or directly related to, one or more of the Respondents’ functions or activities, then I do not accept it. As previously stated, it is the information itself that must meet this description.

[181] The CFMMEU and the CEPU also contend that there are other alternative methods which are suitable and would comply with the Privacy Act. It is asserted that the existence of such alternative methods demonstrates that the methods nominated by the Respondents are not reasonably necessary. The Unions also take issue with the extent and content of the information the Respondents require to verify the vaccination status of employees for the purposes of the SAR asserting that it travels beyond the vaccination status of employees. I first consider the extent and content of the vaccination information required by the Respondents.

[182] As previously discussed, there are four sources of information that the Respondent will accept as verification vaccination status. The critical point of distinction between the documents that will be accepted by the Respondents, and those which will not be accepted, is in addition to the name of the employee, the employee’s date of birth and the date the Certificate is valid from, that the acceptable forms of proof include vaccine type, both vaccine dose dates and the document number.

[183] The Unions’ proposal for an alternative method of verifying vaccination status, is that employees who do not consent to providing the information required by the Respondents, be permitted to verify their vaccination status, by showing their QR Check-in App displaying a green tick, to obtain entry to the site. The Unions assert that the information on the documents, is not reasonably necessary for, or directly related to, one or more of the Respondents’ functions or activities.

[184] I do not accept those submissions. To the contrary, I am satisfied and find, that the vaccination information is reasonably necessary for one or more of the Respondents’ functions or activities, for the following reasons. The SAR has as its object and purpose, the fulfillment of the Respondents’ statutory and common law functions in respect of the health and safety of employees. Specifically, the SAR, has been implemented to lessen or prevent a serious threat to the life, health and safety of individuals on the Respondents’ sites and to public health and safety. These are matters with which the Respondents are vitally concerned, as employers and corporate citizens. It is also a matter with which employees are vitally concerned as coal mine workers who owe duties to themselves and other coal mine workers in relation to safety and health.

[185] The SAR is intended to operate as part of a COVID – 19 Controls Framework now and in the future. In this regard, the sensitive information the Respondents seek to collect, is intended to assist in planning for the future including the escalation or de-escalation of COVID – 19 controls and to enable decisions to protect employees. Further, the information is necessary to inform decisions about the COVID – 19 controls framework itself.

[186] The facts found by the Full Bench in Mt Arthur Coal and subsequent developments, evidence that both the virus and its effects are evolving rapidly. It is logical that knowledge of the vaccination types that employees have received and the dates on which those vaccines were given, would inform decisions to mitigate and manage these effects. For example, if a new strain of the virus emerged, which was more responsive to a particular type of vaccine, the Respondents would be positioned to assess the risks to employees based on this information. Similarly, if restrictive conditions on intrastate travel or movements were imposed, the Respondents would be in a position to establish the vaccination status of its employees quickly and conclusively and to assess the likely impact of such restrictions.

[187] I also accept that the information required by the Respondents is necessary to manage fraud, both actual and potential. It is uncontentious that any fraudulent activity would be undertaken by persons who are not vaccinated and who seek to falsify evidence for the purpose of establishing that they are vaccinated. The Respondents assert that they have identified four cases of suspected provision of fraudulent information and two confirmed cases. Such cases can only be identified if the vaccination information sought in the direction is available to the Respondents.

[188] As the Full Bench in Mt Arthur Coal found, unvaccinated persons are more likely to acquire COVID – 19 from another unvaccinated person, and this may occur outside the workplace. Once an infected and unvaccinated person enters the workplace, COVID – 19 is a significant hazard, in circumstances where workers interact or use the same common spaces. In the Queensland coal industry, such interaction is not limited to workplaces and can extend to accommodation facilities and facilities in local communities where workers gather for social and recreational purposes and interact with other members of those communities. These risks are actual, rather than hypothetical and I accept that the collection of the information required by the direction will provide a mechanism to manage and mitigate this risk by ensuring that the SAR can be effectively implemented and operated in a manner consistent with its objectives.

[189] I am also of the view that the information that is sought to be collected to verify the vaccination status of employees is reasonably necessary to ensure that the Respondents and employees comply with their obligations under the Coal Mining Safety and Health Act 1999 (Qld) (CMSH Act). The objects of the CMSH Act are set out in s 6 and include protecting the health and safety of persons at coal mines and requiring that the risk of injury or illness resulting from coal mining operations be at an acceptable level.

[190] Section 33(1) provides, relevantly:

33       Obligations for safety and health

(1) Coal mine workers or other persons at coal mines or persons who may affect safety and health at coal mines or as a result of coal mining operations, have obligations under division 2 (safety and health obligations).

[191] A “coal mine worker” is defined in the Dictionary to the CMSH Act as an individual who carries out work at a coal mine and includes an employee of the coal mine operator. Section 34 of the CMSH Act provides that a “person on whom a safety and health obligation is imposed must discharge the obligation”, and sets out maximum penalties for contravention of the section. Section 39 relevantly provides:

39       Obligations of persons generally

(1) A coal mine worker or other person at a coal mine or a person who may affect the safety and health of others at a coal mine or as a result of coal mining operations has the following obligations—

(a) to comply with this Act and procedures applying to the worker or person that are part of a safety and health management system for the mine;

(b) if the coal mine worker or other person has information that other persons need to know to fulfil their obligations or duties under this Act, or to protect themselves from the risk of injury or illness, to give the information to the other persons;

(c) to take any other reasonable and necessary course of action to ensure anyone is not exposed to an unacceptable level of risk.

(2) A coal mine worker or other person at a coal mine has the following additional obligations—

(a) to work or carry out the worker’s or person’s activities in a way that does not expose the worker or person or someone else to an unacceptable level of risk;

(b) to ensure, to the extent of the responsibilities and duties allocated to the worker or person, that the work and activities under the worker’s or person’s control, supervision, or leadership is conducted in a way that does not expose the worker or person or someone else to an unacceptable level of risk;

(c) to the extent of the worker’s or person’s involvement, to participate in and conform to the risk management practices of the mine;

(d) to comply with instructions given for safety and health of persons by the coal mine operator or site senior executive for the mine or a supervisor at the mine;

(e) to work at the coal mine only if the worker or person is in a fit condition to carry out the work without affecting the safety and health of others;

(f) not to do anything wilfully or recklessly that might adversely affect the safety and health of someone else at the mine.

[192] The expression “acceptable level of risk” is defined in s 29 of the CMSH Act as requiring coal mining operations to be carried out so that the level of risk is within acceptable limits and as low as reasonably achievable. Under s 18(1) and (2), a “risk” is the risk of injury or illness to a person arising out of a hazard and is measured in terms of consequences and likelihood. Section 19 provides that a “hazard” is a thing or a situation with potential to cause injury or illness to a person.

[193] Division 3 of the CMSH Act deals with the obligations of holders, coal mine operators, site senior executives and others. Section 42(a) provides, relevantly that a site senior executive for a coal mine has the obligations in relation to the safety and health of persons who may be affected by coal mining operations to ensure the risk to persons from coal mining operations is at an acceptable level.

[194] When those obligations and responsibilities are considered in light of the findings of fact made by the Full Bench in Mt Arthur Coal in relation to COVID – 19, including findings about the risks of infection and transmission and the effectiveness of vaccination as a control to reduce those risks, it is obvious that information about the vaccination status of employees, is integral to the functions and activities of the Respondents in relation to complying with their obligations under the CMHS Act.

[195] The potential for transmission of COVID – 19 is a hazard as defined in s. 19 of the CMSH Act. In the current environment, it is difficult to conceive of a greater or more immediate hazard, or more serious consequences and risks, than those associated with the transmission of a virus that can cause serious illness and possibly death. The risk of illness arising out of that hazard is higher or more likely if unvaccinated persons are permitted to enter the Respondent’s work sites and acquire and/or spread the virus to other workers or persons, both vaccinated and unvaccinated, at those sites or in accommodation facilities related to the sites or the communities where the mines are located. There is also a significant risk that coal mine workers who do not live in areas close to the mines will contract the virus while at work and transmit it when they travel to their homes.

[196] The proposal advanced by the Unions as an alternative measure to implement the SAR, is that workers who do not wish to provide the vaccination information sought by the Respondents use the “green tick” method to verify their vaccination status and access work sites. The Unions maintain their objection to the Respondents collecting any data on the vaccination certificates which are uploaded by employees to the QR check in app which generates the green tick. The Unions also maintain that even the fact that the employee has such a certificate and/or a green tick on their QR check in app, cannot be recorded and must be verified on each occasion that the employee accesses a mine site.

[197] It is immediately apparent that the alternative proposal advanced by the Unions is counter intuitive. On the one hand it is implicitly accepted that persons who enter the workplace may reasonably be required to show evidence of having been vaccinated, while on the other hand it is contended that it is unreasonable for the Respondents to record even the existence of the evidence of vaccination.

[198] It is trite that a hazard cannot be managed unless it can be measured. The effective implementation of mechanisms to control hazards, requires that inputs and outputs are measured. The approach proposed by the Unions is completely inconsistent with the Respondents’ approach of establishing a COVID – 19 Framework to manage present and future hazards and with accepted norms for managing such hazards. At the risk of repeating the obvious, even with high vaccine rates in the community, COVID – 19 is, and will remain, a significant hazard, in workplaces where people interact. Vaccination is the most effective and efficient control available to combat the hazards posed by COVID – 19.

[199] As a matter of practicality, the proposal advanced by the Unions as an alternative means for the implementation of the SAR is unworkable. Leaving aside other workplaces operated by the Respondents in Queensland, the mines operate continuously over 24 hours a day, 7 days a week and 365 days a year. There are multiple access points and employees arrive at those points by a variety of means and from numerous locations which may include from camp accommodation which they share with other workers.

[200] To implement the SAR in the manner proposed by the Unions, the Respondents would be required to station persons at every access point to the mine to check the mobile telephones of employees or a hard copy of whatever document the employee wished to produce to verify vaccination. Even if the information on documents is not “collected” because it is not recorded, it would be open to the Respondents to require documentation that establishes vaccination status, by indicating the type of vaccination received and when it was given, provided the requirement was lawful and reasonable. Showing documentation to a person stationed by an employer at an entrance to a worksite, is not caught by the Privacy Act and there is no material before me to indicate that this requirement would be unlawful on some other basis. Given my earlier finding that the documentation sought by the Respondents is reasonably necessary for their functions and activities, my view is that it would also be reasonable for the Respondents to require that it be shown on entry to its sites.

[201] Even if the Respondents accepted the “green tick” as evidence of vaccination (which it could arguably continue to refuse), the entry process proposed by the Unions would be at best unworkable and at worst, chaotic. For the purposes of illustrating this point, I accept the following propositions advanced by the Unions in their oral submissions:

•  40% of the Respondents’ workforce at a mine site have not consented to having their sensitive information collected to establish their vaccination status;

•  There are two entry points at most mine sites;

•  Entry is obtained by each employee using a swipe card; and

•  The respondent would station persons at each gate to view the green tick or other method of establishing vaccination status.

[202] It is also the case that the groups of employees who have or have not provided consent for the collection of information evidencing their vaccination status could alter, as employees opt in and out of those groups. There is every likelihood that employees would opt out if producing the information was not required. Regardless of the numbers involved, on each shift worked at the Mine a group of employees would approach the gate to access the mine. The group would comprise some employees who have consented to the collection of information to verify their vaccination status and some who have not consented. The persons charged with checking the vaccination status of persons seeking to access the mine site would have no way of knowing which members of group have verified the vaccination status and which members of the group have not. If all members of the group have a swipe card to access the mine site, the verification process is dependent for its integrity on persons who have not verified their vaccination status doing so voluntarily, on each occasion they access the mine site.

[203] The fact that employees have swipe cards would not assist to streamline this process. If swipe cards can be programmed so that those who have verified their vaccination status in accordance with the SAR have automatic access to the mine site and those who are required to verify their vaccination status on each occasion do not, a manual intervention would be required to allow persons whose vaccination status was required to be established on each occasion, to access the mine site. If swipe cards could not be programmed in this way, then either all cards would need to be deactivated or remain as they are, with the risk that unvaccinated workers could skip the queue and enter the mine site. If employees were permitted to access the mine site via their swipe cards and then verify their vaccination status inside the gate, the risk of error or fraud increases.

[204] It is only necessary to attempt to document this process, to envisage the scene that would ensue. On the numbers provided by the Unions, if 100 workers approached a gate at a mine, 40 would be required to submit to having their vaccination status checked manually while 60 would enter the gate using their swipe cards. It is not difficult to envisage a queue of frustrated mine workers waiting for their vaccination status to be checked, being consequently late for work, despite the best intentions of all concerned. The 40 workers whose status was checked manually would then have to enter using a different process, probably with manual assistance from the persons who had checked their status. The whole situation would be further complicated because as the industrial instruments covering the mine workers indicate, different rosters may be worked by different employees with varying start times. It is also the case that employees may have a range of reasons for not starting work at the designated shift start times, such as compliance with fatigue management policies or attendance at training. Essentially, the Respondents would be required to have staff at access points constantly throughout each day.

[205] In the present case, the repercussions of a single unvaccinated person slipping through the net are catastrophic if that person is infected with COVID – 19. This can be contrasted with the factual circumstances in Lee. In that case, the evidence about the safety related aspect of the direction to supply his fingerprint was that it would have allowed the employer to ascertain whether Mr Lee was on the site in the event of an emergency. In that context, Mr Lee’s refusal to provide his fingerprint data could only have directly affected the safety of Mr Lee and could have had no impact on other employees who had complied with the request. It was also not unreasonable for Mr Lee to use a manual system by writing in an attendance book to record his presence at the site given that he was the only employee in the workplace who had objected to using the fingerprint scanner. Further, there was evidence that the manual attendance recording system remained in place after Mr Lee was dismissed, further indicating that Mr Lee’s fingerprint data was not reasonably necessary for the employer’s functions or activities.

[206] In the present case, 60% of employees have agreed to the provision of information and 40% have not, and it is unclear whether the basis of their present position is a concern about privacy of sensitive information or about vaccination itself. The alternative system is not a reasonable alternative and would cause significant disruption to the Respondents, the employees who have complied with the direction and those who have not complied. It would also place all persons at the worksite at risk.

[207] The process proposed by the Unions would be more susceptible to human error than that proposed by the Respondents. I also accept the Respondent’s argument that if no record could be made of the fact that information verifying a worker’s vaccination status had been sighted and found to be correct and sufficient, then the Respondents would be unable to satisfy themselves that the site access requirement had been met, notwithstanding the acceptance by all parties that it has a safety critical justification. In those circumstances, the SAR ceases to be a framework to manage the hazards posed by the COVID – 19 pandemic and becomes an exercise in in putting out bushfires.

[208] I also share the view advanced by Mr Neil for the Respondents in answer to the hypothetical question as to why the “green tick approach” is acceptable at the Blackwater Hotel and not the Blackwater Mine. Mine sites are not hotels, they are workplaces under the Respondents’ control and in respect of which there are a broad range of statutory and common law obligations to ensure the health and safety of all persons who access them. It is not neither safe nor reasonable to require that a coal mine operator use an access system for verifying vaccination status that is designed for hospitality and retail establishments.

[209] Accordingly, I find that the requirement in APP 3.3 (a)(i) is met and that the vaccination information is reasonably necessary for one or more of the Respondents’ functions or activities. It follows that the exclusion in APP 3.3 is established and the SAR and the direction do not contravene the Privacy Act and are not unlawful on this basis. For the same reasons, I am satisfied that the SAR and direction in relation to verification of vaccination status, is not unreasonable either, considered either alone, or in combination with the bodily integrity issue.

General permitted situation and other matters

[210] Given my findings in relation to the bodily integrity issue and the Privacy Act issue, it is not necessary that I consider whether a general permitted situation exists as provided in APP 3(b), 3.4(b) and s. 16A of the Privacy Act. It is also not necessary that I consider the arguments advanced by the Respondents in relation to the effect of a breach of the Privacy Act on the lawfulness and reasonableness of the SAR. Further, in circumstances where the parties have agreed that I make a Recommendation rather than arbitrating the dispute, it is not appropriate that I consider these matters.

Conclusion

[211] For these reasons, I conclude that the answer to the question is: Yes, the Site Access Requirement is a lawful and reasonable direction having regard to the Privacy Act and the right to bodily integrity.

DEPUTY PRESIDENT

Appearances:

Mr L Tiley for the CFMMEU and CEPU.

Mr P Turner for the AMWU.

Mr I Neil SC and Ms H Blattman of Counsel instructed by Mr M Coonan for the Respondents.

Hearing details:

11 January 2022.

By Video.

Printed by authority of the Commonwealth Government Printer

<PR737577>

 1   [2021] FWCFB 3 December 2021.

 2   Document 25, State Consultation Group Minutes and Q&A – 21 December 2021; Document 30, Peak Downs Consultation Meeting – 21 December 2021 – minutes and QA; Document 31, Goonyella GM Consultation Meeting – 22 December 2021

 3   Document 47, COVID-19 vaccination Health and Safety basis and rationale, 6 January 2022.

 4   Document 39, FAQs Vaccination – how to upload and data use, page 1

 5   Page 6-8 of the document that is annexed to these submissions and marked Attachment 1

 6   Page 8 of the document that is annexed to these submissions and marked Attachment 1

 7   Page 8 of the document that is annexed to these submissions and marked Attachment.

 8   45 Document 39, FAQs Vaccination – how to upload and data use, page 1.

 9   State Consultation Group Minutes and Q&A – 21 December 2021, paragraph 4, page 2.

 10   Frequently Asked Questions about COVID-19 Vaccination, paragraph 608, page 29.

 11   [2021] FWCFB 6059 at [67].

 12   (1938) 60 CLR 601.

 13   (1996) 70 FCR 16,

 14   (1996) 70 FCR 16 per Finn J at [21].

 15   [2021] FWCFB 6059 at [259].

 16   Secretary, Department of Health and Community Services (NT) v JWB and SMB (Marion’s Case) 175 CLR 218 at 233.

 17   McManus v Scott-Charlton (1996) 70 FCR 16, Finn J at 21.

 18   [2021] FWCFB 6059 at [220].

 19   Ibid at [223].

 20   [2021] FWCFB 6059 at [218]

 21   [2021] FWCFB 6059 at [216], citing Secretary, Department of Health and Community Services (NT) v JWB and SMB (Marion’s Case) (1992) 175 CLR 218 at 233.

 22   [2021] FWCFB 6059 at [215].

 23   [2021] FWCFB 6059 at [218].

 24   [2021] FWCFB 6059 at [222].

 25   see Favelle Mort Ltd v Murray (1976) 133 CLR 580 at [21].

 26   ANF v Alcheringa Hostel Incorporated PR951805 at [48]; Construction, Forestry, Mining and Energy Union v New Oakleigh Coal Pty Ltd [2012] FWAFB 5107 at [55]; see also [128]-[129]; Construction, Forestry, Mining, and Energy Union v Queensland Bulk Handling Pty Ltd [2012] FWAFB 7551 at [22]

 27   See Four Aviation Security Service Employees v Minister of COVID-19 Response [2021] NZHC 3012 at [125].

 28   [2021] FWCFB 6059 at [218].

 29   Kassam v Hazzard; Henry v Hazzard [2021] NSWCA 299 at [56], [95], [96], [97], [99].

 30   Tomlinson v Ramsey Food Processing Pty Ltd (2015) 256 CLR 507 at [25]-[26], and, by analogy, Snyder v Helena College Council, Inc. t/as Helena College [2019] FWCFB 815 at [24].

 31   [2021] FWCFB 6059 at [85].

 32   [2021] FWCFB 6059 at [223].

 33   [2021] FWCFB 6059 at [223].

 34   [2021] FWCFB 6059 at [252]; see also [253].

 35   [2017] FCAFC 42 at [89] to [90].

 36   [2021] FWCFB 6059 at [253].

 37   cf [2021] FWCFB 6059 at [224].

 38   Privacy Act, s.6.

 39   Privacy Act, s.15.

 40   Privacy Act, s.6.

 41   Lee v Superior Wood Pty Ltd [2019] FWCFB 2946 (Lee v Superior Wood)

 42   Lee v Superior Wood

 43   R v Darling Island Stevedoring & Lighterage Co Ltd; Ex parte Halliday (1938) 60 CLR 601 per Dixon J.

 44   [2019] FWCFB 2946.

 45   OAIC - Coronavirus (COVID-19) Vaccinations: Understanding your privacy obligations to your staff. Link: https://www.oaic.gov.au/privacy/guidance-and-advice/coronavirus-covid-19-vaccinations-understanding-your-privacy-obligations-to-your-staff

 46   Coronavirus (COVID-19) Vaccinations: Understanding your privacy obligations to your staff. Link: https://www.oaic.gov.au/privacy/guidance-and-advice/coronavirus-covid-19-vaccinations-understanding-your-privacy-obligations-to-your-staff

 47   Australian Privacy Principle Guidelines, B. 43, page 11.

 48   [2019] FWCFB 2946.

 49   Lee v Superior Wood at [58].

 50   Australian Privacy Principle Guidelines, B.114 to B.116, page 24.

 51   Frequently Asked Questions about COVID-19 Vaccination, paragraph 608, page 29.

 52   Australian Privacy Principle Guidelines, C.8, page 4.

 53   Lee v Superior Wood at [58].

 54   [2013] FWCFB 3316.

 55   [2017] FCAFC 42.

 56   APP 3.4(b); Privacy Act section 16A, Item 1

 57   In Queensland, for example, the Public Health and Social Measures linked to vaccination status Direction (No. 2)

 58   Document 39, FAQs Vaccination – how to upload and data use, page 1.

 59   Document 45, Frequently Asked Questions about COVID-19 vaccination. page 25

 60   Document 39, FAQs Vaccination – how to upload and data use, page 1.

 61   Document 39, FAQs Vaccination – how to upload and data use, page 1

 62   Document 39, FAQs Vaccination – how to upload and data use, page 1, Document 45, Frequently Asked Questions about COVID-19 vaccination, page 29 question 608

 63   Document 46, State Consultation Group Meeting – 6 January – Minutes and QA, page 1

 64   [2021] NSWCA 299.

 65   [2019] FWCFB 2946.

 66   [2019] FWCFB 2946 at [46] to [48].

 67   [2021] FWCFB 6059 at [212].

 68   [2021] FWCFB 6059 at [85].

 69   [2013] FWCFB 3316

 70   [2013] FWCFB 3316 at [3]

 71   (2017) 247 FCR 295 at [79]-[90]; particularly at [89] to [90]

 72   Document 39 and document 45 on the Consultation Hub.

 73   [2020] FWC 3324.

 74   [2020] FWC 3324 at [83] to [84], [92].

 75   [2021] FedCFamC2G 337.

 76   Mt Arthur Coal at [85], [266].

 77   Ibid at [222] citing the judgment of Beech-Jones CJ at CL in Kassam v Hazzard [2021] NSWSC 1320.

 78   Transcript of proceedings PN394 – 395.

 79    Pacific Access Pty Ltd v CPSU (1998) 83 IR 323 at 333 per Giudice P, McBean SDP and Lewin C.

 80   [2021] FWCFB 6059 at [215].

 81   (1992) 175 CLR 218 (Marion’s case).

 82   Ibid at 233.

83 Ibid.

 84   [2021] FWCFB 6059 at [218].

 85   Ibid at [223].

 86   Kassam v Hazzard; Henry v Hazzard [2021] NSWCA 299 per Leeming JA at paragraphs 168 – 172.

 87   [2019] FWCFB 2946.

 88   Ibid at [58].

 89   Ibid at [58].

 90   Lee v Superior Wood Pty Ltd [2020] FWCFB 1301.

 91   Ibid at [66].

 92   [2021] NSWCA 299 at 1320.

 93   Crescendo Management Pty Ltd v Westpac Banking Corporation (1988) 19 NSWLR 40 at 46 per McHugh J (with whom Samuels and Mahoney concurred).

SCHEDULE A

CFMMEU APPLICATIONS

AMWU APPLICATIONS

CEPU APPLICATIONS