top of page

Mandating vaccinations - thought about the risks?

What started as one company coming out with a strong leadership position to meet its obligations under the Work Health & Safety legislation to protect their workers, now seems to be the subject of much confusion. And some controversy.

I’m talking of course of the decision by an increasing number of businesses to mandate Covid-19 vaccination for their employees.

In a blog a few years back I noted that risk arises when there is a change in the environment in which an organisation operates, or where the organisation is out of line with the value demands of its stakeholders. In the present situation with the Delta variant of Covid-19 spreading rapidly through the population, we have two competing risk drivers.

So what happens when those two drivers of risk are in conflict?

On the one hand, we have the very specific obligation on organisations to provide a safe workplace for their employees mandated under WH&S laws. These require employers to assess risks and to mitigate them to a level ‘as low as reasonably practicable’. I think most people would agree that this is a realistic expectation for employers to meet.

Alignment is sometimes difficult between Unions, Employees and Management but the health, safety and wellbeing of employees is, refreshingly, one area of commonality.

The other risk driver however is the individual employee’s right to privacy and protection of their personally identifiable information (PII). What makes matters slightly worse in this scenario is that medical information is held even higher at law and determined as sensitive information.

There are of course other issues like freedom of choice, religious beliefs and medical conditions that are part of individual choice (we’ll return to these later).

So how do we proceed?

In Covid-19, organisations are facing what is classed as a dynamic risk - these types of risk arise from the external environment – other examples are economic conditions, the operations of the financial markets, competitor initiatives and customer preferences. It's management’s job to respond to these risks in a way that creates value for the organisation, capitalising on opportunities and minimising threats.

This means organisations will have to address the issue at some point – even if the result is to carry on with the current approach. However, even this decision requires due diligence.

Like any threat or opportunity (i.e. risk) facing the organisation, the key step is to conduct a robust risk assessment. Why robust? Given what’s at stake here and the potential for pushback from staff / unions and the potential for legal action, your decision making may come under significant scrutiny.

The test of your process will be how it looks under the spotlight of TV News cameras and front-page headlines.

But never fear – there is a sound and logic approach to ensure you cover all the elements that need to be part of your decision-making process. This will provide a defensible position should your organisation be taken to task for the position it has adopted.

The issues at play

The first and most obvious consideration is the employer’s obligations under Workplace Health and Safety (WHS) laws. For Covid-19, as with any other risk to the health and safety of employees, the requirement is to eliminate or minimise the risk to as low as reasonably practicable.

Therefore, the employer is required to consider its response to Covid-19 in this light. An additional challenge is the speed at which the situation changes – decision making timeframes in these pandemic times are considerably shortened. And the outcome of your decision will likely only apply till the next development in the public management of the pandemic response. We recently published an article about changing context which you can access here.

On cursory inspection then, mandating vaccination might be seen to be a proactive step in not only meeting workplace health and safety laws, but also in contributing to the community effort to manage the impacts of the virus. However there are other things to consider.

Before we do that, let’s just think about the consequences of an employer choosing to do nothing. What defence will an employer have if employees have raised their concerns about working with unvaccinated colleagues only to have the employer refuse to take any action at all? Has the employer met their obligations to eliminate or minimise the risk in their workplace?

If there is a ‘middle ground’ in this scenario, it is probably for an employer to actively encourage vaccination amongst its workforce. It will then be seen to be taking action to reduce the risk. A word of caution however – this is not a set and forget decision and the employer should ensure they are monitoring the operating environment for any changes (context) that may require them to dial up or down their position.

One of the fundamental elements of the workplace health and safety laws, and indeed most industrial laws, is the requirement for consultation with employees when considering major changes to the workplace. Employers would be well counselled to plan a thorough consultation and engagement program to meet this requirement.

One other point in the raft of considerations for employers is that of Workers Compensation coverage. If for instance an employer mandated vaccination and the employee suffered side effects, this would likely be considered compensable. Just one other issue to think about in the organisation’s position on vaccination.

The next issue for consideration by employers is Privacy. Australia, like most nations, imposes significant requirements on organisations that collect, use, and store the personal information of its citizens.

In the context of mandatory vaccination regimes for Covid-19, this would mean an employer would be seeking information from the employee to confirm their vaccination status. This is not just personal information under the legislation but the next tier ‘sensitive information’ in that it relates to a person’s medical data.

A decision to mandate vaccinations will require employers to make some key choices about this data. Firstly, will they require employees just to show proof of vaccination or will they require it to be collected (and stored)? If we determine that it will be collected, then there are several considerations:

  • Issuing a Privacy Collection Statement including:

- The purpose for collecting the information

- What information will be collected

- Where the data will be stored (including whether it will be transferred overseas)

- Whether the data will be shared with third parties

  • Minimising the amount of sensitive data collected

  • Wherever possible, collecting the data from the individual themselves

  • Determining who will have access to the data and for what purpose

Again, these issues are not insurmountable and merely require the employer to put their mind to them before taking any action.

The next major issue for employers to consider is that of potential Discrimination. In the case of mandating vaccinations, employers will potentially face pushback from employees on the following grounds:

  • A medical condition/s that precludes vaccination

  • Religious beliefs

  • Perceived impingement of an individual’s rights / freedom to choose

The last point can be interesting – an individual may be more than happy to get vaccinated for a free beer or additional Qantas points but may baulk at the prospect of it being mandated by their employer.

The determination of whether a potential action is discriminatory or not should be informed by legal opinion. Suffice to say that a person with a medical condition preventing vaccination is likely covered by the Disability Discrimination Act. Likewise, it would be prudent to seek appropriate counsel in the case of a person who objects on religious grounds.

Regardless of the circumstance, employers would be wise to engage with those that object to the vaccination in a consultative and caring manner. This should be aimed at better understanding the grounds of their concerns, offering to provide further information / fact sheets, or connecting them with independent experts.

The goal should always be to retain the experience and knowledge of your valued team members. But whatever the outcome - from providing accommodations for the person to work remotely to ultimately determining that their employment with the business is unsustainable – the person needs to be treated with dignity and respect at all times.

And of course, a final but no less important issue is that of Monitoring and Responding as the operating environment changes and evolves. As we have seen with the pandemic to date, this can be a day-to-day proposition.

As a result, organisations should not lock themselves rigidly into their decision regarding mandatory vaccination but rather understand that their position may change over time.

It is also key to ensure that whatever information that the organisation relies on for its decision making comes from reliable and trusted sources. Social media, and even some mainstream media is often corrupted by groups or individuals with agendas that are nothing to do with protecting the community at large.

Employers may also consider providing information and data to keep their employees informed or at least refer them to credible sources. To do nothing risks people looking to friends and family who, whilst well intentioned, won’t necessarily be using reliable or trusted resources.


If you have read this article and thought ‘this is too hard’, rest assured it is not. It does take some commitment and does rely on the organisation having a robust Risk Management Framework and Risk Culture.

ABM Risk Partnership specialises in helping organisations be the best they can be through a bespoke approach to risk management that enables taking more and smarter risks – after all our motto is ‘from risk comes opportunity!’

Recently we were pleased to announce that we have partnered with Decision Inc, a global technology services company specialising in data and analytics, to make the acquisition of insightful data analytics and robust risk management a seamless process for businesses.

Powerful data analytics and effective risk management enables businesses to reduce uncertainty and, through greater understanding, take advantage of opportunities. Combined, these data analytics and risk management capabilities support the achievement of organisational objectives.

If you’d like assistance to review and determine your stance on vaccination, or to have a broader conversation on your data analytics and risk management program, please get in touch by email, our website or you can call Anthony Wilson on 0404 829 040.


bottom of page