Vaccinations and the workplace

Things are changing quickly in the vaccination / workplace equation. Our HR teams provide this latest update for employers, including their most recent advice and some case examples. 


Can I require vaccinations in my workforce?

Russell McVeagh and PwC have recently announced that only people who have had both doses of the Covid-19 vaccine will be allowed to enter their offices as of later this year. This has many of us wondering if we can implement a similar policy in our own workplace. The simple answer is yes, but before doing so we must consider some of our key legislative obligations and our process, and conduct a risk assessment of each employee’s role.

Can I ask my employees their vaccination status? 

The starting point would be to identify what percentage of your workforce is already vaccinated. An employee’s vaccination status is medical information and personal to them, so it must be protected under the principles of the Privacy Act (the Act).

Under the Act, employers generally cannot ask about someone’s medical information unless it affects their job. This is no different in this case, and you must have a lawful purpose for asking that is linked directly to their employment and/or the business function. Saying that you need the information to ensure your employee is contributing to the national public health response would in our view not be a lawful purpose. 

If you determine that a role can only be performed by a vaccinated person through a risk assessment (outlined later in this article), that may be a lawful purpose for asking an employee if they are vaccinated. As an employer, you have an obligation under the Health and Safety at Work Act to identify and minimise any health and safety risks in the workplace. The collection of this information for the safety of your employees and those they come into contact with while performing their job could be a lawful purpose. You can also lawfully ask for this information if your employee is in a role requiring vaccination under a Public Health Order.

You must also ensure you only use the information collected for your stated lawful purpose, so it is important to think carefully about how you may need to use the information in the future. 

How should I collect this information?

The Act states that collecting personal information must be necessary for your lawful purpose. You should only ask for the information you actually need, and you should store it only for as long as you need it to satisfy your lawful purpose. 

You are required to collect the information in a fair and unobtrusive way, and be transparent about why you need it, who will have access to it, and how it will be stored. You should ensure that the information collected is stored securely and is only available to the people you have stated will see it. 

We suggest sending out a staff survey to collect this information, making sure to set out your lawful purpose and intended use of information at the beginning for employees to consent to before answering.

You should also make clear what will happen if employees do not provide the information requested. You may need to treat these employees as unvaccinated. It is voluntary for employees to provide information, but since this information is being collected for health and safety reasons relating to employment, our view is employees should provide it in good faith. 

How do I assess whether I can make vaccination mandatory?

If you are considering making vaccinations a requirement for your employees, you must complete a risk assessment to assess which roles you can justifiably require a vaccination for. It is important to follow this process so you can demonstrate that you have thoroughly considered your decision and have grounds for it if it is challenged later.

A Covid-19 risk assessment will be similar to the process you would follow for identifying any other risks in your business. We have outlined the key elements below, to help simplify this task for you. 


Before beginning a risk assessment, ensure you have a clear picture of the typical duties involved in each of the roles you are assessing, and whether these would differ at different alert levels. You should also identify what safety measures are currently in place to minimise the risk of exposure to Covid-19. 


Under the Health and Safety at Work Act there is a duty to consult, cooperate and coordinate with employees in identifying and minimising health and safety issues. This is an important part of the process for both practical and legal reasons, and it should not be overlooked. You can consult with employees through a Health and Safety Committee, if you have one, or by speaking to a health and safety representative.


The purpose of a risk assessment is to identify which roles in a company are exposed to a higher risk of contracting or transmitting Covid-19, and therefore require a vaccinated worker to perform them.  


The focus of a risk assessment must be the role itself, rather than the individual performing the role. While it is still important to take into account an individual's personal circumstances in your business setting and make adjustments accordingly, these must be treated on a case-by-case basis rather than forming part of your risk assessment. For example, one of your current employees may be immuno-compromised and need to work from home to minimise the risk of getting Covid-19. This does not necessarily mean the role the employee is performing is high risk and justifies mandatory vaccination.  

Suggested questions 

WorkSafe have developed questions to aid employers in completing a risk assessment, which we have attached in an Appendix to this article. These questions consider things like who your employees would come into contact with when performing their job, for how long, and in what proximity. Some questions may not be appropriate for your company, and similarly you may have other risk factors to consider which are specific to your workplace and type of work you carry out. You will need to decide on an appropriate rating scale in answering these questions. A suggested approach is to rate from 1 to 4, 1 = low risk, 2 = moderate risk, 3 = high risk and 4 = extreme risk.  

Review your results 

After you have completed your risk assessment, review your results and identify whether any of your roles are at high risk of exposure to Covid-19. Consider any steps you could take to mitigate this risk any further. If there aren't any, you may be justified in requiring a vaccinated employee to perform this role. Ultimately you are only required to control what you can within your workplace, and it may be that external factors which affect your employees outside of work increase your overall risk to health and safety.  

In summary, you can collect information about your workforce’s vaccination status as long as you are careful about how you gather it and comply with the Privacy Act. You can also require vaccination for your employees in some circumstances, but you must do a risk assessment beforehand. This does not guarantee you will be right in every instance, but you will be in the safest position by following the correct process with the right intentions.

It is important to remember that this advice only takes into account the current situation, and as with all Covid-19 response measures, new government legislation or an extension of the scope of Public Health Orders is always a possibility.

If you would like more information or guidance on this, please contact Chris Wright, Head of HR on 09 373 1101 or email


Considerations for a risk assessment as developed by WorkSafe: 

  1. How many people does the employee carrying out that work come into contact with? (very few = lower risk; many = higher risk)
  2. How easy will it be to identify the people who the employee comes into contact with? (easy to identify, such as co-workers = lower risk; difficult to identify, such as unknown members of public = higher risk)
  3. How close is the employee carrying out the tasks in proximity to other people? (2 metres or more in an outdoor space = lower risk; close physical contact in an indoor environment = higher risk)
  4. How long does the work require the employee to be in that proximity to other people? (brief contact = lower risk; lengthy contact = higher risk)
  5. Does the work involve regular interaction with people considered at higher risk of severe illness from COVID-19, such as people with underlying health conditions? (little to none = lower risk; whole time = higher risk)
  6. What is the risk of COVID-19 infection and transmission in the work environment when compared to the risk outside work? (equal to outside work = lower risk; higher than outside work = higher risk)
  7. Will the work continue to involve regular interaction with unknown people if the region is at a higher alert level? (no = lower risk; yes = higher risk)

DISCLAIMER: No liability is assumed by Baker Tilly Staples Rodway for any losses suffered by any person relying directly or indirectly upon any article within this website. It is recommended that you consult your advisor before acting on this information.
