As people head back into the workplace, employers may look to maintain a record of employees who’ve had a COVID-19 vaccine (Vaccine Data). But what data protection issues surround the processing of this data, and what steps can employers take now to address them?
Can employers ask for and process Vaccine Data?
The answer to this is yes, so long as employers comply with the applicable data protection legislation within the UK GDPR and Data Protection Act 2018.
Employers must have a legitimate reason for collecting and processing data, often referred to as the ‘lawful basis’ for processing. They also need to demonstrate that the data is:
- Used lawfully, fairly and in a transparent way.
- Collected for specified purposes and processed appropriately.
- Relevant to the specified purpose.
- Accurate and up to date.
- Kept only for as long as necessary.
- Kept secure.
The Information Commissioner’s Office makes clear in its guidance that in an employment setting, consent is rarely an appropriate basis given the imbalance of power between an employer and employee. Employers will need to be able to show that the processing of Vaccine Data is justified for other reasons, such as employment obligations or public health (the ‘lawful basis’ for processing).
Employers need to make sure that any information gathering in relation to Vaccine Data is necessary and proportionate. For example, if employees are not currently required to work from a place exposed to other people (such as an office building) then requesting Vaccine Data is unlikely to be considered reasonable or proportionate. But it may be reasonable at the point of them returning to the workplace. Employers should also only collect, process and retain the minimum amount of information to fulfil their specified purpose.
What action should employers be taking?
Data Protection Impact Assessment (DPIA)
Completion of a DPIA is a legal requirement for organisations that process special category data on a large scale. As Vaccine Data constitutes special category data, organisations should prepare a DPIA before any policy of Vaccine Data collection is introduced.
The DPIA should assess, amongst other things:
- Why the Vaccine Data is required.
- What potential risks there may be to the employees.
- How long the Vaccine Data will be retained.
- How the Vaccine Data will be stored.
- Who will have access to the Vaccine Data.
COVID-19 secure environment
It’s important for employers to remember that vaccination should not be treated as the sole way of preventing exposure to COVID-19. The government has produced lots of guidance about how to reduce the risk of the virus and, therefore, employers must continue to maintain safe working practices in line with national guidelines. This is for the benefit of all employees, including those who may choose not to have the vaccine, or who have not been offered one yet.
This article does not consider the various employment law implications that might arise from the Vaccine Data (e.g. whether an employee without a vaccine can be refused re-entry to the workplace).