COVID-19 vaccines and the workplace

Print this page Email a link to this page

As people head back into the workplace, employers may look to maintain a record of employees who’ve had a COVID-19 vaccine (Vaccine Data). But what data protection issues surround the processing of this data, and what steps can employers take now to address them?

Can employers ask for and process Vaccine Data?

The answer to this is yes, so long as employers comply with the applicable data protection legislation within the UK GDPR and Data Protection Act 2018.

Employers must have a legitimate reason for collecting and processing data, often referred to as the ‘lawful basis’ for processing. They also need to demonstrate that the data is:

  • Used lawfully, fairly and in a transparent way.
  • Collected for specified purposes and processed appropriately.
  • Relevant to the specified purpose.
  • Accurate and up to date.
  • Kept only for as long as necessary.
  • Kept secure.

Vaccine Data relates to an employee’s health and would be categorised as ‘special category data’ for the purposes of the UK GDPR. Special category data is particularly sensitive in nature and warrants more protection as a result. To process Vaccine Data, employers will need to identify an additional justification under Article 9 of the UK GDPR to legally process it. These justifications will need to be set out clearly within the applicable employee facing privacy policy if they are not already.

The Information Commissioner’s Office makes clear in its guidance that in an employment setting, consent is rarely an appropriate basis given the imbalance of power between an employer and employee. Employers will need to be able to show that the processing of Vaccine Data is justified for other reasons, such as employment obligations or public health (the ‘lawful basis’ for processing).

Employers need to make sure that any information gathering in relation to Vaccine Data is necessary and proportionate. For example, if employees are not currently required to work from a place exposed to other people (such as an office building) then requesting Vaccine Data is unlikely to be considered reasonable or proportionate. But it may be reasonable at the point of them returning to the workplace. Employers should also only collect, process and retain the minimum amount of information to fulfil their specified purpose. 

What action should employers be taking?

Data Protection Impact Assessment (DPIA)

Completion of DPIAs are a legal requirement for organisations who process special category data on a large scale. As Vaccine Data constitutes special category data, organisations should prepare a DPIA before any policy of Vaccine Data collection is introduced.

The DPIA should assess, amongst other things:

  • Why the Vaccine Data is required?
  • What potential risks there may be to the employees?
  • How long the Vaccine Data will be retained?
  • How the Vaccine Data will be stored?
  • Who will have access to the Vaccine Data?

Employee facing privacy policy

Employees should be kept fully informed as to what data their employer processes about them and why. This information should be reflected within any employee facing privacy policy.

Employers should review and, if necessary, update their employee facing privacy policy in order to set out how they intend to process any Vaccine Data. Employees should be notified of changes, for instance, in a letter or communication explaining the employer’s position on Vaccine Data. 

COVID-19 secure environment

It’s important for employers to remember that vaccination should not be treated as the sole way of preventing exposure to COVID-19. The government has produced lots of guidance about how to reduce the risk of the virus and, therefore, employers must continue to maintain safe working practices in line with national guidelines. This is for the benefit of all employees, including those who may choose not to have the vaccine, or who have not been offered one yet.

This article does not consider the various employment law implications that might arise from the Vaccine Data (e.g. whether an employee without a vaccine can be refused re-entry to the workplace).

If you wish to discuss this with one of our employment experts, please contact Roland Fairlamb on 0191 211 7935 or [email protected]