Covid Vaccination Status and Data Protection in the Workplace
- Data Protection & Privacy Law
- 25th Aug 2021
By Stephen Attree
MLP Law
September is less than a week away, meaning the return of schools will coincide with the increasing return of employees to their physical workplaces, likely resulting in an increase in Covid cases. Indeed, Scotland is currently seeing such increases already, with the return to school having taken place over a week ago. It is therefore clear that Covid continues to pose a risk in society generally and employers will understandably wish to impose certain measures in response to help reduce that risk. We will therefore examine if one such measure can include keeping records detailing whether or not employees have had a Covid vaccination and the related data protection issues associated with collating that information.
It is key to note that this is not a reframing of the ‘no jab, no job’ debate. Instead, the focus is on the ability of an employer to note the vaccination status of each member of staff and then use that information during the course of the individual’s employment (for instance, to determine access to the workplace).
Employers are certainly not obliged to check if staff have had the Covid vaccine (except in care homes from 11 November 2021, when it will be compulsory for staff to have the vaccine unless medically exempt) but it is understandable that employers may wish to know this information, not least because it assists with workplace health and safety risk assessments and helps to avoid business disruption.
In keeping records regarding the vaccination status of staff – either through the NHS Covid Pass or through other means – the employer is processing special category health data and must comply with data protection legislation.
The ICO (Information Commissioner’s Office) has released updated guidance on vaccination status checks from a data protection perspective. In essence, to comply with data protection laws, employers are required to do the following:
● Identify the legal basis for collecting the data
● Carry out a data protection impact assessment
● Respect the principles of transparency, proportionality and security
Legal Basis for Collecting Data
The principal issue that employers should consider is what they seek to achieve by asking staff for their vaccination status. The safest legal bases to rely upon will be compliance with legal obligations and/or ‘substantial public interest’. This means that if the employer is trying to achieve the aim of preventing the spread of the virus and complying with its duty of care to its employees, that will be more likely to be justifiable than, for example, customer or staff preference or boosting confidence. Employers should ensure that their aims are clear and necessary and that those aims could not be met without collecting the data; they are unlikely to be able to justify collecting the information ‘just in case’.
Specific factors that should therefore be considered by employers before deciding to record employees’ vaccination status include:
● The sector the business operates in, the kind of work its staff do and the health and safety risks in its workplace – are staff working with the clinically vulnerable or in an environment where they are more likely to encounter those infected with Coronavirus?
● The collection of this information must not result in any unfair or unjustified treatment, and should only be used for purposes people would reasonably expect. The business should treat people fairly and if the collection of this information is likely to have a negative consequence for an individual, the organisation must be able to justify it.
● If the use of this data is likely to result in a high risk to individuals (e.g. denial of employment opportunities or services) then the employer will need to complete a Data Protection Impact Assessment before it starts processing the data.
Taking these factors into account, an example where a business may be able to justify checking employees’ vaccination status would be where some roles required international travel. In those circumstances, the employer may be able to justify needing to know which employees have had both vaccine doses to allow it to allocate certain assignments or projects to those individuals, where international travel is necessary.
Data Protection Impact Assessment
This sets out the proposed ways that data will be processed, the risks to data subjects, and the ways in which such risks will be mitigated (e.g. by limiting the number of people who have access to the record, only keeping records for as long as they are necessary and complying with the other GDPR principles).
Transparency, Proportionality and Security
Employers need to be open with staff about:
● How they will store the information
● How long it will be kept
● Who will have access to it
● How it can be updated or corrected
Should an employer wish to undertake such vaccination status checks, it may also need to update its privacy notice to reflect that approach.
In short, employers can check and record the vaccination status of staff but it is not a step that should be taken lightly or without evidence of the decision-making process and justification for doing so in light of each business’s particular circumstances.
If you have any questions please contact the MLP Law Employment team at employment@mlplaw.co.uk or 0161 926 9969. Please also keep an eye out on our Twitter feed @HRHeroUK and for our regular blogs on all things Employment Law and HR.
About the expert
Stephen Attree
Managing Partner
Stephen is the Owner of MLP Law and leads our Commercial, IP and Dispute Resolution teams which provide advice on all aspects of the law relating to mergers, acquisitions, financing, re-structuring, complex commercial contracts, standard trading terms, share options, shareholder and partnership agreements, commercial dispute resolution, joint venture and partnering arrangements, IT and Technology law, Intellectual Property, EU and competition law, Brexit and GDPR.