Employers may seek to be aware of the vaccination status of staff to limit the spread of Covid-19. However, collecting this information must be done carefully.
The Covid-19 vaccine rollout in the UK continues, with all adults having now been offered a vaccination and over 45 million (almost 90% of the adult population) having received their first dose.
Some employers may consider that an awareness of the vaccination status of staff (i.e. whether someone has been partially or fully vaccinated or not) will assist with limiting the spread of Covid-19 in the workplace. However, collecting this information must be done carefully.
The vaccination status of an individual is special category data, as it relates to an individual’s health. This means that in addition to identifying a lawful basis for processing the data, a further condition must be satisfied.
So, these questions need answering.
Why is it necessary for employers to collect the vaccination status of employees?
There must be a clear and necessary reason to collect this information and this question must be considered on a case-by-case basis. Workplaces which involve vulnerable individuals, or where there is a higher risk of the spread of Covid-19, for example, are more likely to have a clear and necessary reason to ask staff about their vaccination status.
Which lawful basis can employers rely on?
Once a reason for collecting the information is identified, the employer must then identify a lawful basis for processing it. The Information Commissioner’s Office (“ICO”) recently published guidance on which lawful basis and further conditions may be relied upon. According to the ICO guidance, legitimate interests “is most likely to be appropriate”, but a Legitimate Interests Assessment must be properly carried out and documented in order for an employer to rely on this basis. This involves assessing the purpose and necessity of the processing against the likely impact on individuals.
What further condition can employers rely on?
Explicit consent is often relied upon when collecting and using special category data. However, in the context of the employer/staff relationship, consent is less likely to be freely given, due to the imbalance of power in this relationship.
The UK GDPR says that special category data may be processed if it is “necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment…pursuant to domestic law providing for appropriate safeguards for the fundamental rights and the interests of the data subject”.
The ICO guidance provides certain examples of where this may be the case, including ensuring the health, safety and welfare of employees. When relying upon this condition in the UK, employers must have an ‘appropriate policy document’ in place, i.e. a document outlining the organisation’s procedures for securing compliance with the data protection principles and the retention/erasure policies for data processed in reliance on this condition. Check if you have one, and if not, implement one.
Alternatively, the UK GDPR allows special category data to be processed if it is “necessary for reasons of public interest in the area of public health”. This condition may only be relied upon where the processing is carried out by (or under the responsibility of) a health professional, or by someone else who owes a duty of confidentiality, under the circumstances. Reliance on this condition does not require an employer to implement an appropriate policy document.
What needs to be done?
The first step is to ensure that staff are aware that they will be asked about their vaccination status and how this information will be handled. This should be communicated in the form of a privacy notice (or an existing privacy notice can be amended to refer to this new processing). The employer should also consider managing the sensitivity of this communication and provide a contact for staff, should they have any concerns or queries.
The employer must carry out a Legitimate Interests Assessment if legitimate interests is relied on as a lawful basis, and, where the employer is relying on the employment law ground for processing special category data, it must also put an appropriate policy document in place.
It is prudent to also carry out a Data Protection Impact Assessment. A further assessment is necessary where the processing is likely to result in a high risk to individuals. The ICO guidance on Covid-19 vaccinations provides an example of denial of employment opportunities as likely to result in a high risk to affected individuals (recent news from the United States, for example, indicates that jobs may be at risk for employees who do not demonstrate that they are fully vaccinated).
Compliance with all the data protection principles is also required, particularly in the context of deleting the data once it is no longer needed.
What if we cannot identify a further condition?
Failure to identify a further condition (on top of, for example, legitimate interest) means that the processing of vaccination statuses will be unlawful. The processing of special category data must be handled with extra protection under UK data protection law and, given the broader contextual sensitivities regarding the vaccine rollout, collecting staff vaccination statuses brings additional risks. Unlawful processing of special category data is an aggravating factor for the ICO when calculating fines for serious contraventions of the law.
What if employees are also based in the EU?
A number of data protection authorities across Europe have produced guidance similar to the ICO’s. However, given the differing labour laws, local data protection laws and approaches to vaccination status, employers should be wary of applying a broad-brush approach to the recommendations outlined in this note across the EU. Our comments are primarily based on the ICO’s recommendations.
For example, the Irish Data Protection Commission recently published guidance indicating that “the processing of vaccine data is likely to represent unnecessary and excessive data collection for which no clear legal basis exists”. Elsewhere, under German law, an employer is likely to be prohibited from asking staff for their vaccination status.
The examples of Ireland and Germany indicate that the ICO takes a more flexible view on the interpretation of the rules. Following the right analysis and cautious practical steps, employers can proceed to collect the vaccination status of staff, under UK data protection law, provided they have a very good reason for collecting this information. A crucial question that employers therefore need to ask themselves is: Why do we need to collect and process this data?