In our latest news alert, Associate Sophie Rothwell and Partner Emma Bartlett address the key employment law and GDPR considerations for employers in requiring employees to provide data about vaccination status.
The Coronavirus pandemic continues to have a significant impact on all aspects of life in the UK, including on businesses, employers and workers. Whilst the roll-out of vaccinations over the past year has provided us with a beacon of hope for a future in which the virus does not dominate, for the time being, there is no immediate fix and businesses must continue to operate within the Coronavirus landscape. It has been a very challenging time for employers as they have sought to keep up with the various iterations of government-issued guidance for working safely during the pandemic. However, it remains the case that only certain roles/industries are subject to mandatory vaccination requirements, with the majority of employers simply encouraged to make a commitment to driving vaccine uptake across the UK by supporting staff to get the vaccine.
Several national employers, such as IKEA, Asda, Slimming World, Metro Bank, Santander, and others, have put their weight behind promoting positive vaccination messages and pledging flexibility to help staff get the vaccine during working hours, and by giving employees time off to recover if they feel unwell as a result.
One of the reasons behind encouraging staff to get the vaccine is to ensure workplaces are safe. However, some employers are overlooking their data protection compliance obligations by uniformly requesting employees to confirm their vaccination status before entering the workplace. This article serves to remind employers of their obligations and the parameters in this regard.
Checking employees’ vaccination status
The data protection legislation in the UK places limits on how employers can “process” their employees’ personal data. An individual’s vaccination status constitutes personal data for these purposes and employers must, therefore, comply with the data protection legislation.
The form of data collection will affect an employer’s obligations; if, for instance, an organisation is only conducting a visual check of staff members’ vaccination passes and does not retain any personal data from this (either by keeping a record, taking a hard copy or digitally scanning it) then this should not constitute “processing” and no restrictions apply.
However, if an employer conducts checks digitally (e.g., by scanning the barcode on a vaccination passport) or by requiring hard-copy evidence or written confirmation of vaccination status to be kept on the employee’s HR file, then this would constitute “processing”.
Lawful basis for processing data
As set out above, vaccination status is personal data for the purposes of the data protection legislation. In addition, it is health data which has the more protected status of “special category data”. This effectively means that an employer must pay more careful attention to why it needs the information and what it does with it. An employer must:
- have a lawful basis for processing the data; and
- be able to identify what is known as an Article 9 condition (under the GDPR) for processing.
In terms of the valid lawful basis, the most likely one in the employment context is that an employer may have a legitimate interest in processing the vaccination data. This means processing is necessary for the employer’s legitimate interest or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. Importantly, however, employers do need to make their own assessment for their specific organisation and should not automatically assume they have a lawful basis.
In terms of the Article 9 condition for processing data in the employment context, the following could apply:
- Article 9(2)(b), where processing is necessary for the purposes of carrying out obligations in the field of employment law, such as ensuring health, safety and welfare of employees; or
- Article 9(2)(i), where processing is necessary for reasons of public interest in the area of public health.
An employer’s reason for recording its employees’ vaccination status must, therefore, be clear and necessary – they must not collect the data on a “just in case” basis, or if they can achieve their goal without collecting said data.
Employers must apply their minds carefully as to whether it is truly necessary to collect and process vaccination data. Analysis of the kind of work your staff do and the particular health and safety risks in your workplace should help you determine if there is a legitimate reason to record whether your staff have had the vaccine. For instance, if you have an employee who is clinically vulnerable and, therefore, at greater risk if exposed to the virus, then it could be legitimate for you to check the vaccination status of those fellow staff who work closely with the clinically vulnerable employee, to ensure that the risk posed to said employee is minimised as far as possible in the circumstances. Employers should not be collecting vaccination data just for the purpose of general monitoring or for boosting staff or customer confidence when attending the workplace.
Data protection obligations
There are a few general guiding principles that should be considered when processing vaccination data:
- Employees must understand why their employer needs to collect this information and what it is being used for – being open and transparent is central to this.
- Collection of the data must be secure, and any duty of confidentiality owed must be respected. For instance, an employer should not routinely disclose a person’s vaccination status to others, including colleagues, unless there is a legitimate and justifiable reason to do so.
- Before collecting the data, the employer must consider whether the use of the data is likely to result in a high risk to individuals (for example, denial of employment opportunities), because in these circumstances a data protection impact assessment would need to be completed before the data is collected and processed.
- The collection of the vaccine information must not result in any unfair or unjustified treatment of employees and if the collection of the information is likely to have a negative consequence for an employee, then an employer must be able to justify it.
- The information should not be held for longer than is necessary and it should not be used in ways employees would not reasonably expect. Employers should be clear on whether vaccination status is being checked on one occasion or whether it is being retained on an employee’s HR file. Any retention of data must be justified and should be regularly reviewed as to whether its continued processing is required.
Certainly, vaccination records should not be collected on a routine basis without sufficient justification, and they should not be unnecessarily or inappropriately relied on. Collection of vaccination data could, indeed, be seen as a health and safety measure in the workplace, but it should not form the only measure in place to protect staff against COVID-19. Employers must make sure to consider all aspects/factors as to why the vaccination data is needed and only if the purpose is unachievable without the vaccination data should it be collected.
For instance, if you have a member of staff who is clinically vulnerable and at greater risk of serious illness if they contracted Coronavirus, and this individual works in an office and shares desk space with a number of other colleagues via hot-desking, it could be that social distancing or providing the individual with a fixed desk that no other staff can use could limit the risk to that employee. Alternatively, if that individual shares an office with another individual and they are in close proximity all day, in those circumstances it might be appropriate to ask for the vaccination status of that specific individual alone, but it would not necessarily be vital to gather the vaccination status of all employees of an organisation to appropriately protect the clinically vulnerable employee.
Whilst it is possible for employers to have a lawful basis and condition for processing vaccination data in the workplace context, the ICO guidance is clear that the circumstances in which vaccination data can be collected in compliance with the legislation are, in fact, limited. The position is not straightforward, and employers should carefully consider whether it is necessary to collect and store the relevant data, including thinking about why they are doing so and whether there are other ways of achieving those aims.
If you are considering collecting the vaccination data of your employees and would like to discuss how to assess what would be considered reasonable in the individual circumstances of your business, or for any other questions arising from this article, or for specific legal advice on particular circumstances, please contact our Partner, Emma Bartlett and Associate, Sophie Rothwell, both of whom specialise in employment and partnership issues for multinational employers, senior executives, partnerships and partners.