There is an ongoing debate in government and legal circles about whether employees can be required to have a Covid-19 jab. Some employers are already considering whether to require employees to provide information about their Covid vaccination status as part of their risk assessment.
Employers need to bear in mind the risk of complaints being made to the Information Commissioners Office (ICO). Vaccination data is a special category of personal data as it is health information and particular care needs to be taken.
The ICO has recently provided guidance on its website on vaccination. The first thing an employer should do is be clear about what they are trying to achieve by recording such information about employees. The use of the data must be fair, necessary and relevant for a specific purpose. Staff members need to be told about what personal data is required, who it will be shared with, how long it will be kept and what decisions will be made using that data.
There is a requirement to identify a lawful basis under Article 6.1 and a condition for processing under Article 9 of the General Data Protection Regulation (GDPR).
Post GDPR, there is less emphasis on consent as a condition of processing in the employment context. This is because consent may not be freely given as employers will often feel that they have no choice. A more appropriate basis is that there is a legitimate interest. In addition to a legitimate interest it has to be necessary to achieve this interest taking into account the interests, rights and freedoms of the employees.
The ground for processing could be that it is necessary for the performance and rights and obligations in connection with employment. Obligation here would be to ensure health and safety and welfare of workers and clients or service users.
In the guidance the ICO states that there needs to be a “clear compelling” reason for collecting the information. This may be easier to establish in a sector such as health and social care where there is exposure to clinically vulnerable individuals than in workplaces where this is not the case.
Another data protection requirement is only to hold data for as long as necessary. This is something to be kept under review as the vaccine is rolled out and (science willing) the pandemic abates.
While the data is held, care also needs to be taken about how it is used and how widely it is circulated. It should be securely held and only circulated among those who need to know. There would have to be a clear and compelling reason to disclose vaccine status to colleagues.
A sensible piece of advice could be to inform employees that not all of their colleagues have been vaccinated so that they are aware of potential risk of this.