As people begin to return to the workplace, many employers are asking whether they are able to collect information about COVID-19 vaccination status and, if so, how this information may be used.
Whether or not vaccination data may be collected by employers is a hotly debated topic around Europe. Many countries, including France, Germany and Ireland, have issued guidance indicating that employers should not generally collect vaccination data from employees because there is no valid legal reason for doing so (unless there are exceptional circumstances).
Conversely, the Information Commissioner’s Office (ICO) in the UK (along with various other regulators) has suggested that it may be appropriate for employers to collect vaccination data if they have a compelling reason to do so.
In this article, we consider the data protection implications of collecting vaccination data for organisations in the UK.
- Why is data protection relevant?
Collecting information about vaccination status involves the processing of special category personal data, and raises some complex data privacy issues. For example, asking employees whether they have received any COVID-19 vaccinations will involve the processing of special category personal data about those employees.
Employers must ensure that processing of personal data is compliant with data protection law. As part of this, they will need to consider their obligations under the data protection principles set out in the UK General Data Protection Regulation (UK GDPR) before collecting any information.
- How do employers make sure they are processing personal data lawfully?
As a starting point, employers must identify a clear reason as to why it is necessary to collect vaccination data. The ICO is clear that if information is merely being collected on a “just in case” basis (for example, to “get ahead of the game” in case rules change in the future) or you can achieve your purpose without collecting this information, then you are unlikely to be able to justify the collection of vaccination data.
Employers must then identify an appropriate legal basis under Article 6 UK GDPR, before collecting any information, in line with the first data protection principle (lawful, fair and transparent processing). The most appropriate legal basis will depend on the type of organisation, and the reasons why such information is needed. For example, under regulations due to come into force on 11 November 2021, it will be mandatory for persons working or providing professional services in a care home to have the COVID-19 vaccine unless the person has provided clinical reasons as to why they cannot be vaccinated. For care homes, understanding an employee’s vaccination status will be necessary to comply with a legal obligation.
In contrast, where uptake of the vaccine is voluntary, it is less straightforward to identify a legal basis under UK GDPR for processing. For many organisations, the most appropriate legal basis is likely to be that the processing is necessary for the purposes of the legitimate interests pursued by the employer or by a third party. If relying on legitimate interests, you should consider carrying out a legitimate interests assessment (LIA) in order to identify any potential risks. The “public task” legal basis may be available to you if you are a public authority carrying out your functions.
In addition to identifying a legal basis under Article 6, employers will also need to identify an appropriate legal condition from Article 9 UK GDPR for processing special category personal data. In an employment context, the most appropriate condition will likely be that processing is necessary for the purposes of carrying out legal obligations and exercising rights in the field of employment. To rely on this condition, a clear legal obligation or right must be identified. You must also have an appropriate policy document (APD) in place. Alternatively, the public health condition may apply to your organisation if a health professional carries out the processing, or you tell people you are treating their vaccination status as confidential and would only disclose it in clearly defined circumstances.
Where the vaccine is voluntary, steps should be taken to ensure that collection of vaccination data does not lead to negative consequences for individuals (e.g. discrimination against those who choose not to be vaccinated). If you determine this type of processing to be high risk, you must carry out a data protection impact assessment (DPIA).
- What else do we need to consider?
In addition to the lawfulness requirement of the first data protection principle, it is also important to consider your other obligations under data protection law. For example:
- Fairness and transparency: In addition to being lawful, collection of information about employee vaccination status must be fair and transparent. Unless an exemption applies, vaccination data should only be handled in a way that employees would reasonably expect, and they should have the right to be informed about the way in which their personal data is being processed, usually by way of a privacy notice.
- Purpose limitation: It is essential to be clear about your purposes for processing from the start, and vaccination data should not be processed in a way that is incompatible with these purposes. This means employers must be clear about why vaccination data is needed and what it will be used for.
- Accountability: In order to satisfy accountability obligations, it is essential to keep a clear record of the justification for collecting vaccination data, including the lawful basis identified, any risk assessments undertaken, and any objections you receive.
- Data minimisation: Employers must ensure that the personal data processed is adequate, relevant and limited to what is necessary. It is therefore important to ensure that superfluous information is not being collected. If the purpose identified can be achieved by less intrusive means, then collection of vaccine status may amount to excessive processing.
- Data security: Employers will also need to ensure that appropriate security measures are in place to ensure the confidentiality, integrity and availability of vaccination data. Remember, special category data warrants a higher level of protection. Employers should also consider privacy enhancing techniques where appropriate, such as pseudonymisation.
- Checklist for employers considering collecting vaccination data
Unfortunately, there is no quick answer as to whether employers are legally permitted to collect vaccination data. As well as considerations under data protection law, employers must also be mindful of obligations arising under areas such as employment law, equality legislation, and human rights law.
From a data protection perspective, there are some initial steps that employers can take to help achieve compliance:
- Consider the objective you are trying to achieve/purpose for collecting the data: As a first step, consider whether you have a clear reason for collecting vaccination data. Does your organisation really need to know if employees have been vaccinated in order to achieve the objective identified? If not, then the processing may be excessive.
- If you do need to collect vaccination data, can you identify a legal basis under UK GDPR? Consider whether you are able to identify an appropriate legal basis under Article 6 UK GDPR, and also a condition for processing under Article 9 UK GDPR. Make sure to fulfil any additional requirements that must be satisfied (for example, having an APD in place). Depending on the Article 6 legal basis selected, individuals may have a legal right to object to the processing.
- Consider the risks: If relying on the legal basis of “legitimate interests”, carry out an LIA to identify potential risks. If you are concerned about the level of risk posed to employees then consider carrying out a DPIA.
- Be open and transparent: Unless a legal exemption applies, you should update your privacy notices and make sure employees understand their rights (such as the right to object). For example, if you rely upon “public task” or “legitimate interests”, individuals have a right to object and as such, must be informed of this.
- Document everything: Keep clear records, and make sure to document your decision making so that you are able to justify the processing in the event of a complaint.
- If in doubt, just ask: Good data protection compliance cannot be achieved in a day. If you need further advice about whether you can collect vaccination data or how it may be used then please contact a member of our Information Law Team.