Data Protection & Privacy Law Archives - MLP Law

Coronavirus and the GDPR

Back in 2018, the shakeup of the UK data protection regime brought in by the GDPR was seemingly all anyone in business was talking about. Now in 2021, it’s fair to say that the COVID-19 pandemic has replaced almost any other topic of conversation. However, the two topics are not entirely distinct, with the pandemic throwing up a number of challenging data protection considerations for employers, specifically in relation to the processing of health information relating to employees.

We have therefore decided to explore some of these issues in two separate blogs which analyse the two key situations which can result in employers needing to process their employees’ health information during the COVID-19 pandemic.

This blog covers scenarios where data processing is required in respect of employees who are absent from work due to coronavirus symptoms or because they are self-isolating in accordance with government guidance. Please look out for our other blog on Coronavirus and the GDPR, which covers data protection issues which arise when employers carry out workplace coronavirus testing and symptom monitoring programmes.

The processing of health information involves “special category data” under the GDPR, which means an employer must ensure that they have both a lawful condition for processing personal data and a “specific condition” for processing special category data, and this blog explores how an employer can demonstrate these required conditions.

Employee absences due to coronavirus and workplace outbreaks

If an employee is unwell due to coronavirus, the usual processing of health information will be required in order to record the absence and pay sick pay. However, additional processing may be required depending on the employee’s specific situation.

For example, an employee who receives a positive coronavirus test will be “encouraged” to alert the people that they have had close contact with in the 48 hours before the onset of symptoms. If this includes their work colleagues, the employee is also encouraged under the relevant government guidance to consider informing their employer so that their colleagues can be alerted.

If an employer is asked by an employee to alert their co-workers, ideally this should be done on an anonymous basis, although there will inevitably be situations where it will be easy to identify the employee who has tested positive.

Generally, however, it will be the responsibility of NHS Test and Trace rather than employers to alert close contacts of an individual who has tested positive for coronavirus, even if the close contacts are work colleagues. The exception to this is where there is more than one case of coronavirus associated with a particular workplace (i.e. where there is a “workplace outbreak”).

Where there is a workplace outbreak, the employer must contact its local PHE health protection team to report the suspected outbreak. If the local PHE health protection team declares an outbreak, the employer will be asked to record details of symptomatic staff and assist with identifying contacts.

The employer will be assisted with this by PHE, who will provide information about the outbreak management process and how to implement control measures, communicate with staff and reinforce prevention messages.

As for the lawful and specific conditions for processing health information and other personal data relating to employees in these circumstances, it is likely to be regarded as falling within the employer’s duties under health and safety legislation, in which case the employer is likely to be able to rely on their need to “comply with a legal obligation” and “compliance with their obligations and rights under employment law” as lawful conditions.

Employees absent due to self-isolation

Throughout the pandemic, most employers are likely to have employees who are required to self-isolate, for example because they are a close contact of someone who has tested positive or they have travelled to England from abroad. An employee may also be self-isolating where they have symptoms of coronavirus, or have tested positive, but are nevertheless well enough to work from home (and it is possible for them to do so).

If an employee is self-isolating (for whatever reason) and cannot work from home, they will be eligible for SSP and the employer will need to process this in the usual way.

If it is necessary to process health information because an employee is self-isolating, the lawful and specific conditions for that processing may vary depending on the reason for self-isolation. For example:

  • if the employee is self-isolating because they have travelled to England from abroad, this is a legal requirement and arguably the conditions of “compliance with a legal obligation” and “compliance with obligations and rights under employment law” should apply;
  • if the employee is self-isolating because they have symptoms of coronavirus, have tested positive, or are a close contact of someone who has tested positive, these obligations are set out in non-statutory guidance only and so it is not clear that the conditions of “compliance with a legal obligation” or “compliance with obligations and rights under employment law” would apply. However, an employer might be able to assert that ensuring that employees self-isolate in these circumstances falls within the employer’s duty under health and safety legislation, and on this basis those conditions would arguably apply.

Employees unwilling or unable to return to work

Employees who are clinically vulnerable or clinically extremely vulnerable (or those who live with someone who is), as well as those who are otherwise anxious about contracting coronavirus, may be unable and/or reluctant to return to work.

Dealing with these situations may require meetings and correspondence between the employee, their manager and HR. They may also involve requests for medical reports. Depending on the circumstances, employers processing health information for these purposes may wish to rely on the following:

  • as a lawful condition for processing: “compliance with a legal obligation” or “the employer’s legitimate business interests”, and
  • as a specific condition for processing: “compliance with obligations and rights under employment law” or “establishment, exercise or defence of legal claims”.

If you have any concerns about your rights and obligations when it comes to processing employee health information during the pandemic, please get in touch with the MLP Law Employment team on 0161 926 9969. Please also keep an eye out on our Twitter feed @HRHeroUK and for our other blog in this series.

Covid Vaccination Status and Data Protection in the Workplace

September is less than a week away, meaning the return of schools will coincide with the increasing return of employees to their physical workplaces, likely resulting in an increase in Covid cases.  Indeed, Scotland is currently seeing such increases already, with the return to school having taken place over a week ago.  It is therefore clear that Covid continues to pose a risk in society generally and employers will understandably wish to impose certain measures in response to help reduce that risk.  We will therefore examine if one such measure can include keeping records detailing whether or not employees have had a Covid vaccination and the related data protection issues associated with collating that information.

It is key to note that this is not a reframing of the ‘no jab, no job’ debate.  Instead, the focus is on the ability of an employer to note the vaccination status of each member of staff and then use that information during the course of the individual’s employment (for instance, to determine access to the workplace).

Employers are certainly not obliged to check if staff have had the Covid vaccine (except in care homes from 11 November 2021, when it will be compulsory for staff to have the vaccine unless medically exempt) but it is understandable that employers may wish to know this information, not least because it assists with workplace health and safety risk assessments and helps to avoid business disruption.

In keeping records regarding the vaccination status of staff – either through the NHS Covid Pass or through other means – the employer is processing special category health data and must comply with data protection legislation.

The ICO (Information Commissioner’s Office) has released updated guidance on vaccination status checks from a data protection perspective.  In essence, to comply with data protection laws, employers are required to do the following:

● Identify the legal basis for collecting the data
● Carry out a data protection impact assessment
● Respect the principles of transparency, proportionality and security

Legal Basis for Collecting Data

The principal issue that employers should consider is what they seek to achieve by asking staff for their vaccination status. The safest legal bases to rely upon will be compliance with legal obligations and/or ‘substantial public interest’. This means that if the employer is trying to achieve the aim of preventing the spread of the virus and complying with its duty of care to its employees, that will be more likely to be justifiable than, for example, customer or staff preference or boosting confidence. Employers should ensure that their aims are clear and necessary and that those aims could not be met without collecting the data; they are unlikely to be able to justify collecting the information ‘just in case’.

Specific factors that should therefore be considered by employers before deciding to record employees’ vaccination status include:

● The sector the business operates in, the kind of work its staff do and the health and safety risks in its workplace: are staff working with the clinically vulnerable or in an environment where they are more likely to encounter those infected with Coronavirus?
● The collection of this information must not result in any unfair or unjustified treatment, and should only be used for purposes people would reasonably expect. The business should treat people fairly and if the collection of this information is likely to have a negative consequence for an individual, the organisation must be able to justify it.
● If the use of this data is likely to result in a high risk to individuals (e.g. denial of employment opportunities or services) then the employer will need to complete a Data Protection Impact Assessment before it starts processing the data.

Taking these factors into account, an example where a business may be able to justify checking employees’ vaccination status would be where some roles required international travel. In those circumstances, the employer may be able to justify needing to know which employees have had both vaccine doses to allow it to allocate certain assignments or projects to those individuals, where international travel is necessary.

Data Protection Impact Assessment

This sets out the proposed ways that data will be processed, the risks to data subjects, and the ways in which such risks will be mitigated (e.g. by limiting the number of people who have access to the record, only keeping records for as long as they are necessary and complying with the other GDPR principles).

Transparency, Proportionality and Security

Employers need to be open with staff about:

● How they will store the information
● How long it will be kept
● Who will have access to it
● How it can be updated or corrected

Should an employer wish to undertake such vaccination status checks, they may also need to update their privacy notice to reflect that approach.

In short, employers can check and record the vaccination status of staff but it is not a step that should be taken lightly or without evidence of the decision-making process and justification for doing so in light of each business’s particular circumstances.

If you have any questions please contact the MLP Law Employment team on 0161 926 9969. Please also keep an eye out on our Twitter feed @HRHeroUK and for our regular blogs on all things Employment Law and HR.