Covid Vaccination Status and Data Protection in the Workplace - MLP Law

Covid Vaccination Status and Data Protection in the Workplace

September is less than a week away, meaning the return of schools will coincide with the increasing return of employees to their physical workplaces, likely resulting in an increase in Covid cases.  Indeed, Scotland is currently seeing such increases already, with the return to school having taken place over a week ago.  It is therefore […]

Covid Vaccination Status and Data Protection in the Workplace

September is less than a week away, meaning the return of schools will coincide with the increasing return of employees to their physical workplaces, likely resulting in an increase in Covid cases.  Indeed, Scotland is currently seeing such increases already, with the return to school having taken place over a week ago.  It is therefore clear that Covid continues to pose a risk in society generally and employers will understandably wish to impose certain measures in response to help reduce that risk.  We will therefore examine if one such measure can include keeping records detailing whether or not employees have had a Covid vaccination and the related data protection issues associated with collating that information.

It is key to note that this is not a reframing of the ‘no jab, no job’ debate.  Instead, the focus is on the ability of an employer to note the vaccination status of each member of staff and then use that information during the course of the individual’s employment (for instance, to determine access to the workplace).

Employers are certainly not obliged to check if staff have had the Covid vaccine (except in care homes from 11 November 2021, when it will be compulsory for staff to have the vaccine unless medically exempt) but it is understandable that employers may wish to know this information, not least because it assists with workplace health and safety risk assessments and helps to avoid business disruption.

In keeping records regarding the vaccination status of staff – either through the NHS Covid Pass or through other means – the employer is processing special category health data and must comply with data protection legislation.

The ICO (Information Commissioner’s Office) has released updated guidance on vaccination status checks from a data protection perspective.  In essence, to comply with data protection laws, employers are required to do the following:

● Identify the legal basis for collecting the data
● Carry out a data protection impact assessment
● Respect the principles of transparency, proportionality and security

Legal Basis for Collecting Data
The principal issue that employers should consider is what they seek to achieve by asking staff for their vaccination status.  The safest legal bases to rely upon will be compliance with legal obligations and/or ‘substantial public interest’.  This means that if the employer is trying to achieve the aim of preventing the spread of the virus and complying with its duty of care to its employees that will be more likely to be justifiable than, for example, customer or staff preference or boosting confidence.  Employers should ensure that its aims are clear and necessary and that those aims could not be met without collecting the data; it is unlikely to be able to justify collecting the information ‘just in case’.

Specific factors that should therefore be considered by employers before deciding to record employee’s vaccination status include:

● The sector the business operates in, the kind of work its staff do and the health and safety risks in its workplace –  are staff working with the clinically vulnerable or in an environment where they are more likely to encounter those infected with Coronavirus.
● The collection of this information must not result in any unfair or unjustified treatment, and should only be used for purposes people would reasonably expect.  The business should treat people fairly and if the collection of this information is likely to have a negative consequence for an individual, the organisation must be able to justify it.
● If the use of this data is likely to result in a high risk to individuals (e.g denial of employment opportunities or services) then the employer will need to complete a Data Protection Impact Assessment before it starts processing the data.

Taking these factors into account, an example where a business may be able to justify checking employees’ vaccination status would be where some roles required international travel.  In those circumstances, the employer may be able to justify requiring to know which employees have had both vaccine doses to allow it to allocate certain assignments or projects to those individuals, where international travel is necessary.

Data Protection Impact Assessment
This sets out the proposed ways that data will be processed, the risks to data subjects, and the ways in which such risks will be mitigated (e.g, by limiting the number of people who have access to the record, only keeping records for as long as they are necessary and complying with the other GDPR principles).

Transparency, Proportionality and Security

Employers need to be open with staff about:

● How they will store the information
● How long it will be kept
● Who will have access to it
● How it can be updated or corrected

Should an employer wish to undertake such vaccination status checks, they may also require to update their privacy notice to reflect that approach.

In short, employers can check and record the vaccination status of staff but it is not a step that should be taken lightly or without evidence of the decision-making process and justification for doing so in light of each business’s particular circumstances.

If you have any questions please contact the MLP Law Employment team at employment@mlplaw.co.uk or 0161 926 9969. Please also keep an eye out on our Twitter feed @HRHeroUK and for our regular blogs on all things Employment Law and HR.

Family Law Services

Have a question?

Simply complete the form below and one of
our experienced team we will be in touch soon.