COVID-19 vaccination status – processing pitfalls

News  |   25 October 2021

A woman working at a computer and wearing a mask

Public Health England research suggests that the COVID-19 vaccination programme has prevented over 30,000 deaths and over 11 million infections. There is further evidence to suggest that the vaccine also prevents those who catch the virus from infecting other people. It is not surprising, therefore, that many employers are now requesting that their employees confirm their vaccination status before entering the workplace with a view to ensuring a healthy and safe working environment.

With a plethora of new laws and regulations introduced since the emergence of COVID-19, it is perhaps all too easy for employers to overlook their data protection obligations.

The General Data Protection Regulation (GDPR) applies to ‘processing’ personal data. If you are merely conducting a visual check of your employees’ vaccination status and do not retain any personal data, this would not constitute ‘processing’ and would fall outside the scope of the GDPR. However, if you plan to make a record of your employees’ vaccination status, then the GDPR would apply – you must have a lawful basis for processing your employees’ vaccination status and should be able to identify a ‘condition for processing’ as set out in Article 9 of the GDPR.

Firstly, as a lawful basis, most employers should be able to rely on the fact that processing an individual’s vaccination status is necessary for the employer’s legitimate interest or the legitimate interests of a third party, unless there is a good reason to protect the personal data which overrides those legitimate interests.

Secondly, given that health data has the more protected status of “special category data” under the GDPR, employers will need to identify an Article 9 condition for processing. There are two main Article 9 conditions which may be relevant:

  • The employment condition - where processing is necessary for the purposes of carrying out obligations in the field of employment law, such as ensuring health, safety and welfare of employees; or
  • The public health condition - where processing is necessary for reasons of public interest in the area of public health.

Finally, to ensure compliance with the relevant data protection legislation, employees should be told why the information relating to their vaccination status is needed, how it will be stored, how long it will be retained and who will be able to access it.

The Information Commissioner’s Office applies a reasonably narrow approach to the recording of employees’ vaccination status in its guidance which states: “Your reason for recording your employees’ vaccination status must be clear and necessary. If you cannot specify your use for this information and are recording it on a ‘just in case’ basis, or if you achieve your goal without collecting this data, you are unlikely to be able to justify collecting it.”

Most data protection policies will need to be reviewed to take account of the above advice. If you have any questions or require our assistance in ensuring compliance with the relevant data protection regulations, please get in touch with a member of our Employment Team on 020 8290 0440.

Related Insights