[co-author: Allegra Dowley]

In this OnPoint we report on the data protection implications of collecting personal data concerning employees’ vaccination status.

Introduction

Employers formulating return to work plans for their employees in accordance with the UK Government’s Roadmap out of Lockdown will need to consider the relevant health and safety requirements, their contractual rights and obligations (as well as those of their employees), employment law and the latest Government guidance for their sector. Whilst many organisations will draw the line at implementing a “no jab no job policy”, they may want to establish which of their employees have been vaccinated against COVID-19, bringing into play important data protection considerations.

Employers considering collecting vaccination status data for their employees should have regard to the ICO’s guidance on this topic which also contains advice for those employers considering sharing their employees’ data with public health authorities or other relevant bodies wishing to invite their staff to have the COVID-19 vaccination.

The main points to note from the ICO’s guidance are as follows:

1. Establish the purpose of the processing

The ICO advises that, before employers decide to collect their employees’ vaccination status data, they should be clear about what they are trying to achieve and how collecting this data will assist them in that objective. This is in keeping with the second and third principles relating to the processing of personal data set out in Article 5 of the UK General Data Protection Regulation (the UK GDPR) - that personal data should be collected for specified legitimate purposes and that it should be relevant and limited to what is necessary in relation to the purpose for which it is processed.

The sector in which an organisation operates, the type of work it does and associated health and safety risks are likely to be relevant considerations when considering the justification for storing employees’ vaccination status data. Examples of instances which the ICO considers may justify collecting this type of data are:

• if the employees work in social or health care or are likely to come into contact with individuals who have COVID-19; or
• if employees could pose a risk to clinically vulnerable people.

If an employer would be able to achieve its stated aim without collecting this data, or is collating the data for monitoring purposes only, the processing is unlikely to be justified.

2. Determine and record the lawful basis for processing

Once employers have concluded that there is a legitimate purpose for processing vaccination status data, they must determine if there is a lawful basis under Article 6 of the UK GDPR for processing this data. Consent will rarely be an appropriate basis for processing in an employment context, due to the perceived imbalance of power between employers and employees. Consent also has practical limitations given that under data protection legislation it can be withdrawn at any time. For private sector employers, the basis on which processing by an employer is most likely to be justifiable is its “legitimate interests” – i.e. that

processing is necessary for the purposes of the legitimate interests pursued by the data controller except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data

This will involve the employer carrying out what the ICO describes as a “light touch risk assessment” to ensure that its employees’ interests do not override its interests in processing vaccination status data. The employer should also keep a record of the outcome of that risk assessment.

3. Particular considerations for “special category” data

Vaccination status constitutes data concerning health and will therefore be categorised as special category data for the purposes of the UK GDPR. As a result, in addition to a lawful basis for processing for the purposes of Article 6 (as described above), an employer will need to justify its processing of vaccination status data on the basis of one of the conditions for processing of special category data set out in Article 9 of the UK GDPR. The ICO suggests that the two conditions most likely to be relevant in this context are that:

• processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law (the “employer condition”); or
• processing is necessary for reasons of public interest in the area of public health (the “public health condition”).

The Data Protection Act 2018 (DPA 2018) provides that, in order to rely on the public health condition, the processing must be carried out either by or under the responsibility of a health professional or by someone else who, in the circumstances, owes a legal duty of confidentiality. Since it is likely to be difficult for an employer to meet these criteria, the employer condition may be more appropriate. However, it is important to remember that, under the DPA 2018, if an employer is relying on this Article 9 condition, it must have a policy document in place outlining its compliance measures and retention policies for special category data.

4. Avoid unfair or unjustified treatment

The ICO points out that the collection of vaccination status data should not result in the unfair or unjustified treatment of an employee and employers should be alive to the risk of potential discrimination complaints in this regard.

If the use of vaccination status data is likely to result in a high risk to individuals (e.g. denial of employment opportunities), employers will need to complete a data protection impact assessment, a process designed to help employers to systematically analyse, identify and minimise the data protection risks of a particular project or plan.

5. Ensure transparency, accuracy, confidentiality and security of processing

Employees should understand their employer’s reason for collecting vaccination status data and how the data will be used, to ensure compliance with the requirement under the UK GDPR to process data in a transparent manner. In addition, employers should ensure that they:

• comply with any duty of confidentiality owed to their employees and that this data is not routinely disclosed within the organisation, unless there is a legitimate and compelling reason to do so;
• record the data accurately (which is particularly important where health data is concerned);
• store the data securely;
• consider the appropriate retention period for the data; and
• regularly review whether they still have grounds for retaining this data, as more people are vaccinated in-line with the Government’s vaccine roll-out plans.

Conclusions

The ICO clearly appreciates the potential need for employers to process vaccination status data. Subject to consideration of their own specific circumstances and the required data protection impact assessment, employers may be entitled to conclude that they have a legitimate basis upon which to collect vaccination status data in light of their obligations to conduct risk assessments and take appropriate health and safety measures with regard to the workplace. Nonetheless employers must ensure that they process this special category data in a way that is compliant with the UK’s data protection legislation and will almost certainly need to update their employee privacy notice and re-circulate it to employees, ensuring compliance with the principle of transparency of processing.