Data Protection issues associated with tracking and recording vaccinated employees

  • Posted

As the rollout of the COVID-19 vaccines continues, there are several questions facing businesses for the foreseeable future. These include:

  • Can I ask employees if they have been vaccinated?
  • Can I tell employees who has, and who hasn’t, been vaccinated?
  • Can I retain information about who has, and who hasn’t, been vaccinated?

It has been reported that just over half of HR leaders intend to track coronavirus vaccinations amongst their employees. However, in doing so, does this breach data protection laws? Are there any procedures that an employer needs to follow?

Information relating to an employee’s health falls into special category personal data. As such, in accordance with the Data Protection Act 2018, the employer must identify a lawful basis for processing the data and a condition for processing it. Employers need to be clear about what they are trying to achieve and how recording this data will help in doing so. The reason for recording the vaccination status of employees must be “clear and compelling” not “just in case”.

Consideration should be given to the industry or sector in which the employer operates, the type of work undertaken and whether there are any specific health and safety risks in that workplace. The Information Commissioners Office (ICO) recommend that the latest government guidance and scientific advice concerning the vaccine rollout and COVID-19 restrictions is regularly reviewed.

If an employer has good reason for collecting this information, then there is a lawful basis for processing it.

In addition to there being a lawful basis for processing this data, given it falls into the category of special category personal data, an employer must also identify a condition for processing the data in accordance with Article 9. Two conditions that could be relied on in this instance are (1) the employment condition or (2) the public health condition. If an employer relies on the latter, then a health professional must carry out the processing or ensure that employees are told their vaccination status is being treated as confidential.

Taking all this into account, the question of whether an employer can collect and retain data about whether employees have been vaccinated will depend on whether there is a lawful basis for processing this information and whether there is a condition for processing this information. This will, as so often, be considered on a case by case basis.

In terms of an employer telling staff who has and has not been vaccinated, the employer maintains a duty of confidentiality with its employees and should not, as a matter of course, disclose information about specific employees to other employees unless there is a legitimate or compelling reason to do so.

If you have any queries regarding this or any other employment matter, please do not hesitate to contact a member of the team.