Processing COVID 19 Vaccination Data in the context of Employment and the Work Safely Protocol
Version Last Updated: [November] [2021]
As the economy and society continue to open up with the lessening of some COVID-19 restrictions, many employers are seeking to understand what information they need to process in relation to their employees return to the workplace. In particular, the question has been raised as to whether employers can lawfully collect and process information about the COVID-19 vaccination status of their employees.
The advice from public health authorities in Ireland should indicate what data processing is necessary and legitimate in the context of managing COVID-19 in the workplace. The primary source of information in this context is the Work Safely Protocol: COVID-19 National Protocol for Employers and Workers.
The Protocol sets out a number of requirements that will require employers to process personal data. For example, employers should keep a log of contacts to facilitate contact tracing. Employees should also complete a pre-Return to Work form, which contains their personal data. The Protocol does not currently require employers to collect any information regarding vaccination status and this is not required for pre-Return to Work forms.
Employers should only process COVID-19 vaccination data where necessary to achieve a specific, legitimate purpose in line with general and sector-specific public health advice. This guidance document is based upon current public health guidance, and may be subject to change accordingly.
Data Minimisation
The Protocol states that, “Irrespective of the vaccination roll-out, Public Health infection prevention and control measures (such as physical distancing, hand hygiene, face coverings, adequate ventilation), and working from home unless an employee’s physical presence in the workplace is necessary, will all need to remain in place”. The full suite of measures that employers can employ to maintain workplace safety should be considered before making any assessment as to whether knowledge of vaccination status is necessary. In accordance with the principle of data minimisation, employers should implement all such measures that avoid processing the personal data of employees in the first place.
Voluntary Nature of Vaccination
Information about a person’s vaccination status is special category personal data for the purposes of the GDPR. It represents part of their personal health record, and is afforded additional protections under data protection law. The Protocol states that the decision to get a vaccine is voluntary and that individuals will make their own decisions in this regard. This suggests that COVID-19 vaccination should not, in general, be considered a necessary workplace safety measure and consequently, the processing of vaccine data is unlikely to be necessary or proportionate in the most employment contexts.
Specific Employment Contexts
There are some specific employment contexts within which the processing of data revealing vaccination status may be deemed necessary, subject to a risk assessment and with reference to sector-specific public health guidance.
The current version of the Protocol suggests that there are a limited set of circumstances in which vaccination should be offered as a workplace health and safety measure (as provided for under the Safety, Health and Welfare at Work (Biological Agents) Regulations 2013 and 2020).
There may be further situations, such as in the provision of healthcare services, where vaccination can be considered a necessary safety measure, based on relevant sector-specific guidance. For example, the Medical Council’s Guide to Professional Conduct and Ethics for Registered Medical Practitioners states that practitioners “should be vaccinated against common communicable diseases”.
In these various situations, it is possible that an employer will be able to identify a legitimate reason to know whether their employees have been vaccinated or not, for the purposes of managing the health of safety of workers and visitors. Employers should conduct a risk assessment, with reference to any sector-specific public health advice to determine whether the measures that they consider necessary require knowledge of employees’ vaccination status.
Imbalance of Power
The processing of personal data in the context of employment takes place in a situation where there is an imbalance between the data subject (employee) and data controller (employer). Therefore, employees should not be asked to consent to the processing of vaccine data, as this consent is not likely to be freely given. Therefore the processing of vaccine data will require a specific set of circumstances underpinned by a legitimate reason other than consent.
Medical Officer of Health
In the course of carrying out their public health duties under the Infectious Diseases Regulations 1981, as amended, a Medical Officer of Health may require access to the vaccination status of employees. This limited type of processing may occur where an outbreak of COVID-19 has been identified in a workplace, and is specifically permissible under data protection law where carried out on a case-by-case basis, subject to the determination of necessity and at the request of the Medical Officer of Health.
This guidance above will be subject to review if the public health advice and laws relating to the nature of the virus, the pandemic and the interplay with vaccination change. Employers with questions about the collection of vaccine information in their specific sector or in a particular context should have recourse to the most up-to-date public health guidance in the first place.