Processing COVID 19 Vaccination Data in the context of Employment and the Work Safely Protocol

Version Last Updated: [November] [2021]

As the economy and society continue to open up with the lessening of some COVID-19 restrictions, many employers are seeking to understand what information they need to process in relation to their employees return to the workplace. In particular, the question has been raised as to whether employers can lawfully collect and process information about the COVID-19 vaccination status of their employees.

The advice from public health authorities in Ireland should indicate what data processing is necessary and legitimate in the context of managing COVID-19 in the workplace. The primary source of information in this context is the Work Safely Protocol: COVID-19 National Protocol for Employers and Workers.

The Protocol sets out a number of requirements that will require employers to process personal data. For example, employers should keep a log of contacts to facilitate contact tracing. Employees should also complete a pre-Return to Work form, which contains their personal data. The Protocol does not currently require employers to collect any information regarding vaccination status and this is not required for pre-Return to Work forms.

Employers should only process COVID-19 vaccination data where necessary to achieve a specific, legitimate purpose in line with general and sector-specific public health advice. This guidance document is based upon current public health guidance, and may be subject to change accordingly.

Data Minimisation

The Protocol states that, “Irrespective of the vaccination roll-out, Public Health infection prevention and control measures (such as physical distancing, hand hygiene, face coverings, adequate ventilation), and working from home unless an employee’s physical presence in the workplace is necessary, will all need to remain in place”. The full suite of measures that employers can employ to maintain workplace safety should be considered before making any assessment as to whether knowledge of vaccination status is necessary. In accordance with the principle of data minimisation, employers should implement all such measures that avoid processing the personal data of employees in the first place.

Voluntary Nature of Vaccination

Information about a person’s vaccination status is special category personal data for the purposes of the GDPR. It represents part of their personal health record, and is afforded additional protections under data protection law. The Protocol states that the decision to get a vaccine is voluntary and that individuals will make their own decisions in this regard. This suggests that COVID-19 vaccination should not, in general, be considered a necessary workplace safety measure and consequently, the processing of vaccine data is unlikely to be necessary or proportionate in the most employment contexts.

Specific Employment Contexts

There are some specific employment contexts within which the processing of data revealing vaccination status may be deemed necessary, subject to a risk assessment and with reference to sector-specific public health guidance.

The current version of the Protocol suggests that there are a limited set of circumstances in which vaccination should be offered as a workplace health and safety measure (as provided for under the Safety, Health and Welfare at Work (Biological Agents) Regulations 2013 and 2020).

There may be further situations, such as in the provision of healthcare services, where vaccination can be considered a necessary safety measure, based on relevant sector-specific guidance. For example, the Medical Council’s Guide to Professional Conduct and Ethics for Registered Medical Practitioners states that practitioners “should be vaccinated against common communicable diseases”.

In these various situations, it is possible that an employer will be able to identify a legitimate reason to know whether their employees have been vaccinated or not, for the purposes of managing the health of safety of workers and visitors. Employers should conduct a risk assessment, with reference to any sector-specific public health advice to determine whether the measures that they consider necessary require knowledge of employees’ vaccination status.

Imbalance of Power

The processing of personal data in the context of employment takes place in a situation where there is an imbalance between the data subject (employee) and data controller (employer). Therefore, employees should not be asked to consent to the processing of vaccine data, as this consent is not likely to be freely given. Therefore the processing of vaccine data will require a specific set of circumstances underpinned by a legitimate reason other than consent.

Medical Officer of Health

In the course of carrying out their public health duties under the Infectious Diseases Regulations 1981, as amended, a Medical Officer of Health may require access to the vaccination status of employees. This limited type of processing may occur where an outbreak of COVID-19 has been identified in a workplace, and is specifically permissible under data protection law where carried out on a case-by-case basis, subject to the determination of necessity and at the request of the Medical Officer of Health.

This guidance above will be subject to review if the public health advice and laws relating to the nature of the virus, the pandemic and the interplay with vaccination change. Employers with questions about the collection of vaccine information in their specific sector or in a particular context should have recourse to the most up-to-date public health guidance in the first place.

With the roll out of the COVID-19 vaccine across the country, it is important for employers to consider their role in the process and the potential impact for their workforce. Here are the answers to some of the questions which might arise in the coming months.

Can an employer require its employees to be vaccinated?

The short answer is no. There is high legal risk in mandating that employees be vaccinated. We all have a right to privacy, autonomy, and bodily integrity under the Constitution. The right to bodily integrity is the right to protect our bodies from unjustifiable interference.

If there are people who do not want or cannot have the vaccine on grounds of religion or for medical reasons, employers must recognise that these are protected grounds under employment equality legislation. An employer may fall foul of discrimination against an employee in that context.

There is nothing stopping an employer from actively encourage its employees to receive the vaccine and it may even facilitate this in the workplace by arranging a health professional to administer the vaccine at a time that suits the employee.

At present, we are in a state of flux and there is a lot of unanswered questions which may, over time, be legislated for. For now, it is an area that must be kept under review by all employers.

Can an employer ask an employee if they have been vaccinated?

Technically no, an employer cannot ask an employee if they have or have not been vaccinated in the same way that an employer cannot ask an employee what their marital status or sexual orientation is. This is an extremely sensitive issue which requires careful consideration and planning by the employer. Employees have privacy and data protection rights that must be respected, and an employer would need to have a very strong justification for requiring an employee to disclose this information. However, there is nothing stopping an employee from volunteering this information up to their employer.

We expect that the Data Protection Commissioner will issue guidance at some stage on what information an employer can ask for and collect in respect of is employees and the COVID-19 vaccine. Until such time as further guidance is issued, it is recommended that employers only collect the minimum amount of data that is necessary to implement COVID-19 measures in the workplace.

Can an employer discipline or dismiss an employee for not disclosing that they are vaccinated or for refusing to be vaccinated?

Disciplining or dismissing an employee for not getting the COVID-19 vaccine or for not disclosing if they have had the vaccine would leave the employer exposed to legal action being taken by the employee against the employer.

Where an employee is not vaccinated, for whatever reason, the employer must explore all reasonable alternatives for that employee to continue to work safely, such as a working from home arrangement.

Do employees have a right to know if their colleagues have been vaccinated?

No, employees do not have a right to know if their colleagues have been vaccinated and will be at the mercy of their colleagues in this regard. An employee cannot be treated adversely, by their colleagues or employer, for not having the vaccine.

How do I provide a safe place to work in circumstances where some employees are not vaccinated?

It is important for employers to always follow public health guidance. The Government issued The Work Safely Protocol (November 2020) which provides information to employers on measures that need to be implemented to ensure that workplaces can operate safely. We expect that there will be an update to this protocol in light of the COVID-19 vaccine roll out.