Vaccination Passports: the “will they” or “won’t they” of the summer

Vaccination Passports: the “will they” or “won’t they” of the summer

By  Sanika Karandikar and Deborah Margolis – 17 September 2021

“Vaccination passports” have been one of the covid buzz words of the summer. One of the main concerns for employers is whether they will be able to (or required to) check employees’ vaccination records by way of a “passport” upon re-entry to the office.

Not currently in place in England

Although there were plans to put vaccination passports in place for large events, on 12 September 2021, the UK Health Secretary, Sajid Javid, announced that the government was scrapping its proposals for England. In Northern Ireland a covid certification service exists for international travel only and Scotland and Wales are doing their own thing – see below. However, in England, the NHS Covid Pass, which allows users to easily access their vaccination records, remains in operation for foreign travel and can be used (on a voluntary basis) by businesses as a condition to entry.


A few days after this announcement, on 14 September 2021, the government announced that vaccine passports remain on the list of the government’s ‘Plan B’ measures, to be rolled out if the situation with Covid cases worsens over the winter. Much will depend on how the covid statistics play out over the winter, as well as the progress we make with the vaccination and booster programmes.

Meanwhile in Scotland and Wales

In contrast, just a week before the UK abandoned its proposals, the vaccine certification scheme was launched in Scotland. From 1 October 2021, adults in Scotland will have to show that they have had both doses of a Covid vaccine before they are allowed entry into nightclubs and major events. The announcement in Scotland has been met with some concern from industry leaders, with ‘spot checks’ rather than large scale checks being considered as a way to keep large events safe, without being burdensome on businesses. There are currently no indications that Covid passports will be required to gain entry into Scottish workplaces in general, (only if they happen to be nightclubs and major events). In Wales, from 11 October 2021, adults will need to show the NHS Covid Pass as a condition to entry to nightclubs and large-scale events. In contrast to vaccine passports, Wales will have vaccine ‘passes’ instead, meaning people can use a negative lateral flow test to gain entry. First Minister Mark Drakeford has ruled out passes being used for public services.

The European approach

Similarly, several EU member states are operating the ‘EU Digital COVID certificate’ scheme – the details of which are outlined here. In Italy, for example, the certificate allows travel within the EU, but must also be presented to access rail, air transport and workplace canteens. Other EU member states are also operating certificate schemes both for travel and for accessing domestic venues. For a summary of the approach of EMEA jurisdictions towards vaccine passports and other Covid-related restrictions, please request a copy of our EMEA ‘At a glance’ guide here.

What does this mean for employers?

With the government’s announcement this week, it seems unlikely there will be a vaccine passport scheme rolled out for other indoor venues, including workplaces, in the near future, however this is a fast-developing area, and it is not inconceivable that we will see it in future.

In the event that employers are processing vaccination records for entry into the workplace, there are a number of data privacy considerations employers would need to take into account when collecting employee health data (which is considered special category data under the GDPR), including:

  • Ensuring a legal basis for processing – the most likely bases would be compliance with legal obligations and “substantial public interest”. Helpfully for employers, the ICO guidance states that if businesses simply conduct a visual check and do not scan a QR code and do not store the information in any way, this does not amount to “processing” personal data.
  • Complying with the general data protection principles – in particular, employers should ensure that the minimum data is collected for its use, that data is not kept any longer than necessary. Privacy notices should also be updated accordingly to inform employees why their data is being processed, who has access to it and how it will be stored.
  • Carrying out a data privacy impact assessment – the ICO considers that the processing of this data could result in a high risk to individuals, and any DPIA should set out in detail the reasons for the decision arrived at.
  • Ensure data is kept securely and is confidential.

This is a constantly changing area in terms of government policy and guidance, so watch this space!

For any questions, please get in touch with Deborah MargolisSanika Karandikar or your normal GQ|Littler contact.