Collecting vaccination data across EMEA

As the vaccination programme across EMEA continues at pace and workplaces start to re-open, employers are increasingly interested in whether they can collect employee vaccination data. In the UK, the government has met its target to offer all adults a first dose of a Covid-19 vaccine by 19 July 2021 and an NHS Covid pass has been tentatively introduced as a proof of vaccination status.

Whether an employee has had a vaccine is health data and is therefore ‘special category’ data for GDPR purposes. In the UK, the ICO has taken a relatively relaxed approach to employers collecting vaccination data and has taken the view that ‘if there is a good reason for collecting information about whether your employee has had a vaccine, there is a lawful basis for processing it’. Employers should ensure they have demonstrated a specified use for collecting this information and that they are not recording information solely on a ‘just in case’ basis. For more analysis on the UK and Irish regulators’ approach to collecting vaccination data, see here.

Across EMEA, the legal position varies depending on the jurisdiction and employers should consider if they have any legal basis to collection vaccination data from employees, considering in particular general data privacy principles, confidentiality and data retention. Common issues flagged by our EMEA Littler colleagues are as follows:

Vaccination Incentives: often if the employer is offering an incentive (e.g. a bonus), the employer can reasonably ask to see a proof of vaccination document from employees who have accepted the bonus.

• Consent: in several jurisdictions, the employee’s explicit consent is required to process sensitive data, and this consent is required to be ‘freely given’ which may be problematic given the imbalance in the employer-employee relationship. Therefore, consent remains a shaky legal basis on which to collect vaccination data.
• Data Retention: in certain jurisdictions employers are not permitted to store or make copies of proof of vaccination documents, although they may request an employee to display a proof document as a ‘one off’. Employers should take care not to store the information for any longer than necessary, in line with general data privacy principles.
• Confidentiality/Privacy: generally employers should ensure they have systems in place to store vaccination data securely and collecting this data in certain jurisdictions where vaccination is not mandatory could be seen as an affront to an employee’s right to privacy and freedom to choose.

In our traffic light table below, we outline the approach to collection in several EMEA jurisdictions, giving each a ‘low’, ‘medium’ and ‘high’ risk rating. For a more detailed analysis per jurisdiction please contact Sophia Cheraitia for a copy of our Covid-19: EMEA Lockdown Restrcitions Guide.

KEY

 

Jurisdiction