As the vaccination programme across EMEA continues at pace and workplaces start to re-open, employers are increasingly interested in whether they can collect employee vaccination data. In the UK, the government has met its target to offer all adults a first dose of a Covid-19 vaccine by 19 July 2021 and an NHS Covid pass has been tentatively introduced as a proof of vaccination status.
Whether an employee has had a vaccine is health data and is therefore ‘special category’ data for GDPR purposes. In the UK, the ICO has taken a relatively relaxed approach to employers collecting vaccination data and has taken the view that ‘if there is a good reason for collecting information about whether your employee has had a vaccine, there is a lawful basis for processing it’. Employers should ensure they have demonstrated a specified use for collecting this information and that they are not recording information solely on a ‘just in case’ basis. For more analysis on the UK and Irish regulators’ approach to collecting vaccination data, see here.
Across EMEA, the legal position varies depending on the jurisdiction and employers should consider if they have any legal basis to collection vaccination data from employees, considering in particular general data privacy principles, confidentiality and data retention. Common issues flagged by our EMEA Littler colleagues are as follows:
Vaccination Incentives: often if the employer is offering an incentive (e.g. a bonus), the employer can reasonably ask to see a proof of vaccination document from employees who have accepted the bonus.
In our traffic light table below, we outline the approach to collection in several EMEA jurisdictions, giving each a ‘low’, ‘medium’ and ‘high’ risk rating. For a more detailed analysis per jurisdiction please contact Sophia Cheraitia for a copy of our Covid-19: EMEA Lockdown Restrcitions Guide.