As we look ahead to the re-opening of workplaces, employers are considering if they can collect employee vaccination data. Whether an individual has been vaccinated or not is health data and is therefore a “special category” for GDPR purposes. As such, employers will need to overcome an additional legal hurdle in order for the processing to be lawful.
The Irish data protection regulator, the Data Protection Commission (the “DPC”), has recently published guidance for employers on this subject. The position is as follows:
The DPC’s guidance is based on the assumption that vaccinations are not required for a return to the workplace and the collection of such data is not mandatory for employers. It has recently been reported that the Cabinet, based on advice received from NPHET (the National Public Health Emergency Team), has agreed to postpone the reopening of indoor dining until there is a workable plan for customers to prove their vaccination status. If this proposal comes into force, it remains to be seen whether the public health guidance for employers will also change and in turn whether the DPC’s position will change.
By contrast, the UK’s data protection regulator, the Information Commissioner’s Office (the “ICO”), has taken a more relaxed approach. The ICO’s view is that “If there is a good reason for collecting information about whether your employee has had the vaccine, there is a lawful basis for processing it”.
Although subject to the same GDPR-based considerations as in Ireland (what the purpose of collection would be and the most recent government/sector guidance, as well as the data protection principles), the ICO’s position is that it is for employers to reach their own conclusion as to whether their reason for recording vaccination status is “clear and compelling”. If an employer has not demonstrated a specified use for collecting this information and it is only being recorded on a “just in case” basis, this is unlikely to be justified. In practice, UK employers will need to take a decision based on relevant factors such as what sector they are in, how their workplace operates (e.g. inside/outside, office/warehouse), how many staff they have, how much face-to-face interaction is required on a daily basis (staff and clients), and how likely their staff are to interact with vulnerable individuals. The ICO will often give employers some degree of latitude in their decision-making, provided the employer keeps a solid written paper trail of how they reached their conclusion and on what basis.
If employers decide that they do need to process vaccination data, they should bear in mind all of the usual data privacy considerations: