Collection of employee vaccination data: Irish and UK regulators take different approaches

By Deborah Margolis, Darren Isaacs and Niall Pelly - 1 July 2021

As we look ahead to the re-opening of workplaces, employers are considering if they can collect employee vaccination data. Whether an individual has been vaccinated or not is health data and is therefore a “special category” for GDPR purposes. As such, employers will need to overcome an additional legal hurdle in order for the processing to be lawful.

The position in Ireland

The Irish data protection regulator, the Data Protection Commission (the “DPC”), has recently published guidance for employers on this subject. The position is as follows:

  • In the absence of clear advice from the Irish public health authorities that employers are required to collect staff vaccination data, the processing of this data is likely to be unnecessary and excessive, for which there is no clear legal basis.
  • This is particularly the case where there is no public health advice about what the purpose of such data collection would be - for example, whether employers would be expected to treat non-vaccinated staff any differently or prevent them from coming into the office.
  • There are some limited situations (i.e. frontline health services) where the government’s guidance has suggested that vaccinations will be considered a necessary safety measure. In those situations, it is likely that an employer will be able to lawfully process vaccination data.
  • In line with government guidance, there are a number of health and safety measures that employers will need to implement, for example physical distancing, hygiene and face-coverings. Bearing in mind the principle of data minimisation, employers should put these measures in place as a starting point before considering whether vaccination status is necessary.
  • The decision whether to get a vaccine is voluntary and prioritised according to age. Collection is therefore unlikely to be necessary or proportionate in the employment context.
  • Even where an employee is required to self-isolate after travel to Ireland, an employer should not ask about an employee’s vaccination status, and instead the employee should only be asked to confirm the day that they will be able to return to work.

The DPC’s guidance is based on the assumption that vaccinations are not required for return to the workplace and the collection of such data is not mandatory for employers. It has recently been reported that the Cabinet, based on advice received from NPHET (the National Public Health Emergency Team), has agreed to postpone the reopening of indoor dining until there is a workable plan for customers to prove their vaccination status. If this proposal comes into force, it remains to be seen whether the public health guidance for employers will also change and in turn whether the DPC’s position will change.

The position in the UK

By contrast, the UK’s data protection regulator, the Information Commissioner’s Office (the “ICO”), has taken a more relaxed approach. The ICO’s view is that “If there is a good reason for collecting information about whether your employee has had the vaccine, there is a lawful basis for processing it”.

Although subject to the same GDPR-based considerations as in Ireland (what the purpose of collection would be and the most recent government/sector guidance, as well as the data protection principles), the ICO’s position is that it is for employers to reach their own conclusion as to whether their reason for recording vaccination status is “clear and compelling”. If an employer has not demonstrated a specified use for collecting this information and it is only being recorded on a “just in case” basis, this is unlikely to be justified. In practice, UK employers will need to take a decision based on relevant factors such as what sector they are in, how their workplace operates (e.g. inside/outside, office/warehouse), how many staff they have, how much face-to-face interaction is required on a daily basis (staff and clients), and how likely their staff are to interact with vulnerable individuals. The ICO will often give employers some degree of latitude in their decision-making, provided the employer keeps a solid written paper trail of how they reached their conclusion and on what basis.

If employers decide that they do need to process vaccination data, they should bear in mind all of the usual data privacy considerations:

  • Ensuring privacy notices are up to date;
  • Ensuring appropriate security and confidentiality measures;
  • Considering how long they will need to retain this data; and
  • Completing a data privacy impact assessment (the ICO considers that this data could result in a high risk to individuals) which will set out in detail the reasons for the decision arrived at.

If you would like more information about this topic, or data privacy more generally, please contact Deborah Margolis and Darren Isaacs (UK) and Niall Pelly (Ireland).