If you follow the German sports news, then you might have noticed in the last few weeks that there has been a bit of a media storm surrounding the footballer Joshua Kimmich (the Germany and Bayern Munich midfielder). In a nutshell: the German news publication Das Bild published the fact that Kimmich is not currently vaccinated against Covid-19, Kimmich then went live on Sky to explain his position (that he is “vaccine-hesitant”, not an “anti-vaxxer”), and all of this has resulted in a media furore and an avalanche of public criticism aimed directly at Kimmich. It all escalated very quickly.
I’m not particularly interested in any discussion about whether Kimmich should be vaccinated or not – we’ve all had enough of talking about that. However, I did find it interesting that this was in the news in the first place, especially given how sensitive sports clubs in the UK have been to protect their players’ identities when discussing vaccine take-up. It’s worth mentioning that this probably shouldn’t have become a news story at all – Das Bild published the story without Kimmich’s permission before it was public knowledge that he was unvaccinated, on the basis that it was in the public interest. This made me think: how did Das Bild get hold of this information, and what would the implications have been if this had happened within an employment context, i.e. if Bayern Munich (Kimmich’s employer) had released this information without Kimmich’s consent?
Over the last year, employment lawyers have spent a lot of time talking with their clients about the challenges they face if they want to collect data about employees’ vaccination status. Under EU and UK data protection laws, an employee’s vaccination status qualifies as “special category” personal data. In basic terms this means employers have to be extra careful to ensure that, in addition to having a ‘standard’ lawful reason for processing ‘ordinary’ personal data, they also have a lawful reason under one of the additional gateways applicable to special category data. In the context of collecting vaccination data, that means employers have to evaluate whether they have the correct lawful basis for processing that data before collecting it – but what is often forgotten is that they should also be extra careful about how they process such data once it has been collected. Even if an employer is able to demonstrate that it has a good, legal reason for keeping a record of which of its employees have been vaccinated, if that information were compromised and somehow fell into the wrong hands, or if the employer used the information in an unauthorised way, the employer could be in breach of data protection laws… and breaching data protection laws can be expensive.
This may partly explain why, in the UK, so many sports coaches, managers etc. are so tight-lipped about which of their players are vaccinated and unvaccinated. While the club may have a lawful basis for collecting data about their athletes’ vaccination status, the club still has a responsibility to safeguard that information (the integrity and confidentiality principle, Article 5(1)(f) GDPR) and to ensure the information is only used for the purpose for which it was originally collected (the purpose limitation principle, Article 5(1)(b) GDPR), as well as the other data protection principles. Most sports organisations probably have a decent idea about which of their athletes are vaccinated/unvaccinated, but this doesn’t give them licence to speak publicly about which of their players is/isn’t vaccinated (unless they have explicit permission to do so, or the information is already in the public domain as a result of the player’s own choice). With vaccination among sportspeople being such a hot topic, there is also a real threat that this sort of information could find its way into the public discourse by unauthorised means, so employers in the sports industry have to be careful that they have put in place appropriate measures to ensure the data’s security.
In this instance, Kimmich’s vaccination status was not disclosed by his employer (so a lot of these legal considerations are not really an issue), but it’s not difficult to see how easily these sorts of issues could come up for employers in the sports sector, or indeed in any industry. It’s fair to say that there is quite a bit of tension in the public debate about vaccination, so it’s not surprising that those who choose – for whatever reason – not to be vaccinated might want that information to remain confidential and secure. Employees are unlikely to look kindly upon their employers if their vaccination status suddenly becomes company-wide (or indeed public) knowledge without their permission.
Employers in all industries would do well to remember that their legal obligations in relation to employees’ personal data (including vaccination status) do not suddenly come to an end once the data has been collected; employers then have to ensure that the data is processed securely, and only for the purpose for which it was collected, for as long as it is in their possession, and also consider how long they need to hold on to that data. Otherwise, we might begin to see similar Kimmich-style situations happening within our workplaces (followed by a raft of ER issues and a knock on the door from the ICO).