As workplaces reopen after COVID-19, many employers are considering whether to implement policies requiring employees to be fully vaccinated before returning to the workplace. We explore whether this policy is enforceable and the associated risks.
The current UK Government rules are that (from 11 November 2021) only those working in care homes in England are required to be fully vaccinated. For all other employers, there is no requirement that staff be vaccinated and whether to be vaccinated is a choice for each individual. Furthermore, the UK Government has ruled out making vaccination a requirement for the adult population at large. Understandably, many employers are concerned about the impact of sickness absence on their workforce, as well as the safety of their staff and clients, and are considering putting in place policies mandating that their employees are vaccinated if they want to return to the workplace.
Employment risks of mandatory vaccination policies
There are a number of risks that employers considering mandatory vaccination policies should consider:
- Indirect discrimination – any policy requiring all employees to be vaccinated may indirectly discriminate against individuals who hold protected characteristics. For example, those who cannot be vaccinated for health reasons might be able to claim that the mandatory requirement is indirect disability discrimination. There are also potential arguments relying on other protected characteristics, such as age, pregnancy and maternity, race, and religion or belief. For instance, confused messages relating to the safety of the vaccine for pregnant women, or those wishing to become pregnant, has meant that they have been less likely to get vaccinated, which concerns the protected characteristic of sex. For this reason it is inadvisable to put in place a “blanket” vaccination policy and there should be scope for individuals’ specific circumstances to be taken into account.
- Unfair dismissal – where there is a mandatory vaccination policy, there is a risk of constructive dismissal claims where employees have over two years’ continuous service (i.e. employees resigning and alleging that they have been put in a position akin to dismissal). In order to defend this claim, an employer will need to show that its mandatory vaccination policy constituted a reasonable management instruction, which will largely depend on the nature of the job and the circumstances at the time (e.g. did the individual come into contact with vulnerable people or is there another compelling reason?).
There are other risks that employers should bear in mind. Under the Human Rights Act 1998, everyone has a right to privacy, which may be violated by a mandatory vaccination policy. There is also the risk of personal injury claims arising from any significant side effects that an employee suffers as a result of being vaccinated following policies of this kind, although on the current medical evidence this will likely be a low risk for employers.
Data Protection Implications
There are also various data protection implications that employers must consider before implementing any mandatory vaccination policy, as it will normally require some sort of confirmation/collection of vaccination status:
- Employers should note that current guidance from the UK’s data protection regulator, the Information Commissioner’s Office (“ICO”), distinguishes between simply visually checking COVID passes (i.e. not logging this information in any way) and actively scanning employees’ QR code from the NHS COVID Pass app. The ICO considers that the former does not constitute data processing (and therefore the provisions of the GDPR do not apply) whereas the latter does. For further information, the ICO has created a dedicated resource covering the key data protection considerations relating to COVID-19.
- Vaccination status is “special category data”. Therefore, any employer intending to record whether employees have been vaccinated must ensure that it satisfies the appropriate legal bases for doing so. The ICO considers that the most likely conditions that employers will be able to rely upon are the employment condition or the public health condition.
- In addition, employers will need to comply with all of the normal data protection requirements, such as ensuring security of the vaccination information, ensuring that it is kept for no longer than is necessary and no more data is collected than is required. Employers will also need to update their privacy notice to ensure that staff are aware of how their data is being processed, shared and for what purpose.
How can employers mitigate the risks?
Any employer considering implementing a mandatory vaccination policy may want to consider taking the following actions to reduce the risk of claims:
- Risk assessment – undertake a detailed data protection risk assessment to consider why vaccinations are required and to assess the risks to individuals of disclosing their health data.
- Consider individual circumstances – allow exemptions to the policy and consider individuals on a case-by-case basis.
- Other options – consider less intrusive ways to achieve the same objective, such as requiring lateral flow tests prior to visits to the office for un-vaccinated employees.
- Consultation – consult with workplace representatives and trade unions (if applicable).
- Regular review – regularly review the vaccination requirement as the current mass vaccination program progresses and government guidance changes.
This is a fast-moving area and constant developments mean that it is essential that employers keep any policy concerning the vaccination requirements for their employees under review for the foreseeable future.