David Edwards, partner and head of Harrison Drury’s regulatory team, considers whether employers can maintain a record of which employees have been vaccinated against coronavirus, and if they do so, how that sits with the UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 (DPA).
Businesses must do all they can to ensure the health and safety of their employees is protected.
The Information Commissioner’s Office (ICO) has advised that before businesses decide to collect data concerning employees’ vaccination status, including protection from COVID-19, they must be clear about what they are trying to achieve.
The key consideration when collecting and processing sensitive data of any sort is that there must be a legitimate reason for doing so, whilst taking steps to seek to ensure transparency, fairness and proportionality.
Special Category Data
An employee’s vaccination status will be regarded as ‘special category’ data, as it relates to data concerning health.
Article 9 of the UK GDPR makes it clear that when processing special category data, an additional justification must be demonstrated in order for that data to be lawfully processed. One justification listed under Article 9 of the UK GDPR is explicit consent.
For consent to be valid, it must be freely given, and one must be able to demonstrate that processing data pertaining to an employee’s vaccination status is necessary for reasons relating to employment obligations or public health, and is not based solely on employee consent.
Data Protection Impact Assessment
Before collecting any data regarding an employee’s vaccination status, a business must conduct a data protection impact assessment, a process that assists in identifying and minimising the data protection risks of the exercise.
A Data Protection Impact Assessment must contain the following:
- a general description of processing operations and the purposes
- an assessment of the risks to the rights and freedoms of individuals
- measures envisaged to address those risks
- safeguards, security measures and mechanisms in place to ensure protection of personal data
- a demonstration of how you are complying with Part 3 of the Act, taking into account the rights and legitimate interests of the data subjects and any other people concerned.
Depending on the nature of the work, some businesses may feel it necessary to process information regarding employees’ vaccination status, for example to help plan employees’ return to work.
Employees’ right to object to the processing of personal data
Employees have the right to object to the processing of their personal data and may even refuse to provide consent.
If an employee raises an objection to you processing their vaccination status, you should discuss their concerns with them and carefully consider their views.
You must ensure that they fully understand why you need the data and reassure them that it will be held in confidence. If they still object, you may have to weigh their individual rights against business interests in processing their data.
Your employees should be kept fully informed as to why you might need to process information regarding their vaccination status and how you will keep this information secure. Any privacy notices or data protection policy should be updated.
Businesses are also urged to review contracts of employment and policies, and particularly provisions of them relating to overall health and safety requirements and rights concerning equality and equal treatment.
Harrison Drury’s regulatory team can assist you by preparing a Data Protection Impact Assessment document in relation to processing data on employees’ vaccination status. As highlighted by the ICO, it is important to document this process, ensuring you have a legitimate reason for collecting and processing it.
If you wish to discuss any issues raised in this article, please contact Harrison Drury’s regulatory team on 01772 258321.