Employers risk breaking the law as they respond to UK government guidance about policing staff vaccination. We will see vaccine mandates across the pond from September by Microsoft, United Airlines, Google, Walmart and others. However, UK and European law is quite different and in general does not permit measures of this kind.
The UK government may have given the impression that processing the Covid vaccination status and test results of staff is approved in a formal sense, but it isn’t. Encouraging staff to get vaccinated is fine, but checking whether they have been isn’t acceptable under data protection law. Regular testing remains acceptable but must comply with strict privacy and security rules.
September will see many teams heading back to the office. With this in mind, companies have to navigate the guidance, along with the mix of staff who are and aren’t vaccinated – some of whom aren’t vaccinated by choice.
Employers seeking to collect the vaccination status of staff, or to impose screening checks, should follow these simple rules to stay on the right side of the law.
1/ Where possible do not collect, process or record information
By verbally requesting a vaccination status, visually checking a Covid test or looking at but not scanning the NHS app, companies can avoid the implications of data protection law. But they might be in breach of the Equality Act if they exclude non-vaccinated staff.
Be careful not to record information inadvertently, by creating a list of people who don’t need daily testing because they’re vaccinated, or a list of those who can’t come into the office because they aren’t.
Those would be considered records of vaccination status, which is protected medical data.
2/ You need employee consent to collect a vaccination status
Employee consent is difficult to obtain safely. Legal precedent suggests employees may feel coerced – so companies have to be very careful to demonstrate that refusing consent has no adverse effects on the employee.
3/ Evidence of a negative test is appropriate – but short-lived
The regulator, the Information Commissioner’s Office (ICO), presently supports the view that, under Health and Safety regulation requiring a safe working environment, it is appropriate to ask for negative Covid tests. But companies must be careful not to exempt the vaccinated from testing.
Employers may make the tests compulsory and record the results. A negative test only has value for a short time; 72 hours seems to be the consensus. So there is no need to retain the result for any longer than that, and employers should delete the data at that point.
Those testing daily don’t need to record data at all, since anyone with a positive result will not be admitted and everyone will be re-tested the next day.
4/ If someone tests positive, it can be recorded
If someone calls in sick with a positive test, this too may be recorded as part of their employment file.
We encourage employers to minimise what they record. It’s important that the employee who tested positive is not identified to others.
If two or more employees test positive, this must be reported to Public Health England or the appropriate public health authority.
5/ Recorded medical data is subject to a higher standard of protection
Medical data is considered more sensitive than other personal data. Companies must ensure medical data is properly protected: this includes minimising access to it and applying additional levels of security such as encryption or pseudonymisation.
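As an added illustration (this is example code, not from the article or any employer's system), the two rules above can be combined in a small record store: negative test results are kept only for the 72-hour window and then purged, and the employee is never stored by name or staff number but under a keyed-hash pseudonym, so the table alone cannot identify anyone. The in-memory store, the HMAC key and the employee IDs and timestamps are all constructed for the example; positive results, which the article says belong in the employment file under a different retention rule, are deliberately not modelled here.

```python
import hmac
import hashlib
import datetime as dt

# Retention window for a negative test, per the article's "72 hours" consensus.
RETENTION = dt.timedelta(hours=72)


class NegativeTestStore:
    """Holds negative Covid test results under a pseudonym, for at most 72 hours.

    Pseudonymisation: the key is held by the store owner, not by whoever can read
    the records, so a leaked table cannot be linked back to named employees
    without the key (access minimisation).
    """

    def __init__(self, pseudonym_key: bytes):
        self._key = pseudonym_key
        # pseudonym -> time the negative result was recorded (UTC)
        self._records: dict[str, dt.datetime] = {}

    def pseudonym(self, employee_id: str) -> str:
        # Keyed hash (HMAC-SHA256): stable per employee, irreversible without the key.
        return hmac.new(self._key, employee_id.encode("utf-8"), hashlib.sha256).hexdigest()

    def record_negative(self, employee_id: str, when: dt.datetime) -> None:
        """Record a negative result; only the pseudonym and timestamp are kept."""
        self._records[self.pseudonym(employee_id)] = when

    def is_cleared(self, employee_id: str, now: dt.datetime) -> bool:
        """True if a negative result exists and is still inside the 72-hour window."""
        recorded_at = self._records.get(self.pseudonym(employee_id))
        if recorded_at is None:
            return False
        return now - recorded_at < RETENTION

    def purge_expired(self, now: dt.datetime) -> int:
        """Delete every record older than the retention window; returns the count removed."""
        expired = [p for p, t in self._records.items() if now - t >= RETENTION]
        for p in expired:
            del self._records[p]
        return len(expired)

    def record_count(self) -> int:
        return len(self._records)


def demo() -> dict:
    """Walk through one employee's result over the retention window (constructed data)."""
    store = NegativeTestStore(b"constructed-demo-key-keep-separately")
    t0 = dt.datetime(2021, 9, 1, 9, 0, tzinfo=dt.timezone.utc)
    store.record_negative("staff-0042", t0)  # constructed staff ID
    return {
        "cleared_at_71h": store.is_cleared("staff-0042", t0 + dt.timedelta(hours=71)),
        "cleared_at_73h": store.is_cleared("staff-0042", t0 + dt.timedelta(hours=73)),
        "purged": store.purge_expired(t0 + dt.timedelta(hours=73)),
        "remaining": store.record_count(),
    }


if __name__ == "__main__":
    print(demo())
```

The scheduled `purge_expired` call is the part that makes the retention rule real: a record that is merely ignored after 72 hours is still a stored medical record for data protection purposes, so deletion, not filtering, is what the article asks for.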
The NHS app is designed with a QR code encouraging the viewer to scan it for verification. However, even if you record nothing, just the act of verification counts as data processing and means that data protection law comes into play.
Employers should be very careful about the basis for requesting medical information. Vaccination is not a 100 per cent barrier to transmission. So, asking for a vaccination status cannot be justified on the basis of ensuring a safe workplace.
It is doubtful that there is a legal basis for preventing unvaccinated staff from coming to work.
There are certainly difficulties in processing the related data lawfully, as the European Data Protection Supervisor has recently made clear. Although the EDPS is no longer directly binding on the UK, our law is identical.