There are a number of factors that employers need to balance when considering whether they can ask employees about their vaccine status.
From a data protection perspective, employers cannot as a matter of course ask employees if they have been vaccinated.
The collection and use of vaccine information must be for a lawful purpose under the UK General Data Protection Regulation (UK GDPR). One of the lawful purposes an employer might rely on is for its own and/or a third party’s legitimate interests. However, the use of the information must be ‘necessary’ for that purpose and employers must ensure that the employees’ interests, rights and freedoms are not overridden in the process.
Employers must be able to justify their use of vaccine information and be satisfied that their reasons for using the information cannot be achieved by other means. Information Commissioner’s Office (ICO) guidance says that the reason for recording vaccination information must be “clear and compelling”. It goes on to say that “the sector you work in, the kind of work your staff do and the health and safety risks in your workplace should help you to decide if you have compelling reasons to record whether your staff have had the COVID-19 vaccine.”
If relying on legitimate interests as a lawful basis, employers need to carry out a careful balancing exercise, and ICO guidance is that it is good practice to record this (so that any decision can be justified and to demonstrate compliance if required).
Vaccine information is health information and is afforded greater protection than routine information about an individual. This means that as well as having a lawful basis to use vaccine information, employers must also identify an additional condition under the UK GDPR for processing the information. This could include it being necessary to use the information to ensure that the employer complies with its obligations in connection with employment (e.g. to ensure a safe workplace).
If an employer cannot rely on 1) a lawful basis and 2) an additional condition to collect and use vaccination information, any such collection/use will be in breach of the UK GDPR.
As well as processing vaccine information lawfully, employers also need to comply with the other data protection principles contained in the UK GDPR, such as:
- Processing the information fairly and not for a purpose which employees might not reasonably expect or which might result in any unfair or unjustified treatment. If the processing of vaccination information is likely to result in a high risk to employees (e.g. impacting on job opportunities), then employers will need to carry out a data protection impact assessment.
- Ensuring transparency about the use of the information, who it will be shared with, how long it will be kept for, etc. Privacy notices (and other data protection documentation which demonstrates compliance with data protection law) will need to be checked to see if they need updating.
- Recording the information accurately and keeping it up to date.
- Only holding onto the information for as long as is necessary for the reason it was collected – this should be kept under review as government advice changes.
- Keeping the information secure and confidential. ICO guidance says that employers “should respect any duty of confidentiality you owe to employees and should not routinely disclose vaccine status among colleagues unless you have a legitimate and compelling reason to do so.”
What is clear is that before asking staff about their vaccination status, employers should think carefully about why they are asking for this information, what action – in practical terms – they intend to take once they have that information, and whether that action can be justified.