“Have you had your jab?”: Navigating the vaccine status of your workforce
As the NHS continues to roll out the Covid-19 vaccine, your organisation might be beginning to consider whether or not you need to collect data regarding your employees’ vaccination status. The starting point is that, like any employer, you may request information about the vaccination status of your employees but, as with all personal data, you must consider your compliance with the data protection requirements of the UK GDPR and Data Protection Act 2018.
Whilst data protection law does not prevent employers from collecting data about their employees' vaccination status, employers should only request this information if it is absolutely necessary and proportionate to do so. Employers should consider the necessity of collecting vaccination data whilst taking into account: (i) the roles of their employees; (ii) the working environment; (iii) the risk of the employees' exposure to others; and (iv) the health status of the employee.
If an organisation's employees work remotely and are unlikely to require face-to-face contact with other people in the course of their employment, the collection of vaccination data is unlikely to be necessary or proportionate.
An employee's vaccination status is special category data under data protection law. A key consideration when collecting this kind of data is what your organisation's grounds are for collecting and using it. As well as needing a legal basis for processing under Article 6 of the UK GDPR, vaccination status information will require an additional basis under Article 9 of the UK GDPR in order to be lawful. Some potential justifications for processing in the context of vaccinations might be that vaccination status information is necessary for the purposes of carrying out the obligations and exercising specific rights in an employment context (Article 9(2)(b)) or necessary for the public interest for public health reasons (Article 9(2)(i)). The Information Commissioner’s Office also considers that organisations should conduct a Data Protection Impact Assessment prior to any processing, to identify and mitigate any risks and for the purpose of meeting the accountability principle.