In this post we discuss:
- Collection of Covid-19 vaccination data
- GDPR lawful basis for collecting and retaining this data
- Employee confidentiality.
As the vaccination programme gathers speed, many offices will soon be re-opening, allowing workers to return.
This means that firms will need to address data protection compliance when planning how to respond to the vaccination of colleagues or their failure to get vaccinated. The ICO Covid-19 guidance has recently been updated to cover GDPR compliance when collecting data relating to employee vaccinations.
The vaccination status of workers, as health data, is a “special category data” which means it is usually difficult to justify collecting and processing this type of information. However, firms may be able to rely on the condition that it is necessary to process the data relating to vaccination status to comply with legal obligations in connection with employment, or that it is necessary in the public interest relating to public health.
If a public health authority or relevant body wants to offer the vaccine to a firm’s employees, the firm should not rely on consent as the lawful basis to share staff data with them because:
- Consent is not valid if it has not been freely given, which is often the case in an employer/employee relationship.
- Consent is only appropriate if someone can withdraw it at any time.
There are several different lawful bases available to a firm for sharing this information besides consent, but ‘legitimate interests’ is most applicable in the case of a firm being requested for vaccination data by a public body. This is because the sharing of data is likely to be in the interests of the individual, the organisation and the public health efforts to tackle Covid-19. However, the individual’s rights still need to be protected and data protection principles followed.
The firm must ensure that it is able to fulfil a duty of confidentiality to the employee whose information is being processed. This can be achieved by making it clear when sharing the data that it is treated in confidence and that the disclosure is for defined purposes only.
It is important that the firm informs its employees about this data sharing, explaining what data is being shared and why, ensuring that staff can exercise their information rights. Additionally, the firm must have appropriate mechanisms in place to transfer the data securely.
The data protection law gives employees the right to object to the sharing of their personal data in certain circumstances. If a firm receives a request from an employee exercising this right, it should consider the employee’s views and then decide whether the need to share the data overrides the interests of the individual and any applicable duty of confidentiality, considering the context of the pandemic. The firm should make sure that the process it follows to make these decisions is fully documented and can be audited in the future.
A firm’s reason for recording employees’ vaccination status must be clear and compelling, recording it on a ‘just in case’ basis is not an acceptable justification for collecting it. Account should be taken that the offer of a vaccine is a personal decision which could be influenced by a number of factors. When deciding whether to record this data, the firm needs to consider current public health advice about the vaccine and government guidelines.
The collection of this information must not result in any unfair or unjustified treatment of employees and should only be used for purposes they would reasonably expect. Staff should be treated fairly and if the collection of this information is likely to have a negative consequence for an employee, there must be suitable justification. Firms should remember that people are offered the vaccine at different times and some may not yet have been offered a vaccination.
If the firm decides that it can justify recording whether staff have had the vaccine, then it must be transparent. Employees should be informed so they understand why there is a need to collect this information and what it is being used for.
The information must be accurately recorded and securely stored. The firm has a duty of confidentiality to its employees and so it should not routinely disclose vaccine status among colleagues unless there is a legitimate and compelling reason to do so.
At regular time periods the information should be reviewed to determine whether there are still grounds for the collection and retention. This should include monitoring the latest government and scientific advice on the vaccine roll-out and Covid-19 restrictions.
If you would like help understanding this or any other GDPR issues, please contact either Dan, Simon or one of the team.