In our latest alert, associate Sophie Rothwell and partner Emma Bartlett address key employment law and GDPR considerations for employers requiring employees to provide immunization status data.
The coronavirus pandemic continues to have a significant impact on all aspects of life in the UK, including businesses, employers and workers. While the rollout of vaccinations over the past year has provided us with a glimmer of hope for a future in which the virus does not dominate, at the moment there is no immediate solution and companies must continue to operate in the coronavirus landscape. It has been a very difficult time for employers as they have sought to follow the different iterations of government-issued guidelines for working safely during the pandemic. However, the fact remains that only certain roles / industries are subject to mandatory vaccination requirements, with the majority of employers simply being encouraged to make a commitment to drive vaccine uptake across the UK by helping staff to get vaccinated.
Several national employers, such as IKEA, Asda, Slimming World, Metro Bank, Santander and others, have gone to great lengths to promote positive immunization messages and pledge to be flexible in helping staff get vaccinated during working hours, and in giving employees time off to recuperate if they feel unwell as a result.
One of the reasons to encourage staff to get vaccinated is to make sure workplaces are safe. However, some employers are neglecting their data protection compliance obligations by consistently requiring employees to confirm their immunization status before entering the workplace. This article serves to remind employers of their obligations and the parameters in this regard.
Verification of employee immunization status
UK data protection law places limits on how employers can ‘handle’ the personal data of their employees. An individual’s immunization status is personal data for these purposes and employers must therefore comply with data protection legislation.
The form of data collection will affect an employer’s obligations. If, for example, an organization only visually checks staff members’ immunization cards and does not keep any personal data (either by keeping a record, taking a hard copy or digitally scanning it), this should not constitute “processing” and no restrictions apply.
However, if an employer performs digital checks (for example, scanning the barcode of a vaccination passport) or requires that paper proof or written confirmation of vaccination status be kept in the employee’s HR file, this would constitute “processing”.
Legal basis for data processing
As indicated above, vaccination status is personal data within the meaning of data protection legislation. In addition, health data has the most protected status of “special category data”. This effectively means that an employer must pay more attention to why they need the information and what to do with it. An employer must:
- have a legal basis for data processing; and
- be able to identify what is called an Article 9 condition (under the GDPR) for the processing.
In terms of a valid legal basis, the most likely in the context of employment is that an employer may have a legitimate interest in processing vaccination data. This means that the processing is necessary for the legitimate interest of the employer or the legitimate interests of a third party, unless there is a good reason to protect the personal data of the individual which prevails over these legitimate interests. It is important to note, however, that employers should do their own assessment for their specific organization and should not automatically assume that they have a legal basis.
With regard to the condition of Article 9 for the processing of data in the context of employment, the following provisions could apply:
- Article 9 (2) (b), where the processing is necessary for the fulfillment of obligations in the field of labor law, such as the health, safety and well-being of employees; or
- Article 9 (2) (i), where the processing is necessary for reasons of public interest in the field of public health.
The reason why an employer records the immunization status of its employees should therefore be clear and necessary – they should not collect the data just in case, or if they can achieve their goal without collecting the said data.
Employers should carefully consider whether there is a real need to collect and process immunization data. Analyzing the type of work performed by your staff and the particular health and safety risks at your workplace should help you determine if there is a legitimate reason to record whether your staff have been vaccinated. For example, if you have an employee who is clinically vulnerable and therefore at greater risk if exposed to the virus, it might be legitimate for you to check the immunization status of colleagues who work closely with the clinically vulnerable employee, to ensure that the risk posed to that employee is minimized as much as possible under the circumstances. Employers should not collect immunization data only for general surveillance purposes or to build the confidence of staff or clients when they come to the workplace.
Data protection obligations
Some general guiding principles should be taken into account when processing immunization data:
- Employees need to understand why their employer needs to collect this information and what it is used for – being open and transparent is essential for this.
- Data collection must be secure and any duty of confidentiality owed must be respected. For example, an employer should not routinely disclose a person’s immunization status to others, including co-workers, unless there is a legitimate and justifiable reason to do so.
- Before collecting the data, the employer should determine whether the use of the data is likely to result in a high risk to individuals (e.g. denial of employment opportunities), because in these circumstances a data protection impact assessment should be carried out before the data is collected and processed.
- The collection of immunization information must not lead to unfair or unjustified treatment of employees and if the collection of information is likely to have a negative consequence for an employee, then an employer must be able to justify it.
- Information should not be retained longer than necessary and should not be used in a way that employees would not reasonably expect. Employers should be clear about whether immunization status is checked once or if it is kept in an employee’s HR file. Any data retention must be justified and must be regularly reviewed to determine whether its continued processing is necessary.
Of course, immunization records should not be routinely collected without sufficient justification, and should not be relied on unnecessarily or inappropriately. The collection of immunization data could indeed be considered an occupational health and safety measure, but it should not be the only measure in place to protect staff against COVID-19. Employers should make sure to consider all aspects / factors for which immunization data is needed, and only if the goal is unachievable without immunization data should it be collected.
For example, if you have a staff member who is clinically vulnerable and at greater risk of serious illness if they contract the coronavirus, and that person works in an office and shares office space with a number of other colleagues via hot-desking, it could be that social distancing or providing the individual with a fixed office that no other staff member can use could limit the risk to that employee. Alternatively, if that person shares an office with another person and is nearby all day, under these circumstances it might be appropriate to ask for the immunization status of that particular person, but it might not necessarily be essential to collect the vaccination status of all employees in an organization in order to appropriately protect the clinically vulnerable employee.
While it is possible for employers to have a legal basis and condition for processing immunization data in the context of the workplace, the ICO guidelines make it clear that the circumstances under which immunization data can be collected in accordance with the law are, in fact, limited. The position is not straightforward, and employers are carefully considering whether there is a need to collect and store relevant data, including asking why they are doing it and whether there are other ways to achieve these goals.