Can employers ask staff whether they have been vaccinated?

As the roll-out of Covid-19 vaccination advances in the UK, employers will be considering the implications for their staff and workplace. Many employers are likely to opt to encourage employees to take up the vaccine, without mandating it.

With the lifting of the working from home guidance in England, the high COVID infection rates across the UK and the government advising that double vaccinations reduce significantly the risk of both catching and spreading the virus, it is likely that many employers will start to reconsider whether they want to ask their staff about vaccination status so that they can factor this information into their risk assessments to make the workplace as COVID-secure as possible.   

The government’s recent announcement that from the end of September entry to nightclubs may require evidence of double vaccination, the large uptake of the vaccine in the UK amongst the adult population, compulsory vaccinations in care homes from 11 November 2021, and the changes in France (with vaccinations being required for various activities) are also relevant considerations and factors in shifting a culture in the UK which has previously been very much against any requesting of (or processing of) information regarding vaccinations.

But so that employers can collect this data in compliance with data protection laws, it will be essential to assess why the data is needed. 

Can it be lawful to ask for vaccine information?

Yes, it is possible and can be lawful provided that you have made an assessment of (i) why the data is being captured, and (ii) you have decided that it is necessary to capture this data, and the relevant lawful bases are established.

Why are you collecting the data?

Having and recording clear rationales about why this data needs to be captured and what it will be used for means you need to establish that there a compelling reason for you to capture this data.  The Information Commissioner’s Office (ICO) guidance says that “The sector you work in, the kind of work your staff do and the health and safety risks in your workplace should help you to decide if you have legitimate reasons to record whether your staff have had the COVID-19 vaccine.” The rationale will need to go well beyond a basic desire to monitor, and be clearly based on other business obligations such as health and safety obligations. Capturing data about vaccination status will then need to be shown to be necessary to meet those obligations. Your health and safety assessment should determine whether, for example, you would be justified gathering vaccination data for the purpose of only permitting vaccinated staff into the workplace. Although, except in certain workplaces such as health care settings, this is unlikely to be a good enough reason due to the discrimination implications (see below).

Do you have lawful reasons for processing the data?

If you have a compelling reason to capture the data, and can demonstrate you need this data, you will be able to have lawful reasons for doing so.  Whether an employee has been vaccinated is health data (special category personal data under the GDPR), so from a legal standpoint there needs to be a lawful basis for processing the data as well as an additional processing condition:

• Lawful basis: this could be legitimate interest, relating to the considerations above (understanding how well protected the workforce is and how this impacts health and safety risk assessments, and prioritising groups for testing that may not have been vaccinated).
• Additional condition: as above, the employment condition of ensuring the health, safety and welfare of employees is likely to be the relevant additional condition for processing.

Can you achieve your purpose for collecting the data in a less intrusive way?

The use of the vaccinations information must be ‘necessary’ for the purpose you’ve identified, and you must ensure that the interests of your employees and their rights and freedoms are not overridden in the process. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis.  Consider here how much information you need to achieve your stated purpose.   Bearing in mind the low level of protection given by one dose of the vaccine, is it sufficient to collect data on two doses only?  What about when a third dose is available?  Will you need to collect that information as well or is the information on two doses sufficient for your needs?  Do you need to collect information on names and job title or department where the employee works?  What about age?  Do you need to know when the vaccine was given? How much information you need may change over time depending on government guidance and the scientific evidence at the time so it will be important to keep this in mind and review your reasoning regularly as government guidance changes.   You also need to consider whether other mechanisms can be put in place to avoid needing to ask about vaccinations.  The use of social distancing, systems in the office for COVID secure environments etc – why will those mechanisms not work anymore and why do you need to know about vaccinations?   This may be because you need more office capacity – but these issues need to be thought through.

What else should you do to comply with data protection laws?

• You would need to ensure that if the above are established, that you are transparent with employees about why the information is being collected and what it will be used for. Privacy notices (and other data protection documentation which demonstrate compliance with data protection law) will need to be checked to see if they need updating.
• In terms of the data you collect, this should be minimised to the extent possible (e.g. simply capturing “Y/N” to whether an individual has received a COVID-19 vaccine, rather than data about which type of vaccine, reasons why the individual chose not to be vaccinated, etc.).  You should  ensure that the information is recorded accurately and kept up to date; that it is only held as long as is necessary for the reason it was collected (keep under review as government advice changes) and is kept secure and confidential. ICO guidance says that employers “should respect any duty of confidentiality you owe to employees and should not routinely disclose vaccine status among colleagues unless you have a legitimate and compelling reason to do so.”

• Finally, the processing of the information you collect should be done fairly and should not be used for a purpose which employees might not reasonably expect or which might result in any unfair or unjustified treatment. If for example the processing is likely to result in high risk to individuals (eg denial of employment opportunities), then you will need to carry out a data protection impact assessment.

What other factors should employers consider when asking for vaccination information?

In addition to data protection and health and safety issues, it is also important to consider discrimination risk when asking for vaccination data.  For example, refusal to allow the unvaccinated into the office could expose you to discrimination claims, particularly disability discrimination but also potentially discrimination on the grounds of religion or philosophical belief or even indirect race discrimination if it can be shown that less ethnic minorities tend to take up the vaccine.   Refusal to pay sick pay for the unvaccinated who are unable to work because they are sick with COVID also throws up similar discrimination risks.   

In summary before you ask your staff about their vaccination status, you need to think carefully about why you want this information and what action you intend to take once you have it, and whether that action can be justified.  However, the culture may be shifting with more employers considering asking for this information if the cases of COVID keep on increasing, and the UK Government do bring in vaccination status as a requirement for certain activities.

For further information, see the latest ICO guidance

https://ico.org.uk/global/data-protection-and-coronavirus-information-hub/coronavirus-recovery-data-protection-advice-for-organisations/vaccination-and-covid-status-checks/