20 April, 2021
As the lockdown restrictions begin to ease and employers are making plans for staff to return to the office, we have been contacted by a number of RP clients to ask whether or not it is lawful to collect information from staff about whether or not they have been vaccinated against Covid-19.
The issue raises a number of data protection questions which will need to be addressed before the information is collected in order to avoid complaints about the way in which staff data is used. However, data protection is not the only legal issue to consider when making the decision to collect vaccination data and you should consider your employment law obligations and seek advice if necessary.
When deciding whether or not to collect vaccination data from staff, your starting point will be to be clear about your reasons for collecting this data. Information relating to vaccination status will be 'special category data' for the purposes of data protection law and is therefore given a higher level of protection. Your collection and use of vaccination data must be fair, necessary and relevant for a specific purpose - it is not appropriate to collect the data 'just in case' it may be useful at a later date.
When looking at your reasons for collecting vaccination data, you should take into account the type of work your staff do and the health and safety risks of the workplace they are working in. It will be easier to justify the collection of vaccination data where staff work in situations where they are likely to come into contact with those infected with Covid-19 or where they could pose a risk to vulnerable individuals. Conversely, it will be more difficult to justify the collection of vaccination data where staff are working from home or unlikely to come into contact with other individuals likely to be infected with Covid-19.
In addition, you will need to consider what you will use the vaccination data for and take into account that the collection of the data must not result in any unfair or unjustified treatment of staff and that the data should only be used for purposes they would reasonably expect. You should also take into account that different people are offered the vaccine at different times and there will be personal reasons affecting individuals' decisions about whether or not to have the vaccine, such as pregnancy or underlying health conditions.
Currently, the clinical trials have shown that Covid-19 vaccines can prevent individuals becoming seriously ill and hospitalised. However, it is not yet known whether the Covid-19 vaccines prevent transmission of the disease. Therefore, guidance will need to be reviewed on a regular basis to determine whether you have sufficient reasons for collecting and holding information relating to the Covid-19 vaccination.
Vaccination data will be classed as 'special category data' under the UK GDPR. Therefore, RPs will need a lawful basis under both Article 6 and Article 9 of the UK GDPR in order for the collection and retention of vaccination data to be lawful.
The most appropriate lawful bases for the collection and retention of vaccination data are as follows:
If you decide to go ahead with the collection of vaccination data, staff should be informed about what information you will be collecting, your reasons for collecting this data and how the data collected will be used. This information should be provided to staff in a 'privacy notice' which sets out these details and provides additional information to staff about their rights under data protection law. This privacy notice can be provided to staff along with your communication explaining that you wish to commence the collection of vaccination data.
As part of your decision-making process, you will need to decide how long you keep this information for. This will depend on your reasons for collecting the data in the first place and should therefore be linked to this purpose. Vaccination data should not be kept for any longer than is necessary for the purpose for which it was obtained.
Finally, you will need to ensure that information collected from staff in relation to vaccination data is held securely in the same way other health information about staff is stored. It should only be accessible by a small number of authorised members of staff on a need-to-know basis. You should not routinely disclose vaccine status among other members of staff unless you have a legitimate and compelling reason to do so.
In order to ensure all of these points are addressed fully, we would recommend a data protection impact assessment is conducted prior to any information being collected. For further advice and assistance in relation to conducting a data protection impact assessment or for further information please don't hesitate to contact us.
The ICO has recently published further guidance on the collection of vaccination data, which can be found here: Vaccinations | ICO
For more information contact Bethany Paliga in our Housing & Regeneration department via email or phone on 01254 222347. Alternatively send any question through to Forbes Solicitors via our online Contact Form.