The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Can I check my employees, customers, or visitors’ COVID status?

In some parts of the UK, it is now a legal requirement to check people’s COVID status in certain settings, and for some people working in health and social care roles to have been vaccinated against COVID-19.

Where it is not a legal requirement, checking this information is at the discretion of the business or organisation. Before you decide to voluntarily check people’s COVID status, you should be clear about what you are trying to achieve and how asking people for their COVID status helps to achieve this. A person’s COVID status is special category data, as it is their private health information. Your use of this data must be fair, relevant and necessary for a specific purpose.

Data protection is one of a number of factors to consider when thinking about implementing COVID-status checks. You should take into account:

  • employment law and your contracts with employees (if you are considering checking employees’ COVID status);
  • health and safety requirements; and
  • equalities and human rights, including privacy rights.

You should also consider other regulations specific to your sector, as well as current public health advice and the latest government guidance in your part of the UK.

Your reason for checking or recording people’s COVID status must be clear, necessary, and transparent. If you cannot specify a use for this information and are checking it on a ‘just in case’ basis, or if you can achieve your goal without collecting this data, you are unlikely to be able to justify collecting it.

You should check government guidance for your part of the UK to determine whether your sector is required to check people’s COVID status. If you are not required to collect this information but are considering doing it on a voluntary basis, you should consider the sector you operate in and the health and safety risks in your setting to help you to decide if you have compelling reasons to check people’s COVID status.

The use of this information must not result in any unjustified treatment of employees, customers, or visitors. You should only use it for purposes they would reasonably expect. Your processing of this information must be fair and if the collection or use of COVID status information is likely to have a negative consequence for someone, you must be able to justify it.

If the use of this data is likely to result in a high risk to individuals (eg denial of employment opportunities or services), or you will be processing health data on a large scale, then you need to complete a data protection impact assessment.

For further reading, see our tips for looking after your customers’ personal data when completing vaccination and COVID status checks.

Does the UK GDPR apply if I decide to check people’s COVID status?

If you are only conducting a visual check of someone’s COVID status (either a hard-copy document or a pass held on a digital device) and do not retain any personal data from it, this would not constitute ‘processing’ personal data under UK GDPR. The activity would therefore fall outside of the UK GDPR’s scope.

However, if you are conducting checks digitally (for example, by scanning the QR code displayed on the pass), this would constitute processing of personal data – even if you do not keep a record of it. The UK GDPR would therefore apply.

If you make a record of any personal data, whether you conduct visual or digital checks, then you would be processing personal data and the UK GDPR would apply.

For further reading, see our tips for looking after your customers’ personal data when completing vaccination and COVID status checks.

What lawful basis should I use for checking people’s COVID status?

If there is a good reason for checking people’s COVID status, it is highly likely there would be an appropriate lawful basis for processing it. For public authorities carrying out their function, public task may be applicable. For other public or private organisations, legitimate interests is most likely to be appropriate, but you need to make your own assessment for your organisation.

In some parts of the UK, it is now a legal requirement for certain venues and employers to check people’s COVID status. Where these checks are required by law, you may be able to rely on legal obligation as your basis for processing.

A person’s COVID status is health data, which has the protected status of ‘special category data’ under data protection law. This means it requires extra protection. You must also identify an Article 9 condition for processing. The two you could consider are:

  • the employment condition; or
  • the public health condition.

For either of these conditions to apply, you must be able to demonstrate that the processing is necessary. This doesn’t mean that the processing must be absolutely essential, but you must be able to show that you can’t achieve the same purpose by less intrusive means.

If you intend to rely on the public health condition, you must ensure that either a health professional carries out the processing, or that you tell people you are treating their COVID status as confidential and would only disclose it in clearly defined circumstances. Under the public health condition, it is important to be aware of the requirement to handle personal data with the necessary degree of confidentiality and ensure you have measures in place to do so.

Consent as a lawful basis under UK GDPR is rarely appropriate in an employment setting given the imbalance of power between the employer and employee. Similarly, consent is unlikely to be appropriate where checking someone’s COVID status is a legal requirement or a condition of entry to your premises. This is because you cannot consider consent to be ‘freely given’ in these circumstances. You can find more information in our guidance on consent under the UK GDPR.

For further reading, see our tips for looking after your customers’ personal data when completing vaccination and COVID status checks.

What else do we need to do if we process the COVID status of staff, customers, or visitors?

If you are implementing COVID status certification, you must be open and transparent. You must make sure that people understand why you need to collect this information, and what you’re using it for.

You should ensure that the collection of this data is secure. You should respect any duty of confidentiality you owe, and you should not disclose a person’s COVID status unless you have a legitimate and justifiable reason to do so.

If you record this information, you must ensure that you do not hold the information for longer than is necessary, and do not use the data in ways people would not reasonably expect. If you are conducting a one-off check for visitors or customers, you probably only need to make a check of someone’s COVID status and would not need to retain any information. You would need to clearly justify any records you keep or retention of information.

You should only request the minimum amount of data necessary for your purpose. For example, if an individual has a clinically approved exemption status, you should not be routinely requesting further information about the clinical reason behind the exemption.

You should regularly review whether you still need to process COVID status data.

For further reading, see our tips for looking after your customers’ personal data when completing vaccination and COVID status checks.

Can I record information about my employees’ vaccine status?

The advice set out above in relation to COVID status also applies to checking and recording your employees’ vaccine status. However, there are some additional factors to consider.

Your reason for recording your employees’ vaccination status must be clear and necessary. If you cannot specify your use for this information and are recording it on a ‘just in case’ basis, or if you can achieve your goal without collecting this data, you are unlikely to be able to justify collecting it.

The sector you work in, the kind of work your staff do and the health and safety risks in your workplace should help you to decide if you have legitimate reasons to record whether your staff have had the COVID-19 vaccine. For example, if your employees:

  • are legally required to be vaccinated against COVID-19 to perform their role;
  • work somewhere where they are more likely to encounter those infected with COVID-19; or
  • could pose a risk to clinically vulnerable individuals,

this may form part of your justification for collecting employee vaccination status. However, if you only keep on record who is vaccinated for monitoring purposes and are not legally required to collect this information, it may be more difficult to justify holding this information.

The collection of this information must not result in any unjustified treatment of employees, and you should only use it for purposes they would reasonably expect. Your processing of this information must be fair and if the collection of this information is likely to have a negative consequence for an employee, you must be able to justify it. You must clearly explain to your employees why you are collecting this information and how it will be handled.

If the use of this data is likely to result in a high risk to individuals (eg denial of employment opportunities) or you will be processing health data on a large scale, then you need to complete a data protection impact assessment before you start processing the data.

From 11 November 2021, those working in a Care Quality Commission-registered care home for adults in England need to be fully vaccinated, or medically exempt. Care home managers should consult government guidelines for further information about their obligations.

You should accurately record the information that you collect and ensure that the collection and storage is secure. You should respect any duty of confidentiality you owe, and you should not disclose a person’s vaccine status unless you have a legitimate and necessary reason to do so.

If you are recording vaccination information, you must ensure that you do not hold the information for longer than is necessary, and do not use the data in ways people would not reasonably expect.

For further reading, see our tips for looking after your customers’ personal data when completing vaccination and COVID status checks.