- I have been contacted by a public health authority / relevant body wishing to invite my employees to have the COVID-19 vaccine. Can I share this data?
- Can I collect data about whether my employees are vaccinated against COVID-19?
- What lawful basis should I use to record my employees’ vaccination status?
- What else do I need to do if I collect information about whether my staff are vaccinated?
I have been contacted by a public health authority / relevant body wishing to invite my employees to have the COVID-19 vaccine. Can I share this data?
Yes. Data protection law is not a barrier to sharing information where it is necessary and proportionate to do so.
It is up to the individual to decide whether they want to have the COVID-19 vaccine. There is a difference between sharing someone’s data so they can be offered the vaccine, and that person then agreeing to have the vaccine once invited.
If a public health authority or relevant body wants to offer the vaccine to your employees, you don’t need to rely on consent as your lawful basis to share staff data with them. Consent isn’t valid if it’s not freely given and this is often the case in an employer to employee relationship because of the imbalance of power. Consent is also only appropriate if someone can withdraw it at any time.
There are several different lawful bases available to you for sharing this information besides consent. Our guidance on lawful bases will help you to decide which applies to your data sharing. Some options to consider are:
- Public task. This is likely to be applicable if you are a public authority and you can identify a task, function or power with a clear basis in law – such as your legal responsibilities around public health – which requires you to share this data.
- Legitimate interests. This is applicable where there is a compelling justification for the processing. This basis recognises that sharing the data is likely to be in the interests of the individual, the organisation and the public health efforts to tackle COVID-19, as long as you protect individuals’ rights and you follow data protection principles.
- Legal obligation. You can rely on this lawful basis if you need to share personal information to comply with the law.
If the data you share implies something about someone's health, this is special category data and you will need to identify an additional condition for processing. There are two relevant conditions you could consider – the employment or the public health condition. Confidentiality is a key safeguard when relying on the public health condition and you should ensure that you are able to fulfil any duty of confidentiality to the person whose information you are processing. You could do this by making it clear that the data is treated in confidence, and that you are disclosing it for defined purposes.
There will be an appropriate gateway for sharing the data, as long as you are not collecting or sharing irrelevant or unnecessary data or sharing it in an irresponsible or unsecure way.
You should tell employees about this data sharing, explaining what data you share and why, ensuring that staff can exercise their information rights. You should have appropriate technical mechanisms in place to transfer the data securely to a relevant organisation, sharing just what is necessary to fulfil this purpose.
Data protection law gives people the right to object to the sharing of their personal data in certain circumstances. If you receive a request from an employee to exercise this right, you should consider their views and decide whether the need to share the data overrides the interests of the individual and any applicable duty of confidentiality, considering the context of a global pandemic.
Before you decide to collect your employees vaccination status, you should be clear about what you are trying to achieve and how recording staff vaccination status will help you to achieve this. Whether your employee has been vaccinated is their private health information and is therefore special category data. Your use of this data must be fair, necessary and relevant for a specific purpose.
Data protection is only one of many factors to consider when asking employees whether they have received the COVID-19 vaccine. You should take into account:
- employment law and your contracts with employees;
- health and safety requirements; and
- equalities and human rights issues.
You should also consider other regulations in your industry and the latest government guidance for your sector.
Your reason for recording your employees’ vaccination status must be clear and compelling. If you have no specified use for this information and are recording it on a ‘just in case’ basis, or if you can achieve your goal without collecting this data, you are unlikely to be able to justify collecting it. You should also take into account that accepting the offer of a vaccine is a personal decision which could be influenced by a number of factors. When deciding whether to record this data, you should also consider current public health advice about the vaccine and government guidelines.
The sector you work in, the kind of work your staff do and the health and safety risks in your workplace should help you to decide if you have compelling reasons to record whether your staff have had the COVID-19 vaccine. For example, if your employees:
- work in a health and social care setting or somewhere they are likely to encounter those infected with COVID-19; or
- could pose a risk to clinically vulnerable individuals,
this may form part of your justification for collecting employee vaccination status. However, if you only keep on record who is vaccinated for monitoring purposes, it is more difficult to justify holding this information.
The collection of this information must not result in any unfair or unjustified treatment of employees and should only be used for purposes they would reasonably expect. You should treat staff fairly and if the collection of this information is likely to have a negative consequence for an employee, you must be able to justify it. When considering fairness, you should remember that different people are offered the vaccine at different times and some people may not yet have been offered a vaccination.
If the use of this data is likely to result in a high risk to individuals (eg denial of employment opportunities) then you need to complete a data protection impact assessment.
If there is a good reason for collecting information about whether your employee has had the vaccine, there is a lawful basis for processing it. For public authorities carrying out their function, public task may be applicable. For other public or private employers, legitimate interests is most likely to be appropriate, but you need to make your own assessment for your organisation.
Vaccination status is health data, which has the protected status of ‘special category data’ under data protection law, meaning it requires extra protection. You must also identify an Article 9 condition for processing and there are two you could consider:
- the employment condition; or
- the public health condition.
If you intend to rely on the public health condition, you must ensure that a health professional carries out the processing, or that you tell people you are treating their vaccination status as confidential, and would only disclose it in defined circumstances.
Consent is rarely appropriate in an employment setting given the imbalance of power between the employer and employee. You can find more information about consent under the UK GDPR here.
If you decide that you can justify recording whether your staff have had the vaccine, you must be transparent. You must make sure that your employees understand why you need to collect this information, and what you’re using it for.
You should accurately record the information that you collect and ensure that the collection and storage is secure. You should respect any duty of confidentiality you owe to employees and should not routinely disclose vaccine status among colleagues unless you have a legitimate and compelling reason to do so.
You should regularly review whether you still have grounds for the collection and retention of this information as the vaccination roll-out progresses and more people receive the vaccine. This should include monitoring the latest government and scientific advice on the vaccine roll-out and coronavirus restrictions.