Should companies be recording their employees’ vaccination status and test results?

Following a People Management Insight webinar on the topic, hosted in partnership with ELMO UK, the software provider's CEO Adam Reynolds explores the legality of collecting workers' Covid-related data

Just when we thought it was safe to resume our pre-pandemic lives, up popped Omicron – a new Covid-19 variant that is potentially more transmissible than its predecessors. Omicron’s advent underlines what the scientists have long maintained: we need to learn to live with the virus, particularly as large swathes of the world’s population remain unvaccinated. Covid-19 is not going anywhere anytime soon.

Vaccination is clearly our best defence against infection and serious illness. Dr Albert Bourla, CEO of vaccine maker Pfizer, said recently that people are likely to need annual Covid-19 vaccines for the foreseeable future, and the UK has now secured an extra 114m doses of Pfizer and Moderna jabs to be delivered over the next two years.

Since November, it has been a legal requirement for all employees in the care sector to be fully vaccinated in order to protect the vulnerable people they are looking after, and by next April all other frontline healthcare workers will need to be vaccinated – unless they are exempt.

But with more employees returning to workplaces, do employers in other sectors have a similar duty of care to their staff and customers? Could proof of vaccination become a condition of employment across industry and commerce? If so, how should employers gather, store and track the data in a way that complies with data protection laws? And how can they tread the fine line between keeping everyone safe while at the same time respecting individuals’ right to choose?

These were questions discussed at a recent webinar hosted by People Management Insight, in partnership with ELMO UK, which provides HR and talent management software – including a ‘Covid-secure module’ for tracking employees’ vaccination and test data.

To record, or not to record

ELMO UK CEO Adam Reynolds says: “Organisations – and, more specifically, HR – will need to get used to managing Covid-19 as a health and safety issue, and tracking the vaccination and test information of their employees may be part of that.”

He expects growing numbers of organisations will start doing this as more variants appear on the horizon, and as people grow increasingly accustomed to reporting their vaccine and testing status in other aspects of their lives – travel, football matches, live events and so on.

But there is, as Reynolds observes, “a significant way to go.” A snap poll of some 400 HR participants in the webinar found that just 33% currently record vaccine data, with a further 9% considering it. Nearly half – 48% – don’t record data and 10% are unsure whether they do or don’t.

And the responses to another question – how participants felt about their vaccination status being recorded – suggests that employees are going to take some convincing to share their data with their bosses. Just 59% felt positive about their vaccination status being recorded, 19% were negative and 22% unsure.

Take a holistic approach

Rachel Suff, senior policy adviser, employment relations, at the CIPD, is not surprised by these findings. “Outside healthcare settings, where this is being mandated, the legal landscape around an employer justifying why they are asking for this kind of data, is complicated” she says. “The Information Commissioner’s Office (ICO) has produced guidance in the UK, pointing organisations to GDPR as the key piece of data protection legislation to adhere to. The ICO says that if there is a good reason for collecting the data, then there is a lawful basis for processing it.”

The CIPD advises employers to take a holistic approach to keeping their staff and customers as safe from Covid-19 as possible, with measures such as working from home, ventilation, social distancing, regular handwashing and so on, as important as they ever were. “Within that wider picture you need to weigh up whether it is justifiable to ask people to divulge their vaccine status,” says Suff, advising companies to take legal advice based on their own specific circumstances.

Is your purpose clear?

Ben Favaro, senior associate at law firm Lewis Silkin, says that because vaccine data is classed as ‘special category data’ under GDPR, “you need to be really sure about your purpose before you collect it.”

Employers also need to adhere to a number of principles, first among them being fairness. “You have to be clear to people that you will not use the data to discriminate, for example.” Another principle, transparency, is not only a legal requirement, but also good practice, says Favaro, because it helps to bring employees onboard. You must also collect only what data is necessary to your purpose, and not use the exercise as a way to obtain more intrusive health information. You have to think hard about how long you need to keep the data, which links to your purpose. And you need to go ‘above and beyond’ to ensure the data is secure, limiting access to just a few people.

GDPR requires you to be accountable on all these principles: “If someone complains, and a regulator asks, you need to be able to demonstrate compliance with these obligations,” says Favaro.

And this works both ways: there’s always a chance that a pro-vaccine employee might complain that an organisation hasn’t done enough to comply with their health and safety obligations, and refuse to go into the office. Being able to demonstrate the steps you’re taking to keep employees safe can help you fight claims.

But given this is a new area, and given differences of opinion even among the legal profession, such claims are likely to be tested out in case law, suggests the CIPD’s Suff. “Lots of this has not played out yet. And the fact is, the workplace is a key centre for transmission of the virus. There’s been a lot of responsibility on employers for the past 20 months or so for putting in measures to keep people safe.”

And much of the responsibility, of course, has fallen on HR. “HR has had to balance health and safety with individuals’ choice and attitude to risk, with the needs of the organisation and potentially vulnerable clients,” says Suff. “It’s a very complex landscape, and trying to navigate all those different perspectives is not at all easy.”

Get the messaging right

The CIPD and legal experts advocate a softly, softly approach based on communication, education and careful listening – which, they point out, is more likely to inspire trust and confidence in employees than a rigid approach such as mandating vaccinations or the divulgence of vaccine status.

“It is crucial to get the right messaging,” says Favaro, who advocates the use of Plain English rather than technical language, and fully briefing line managers so they can have their own conversations with staff.

But there are situations, even outside healthcare settings, where vaccination is a requirement of the job – for example, for employees whose job involves overseas travel. Clearly, understanding someone’s vaccination status is critical in such circumstances, but even here, the prospect of the individual losing work tends to act as a greater spur than being forced to get vaccinated.

The bottom line is that declaring our vaccine and test status is becoming part of our lives. “We’re all getting used to things that at the beginning sounded ‘creepy’,” says Favaro, who suggests that this may increasingly apply in the workplace too so long as people see their data is not being misused. “It’s important to maintain good practice or employers will meet resistance.”

According to government figures at the beginning of December, 70% of the adult population had had two doses of vaccine, and 30% had had a booster. However, Omicron has been a spur for many – including those who were previously vaccine-hesitant – to take up their jabs and boosters.

While they may have the loudest voices, the dissenters are less prevalent than some might think, says Reynolds. “We find that employees and clients are often driving this. They want reassurance that employees are taking their duty of care seriously.”

Watch the webinar in full.

About ELMO Software

Established in 2002, ELMO is a cloud-based HR, learning and talent management software provider. The company offers customers across the UK, Australia and New Zealand a unified platform to help organisations streamline their people and processes. ELMO operates on a software-as-a-service (“SaaS”) business model based on recurrent subscription revenues.  For more information, please visit