What data can employers ask for on vaccination status?

With regulations mandating staff in care homes to have the Covid jab coming into force soon, James Cassidy discusses the complexities of handling privacy data

Employees and vaccination status

Regulations making it compulsory for those working in care homes to be vaccinated against Covid-19 will come into force on 11 November 2021. The government is also expected to consult on mandatory vaccination against Covid-19 for wider healthcare staff. 

Mandatory vaccination will require employers to gather and process the vaccination status of their employees, and in doing so they will be processing personal data and special category data. While there may be a legal obligation to do this, the UK GDPR, together with the Data Protection Act 2018, still requires an employer, as a data controller, to ensure that the processing is fair and transparent.

In addition, firms should carefully consider how to manage mandatory vaccination issues in relation to job applicants, because employers can only lawfully make pre-employment health and disability enquiries, which would include asking questions about vaccination status, in certain prescribed circumstances. 

For employers in other sectors where vaccination is not mandatory, there may still be a need to gather and process the vaccination status of employees to conduct health and safety risk assessments. It may still be lawful to process this data in the absence of a statutory obligation, but careful consideration should be given to identifying a suitable legal basis. 

A further issue for employers to grapple with from an employment law perspective may be how to manage those staff who refuse to provide data or evidence of their vaccination status. Employers should be transparent with staff about any requirement to provide proof of vaccination status, and the possible consequences of failing to do so. 

Gathering and processing vaccination status data

The Information Commissioner’s Office (ICO) has provided some helpful guidance to assist employers in ensuring that they have a lawful basis under UK GDPR upon which to process details of the vaccination status of employees. 

An employer’s reason for checking or recording employees’ vaccination status must be clear and necessary, and employees must be informed as to what data will be gathered and how it will be used. The sector you operate in, the type of work your staff do (for example, coming into contact with vulnerable people) and the health and safety risks in your setting will all be important factors to consider.

Employers should also consider conducting a Data Protection Impact Assessment, which will identify ways in which to mitigate the risks of processing data in this manner. The ICO has made it clear that collecting information about vaccination status must not result in unfair or unjustified treatment of employees.

There are practical issues to consider too. The information regarding vaccination status must be accurately recorded and stored securely. Additionally, the data processed in relation to vaccination status should only be the minimum required to achieve the aims and should not be held for longer than necessary. For example, for those who are medically exempt, the guidance confirms that an employer should record the fact they are exempt, but should not record the clinical reason for the exemption.

Questions about vaccination status

Employers may receive questions from staff or members of the public seeking confirmation that all staff, or particular members of staff, have been fully vaccinated. This can raise some complex data protection, employment law, regulatory and ethics questions. 

For patients or service users in the health and social care sector, understanding whether or not staff have been vaccinated could potentially impact on whether an individual would accept care, but equally the vaccination status of an employee is confidential information and should only be disclosed in very limited circumstances.

Employers would rarely consider sharing information about an employee’s health status with a member of the public, and striking a balance between a desire to provide individuals with sufficient information on risks and the need to protect medical information relating to staff is incredibly complex. For the social care sector, responding to questions of this nature is likely to be more straightforward post 11 November given that Covid-19 vaccination will be mandatory for care home staff.

While Covid-19 looks set to be something we need to learn to live with, the complexities about how employers deal with data about the vaccination status of staff are not going to go away. Many employers are developing specific Covid-19 privacy notices for employees to set out clearly how their data will be processed going forward, to ensure they are being as open and transparent as possible.

James Cassidy is partner and head of information law & privacy at national law firm Bevan Brittan LLP