Leigh Payne

COVID-19 Vaccinations and The GDPR - What Employers Need To Know


As the COVID-19 vaccination programme continues to roll out across the UK and the working population becomes eligible, the inevitable questions surrounding vaccinations have begun to vex employers.


In these days of uncertainty the whisper of “no jab, no job” can still be heard, although it is already recognised that, in certain cases at the very least, compelling employees to be vaccinated before permitting them to work would be a breach of established employment law.


Understandably, a tension arises between the employer’s lack of authority to compel its workforce to vaccinate and its statutory obligation to put proper safeguards in place to protect the safety of its employees, as well as that of customers, clients, suppliers or any other third parties with whom the organisation may come into contact. In order to comply with those statutory safety obligations, there will be some instances in which it is necessary for an employer to record which members of the workforce have been vaccinated and which have not. Recording this data is an acceptable route for an employer to take, as it allows appropriate safety measures to be put in place without treading on employees’ right to choose whether or not to be vaccinated.


The General Data Protection Regulation (GDPR)


When an employer identifies a need to process any personal data about its employees, due consideration must be given to how that data will be processed before any collection takes place.

The definition of special category data


The GDPR defines special category data as:

  • personal data revealing racial or ethnic origin;

  • personal data revealing political opinions;

  • personal data revealing religious or philosophical beliefs;

  • personal data revealing trade union membership;

  • genetic data;

  • biometric data (where used for identification purposes);

  • data concerning health;

  • data concerning a person’s sex life; and

  • data concerning a person’s sexual orientation.


In this instance, regarding vaccination status, the category would be data concerning health.

Processing personal data


Article 6 of the GDPR sets out that at least one of the following criteria must apply for personal data to be lawfully processed:


(a) Consent: the individual has given clear consent for their personal data to be processed for a specific purpose.

(b) Contract: the processing is necessary for a contract the data controller has with the individual, or because the individual has asked the data controller to take specific steps before entering into a contract.

(c) Legal obligation: the processing is necessary for the data controller to comply with the law (not including contractual obligations).

(d) Vital interests: the processing is necessary to protect someone’s life.

(e) Public task: the processing is necessary for the data controller to perform a task in the public interest or for their official functions, and the task or function has a clear basis in law.

(f) Legitimate interests: the processing is necessary for the data controller’s legitimate interests or the legitimate interests of a third party, unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if the data controller is a public authority processing data to perform its official tasks.)


In the case of collecting vaccination records, because this is data concerning the health of an individual it is classed as ‘special category personal data’ under Article 9 of the GDPR, which brings additional processing conditions for the employer as the data controller of that information.


In addition to having at least one lawful basis under Article 6, the data controller must also satisfy one of the conditions in Article 9(2) before processing special category data:


(a) Explicit consent

(b) Employment, social security and social protection (if authorised by law)

(c) Vital interests

(d) Not-for-profit bodies

(e) Made public by the data subject

(f) Legal claims or judicial acts

(g) Reasons of substantial public interest (with a basis in law)

(h) Health or social care (with a basis in law)

(i) Public health (with a basis in law)

(j) Archiving, research and statistics (with a basis in law)


For example, an employer may rely on legal obligation (Article 6(c)) where processing vaccination information is necessary to comply with its duty under the Health and Safety at Work etc Act 1974 to ensure the health, safety and welfare of its employees, paired with an Article 9 condition such as employment, social security and social protection. The Article 6 basis and the Article 9 condition are separate requirements; both must be identified and recorded.


Whatever the basis, it is for the data controller to ensure that an appropriate assessment of data processing activities is carried out before any processing takes place and that the data is always processed in accordance with the GDPR, in particular those principles set out at Article 5.


Documenting the decision process


Whichever lawful basis the employer settles on, the reasoning by which that decision was reached must be documented. Further, it is advisable to carry out a Data Protection Impact Assessment (DPIA) formally setting out the justifications. A DPIA gives an employer the best protection should the processing ever be questioned, or in the event of a complaint to the regulator, the Information Commissioner’s Office.


Once the decision has been made (and ideally a DPIA carried out), it is imperative that employees are informed of the new processing activity. This can be achieved through a specific privacy notice, to which employees’ attention must be expressly drawn, outlining what data is being gathered, why, who it will be shared with, how long it will be kept, and what will happen to it when it is no longer needed.


The employer will also require a specific policy document covering the processing of special category data (the ‘appropriate policy document’ that Schedule 1 of the Data Protection Act 2018 requires when relying on conditions such as employment). In the event that a DPIA is carried out, it can be used as the foundation of that policy document.


How long should employers hold vaccination data?


Any data collected about employees’ vaccination status should be held only for as long as is required for the purpose for which it was collected; once that purpose no longer applies and the data is no longer necessary, it should be deleted. This is the storage limitation principle in Article 5 of the GDPR, and it applies to all personal data, whether ordinary or special category. A defined retention period should be set, stated in the privacy notice, and actually enforced rather than left to chance.


Can employers share information about vaccination with colleagues?


If information about vaccination status must be shared, it should be done on a fully anonymised basis, and only where there is a clear business purpose for doing so. For sharing to be lawful there can be no reasonable means by which anyone examining the data could identify who has (or has not) been vaccinated. Aggregation alone does not guarantee this: a rate reported for a team of two, or a rate of 0% or 100% for any group, reveals the status of every person in it, so small groups and all-or-nothing groups must be left out of any figures that are circulated. Even with full anonymisation in place, the circulation list must be as short as possible: only those with an absolutely necessary business need to know should be included.


Although employers should not share data about an individual employee’s immunisation status with other colleagues, information about the rates of vaccination within the workforce as a whole can be shared, providing that no particular employee can be identified.
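As an added illustration, not part of the original article, of what “no particular employee can be identified” requires in practice, the following Python turns an internal vaccination register into a summary of rates by department that can be circulated. The employees, department names and the minimum group size of five are constructed assumptions for the example; the threshold is a policy choice for the employer, not a figure taken from the GDPR.

```python
"""Produce a shareable vaccination-rate summary that cannot identify individuals.

Added example, not code from the original article. The employees, departments
and the minimum group size are constructed assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Hypothetical policy threshold: a group smaller than this is never reported.
MIN_GROUP_SIZE = 5


@dataclass(frozen=True)
class Record:
    """One row of the employer's internal vaccination register."""
    employee_id: str
    department: str
    vaccinated: bool


def make_department(name, vaccinated, total):
    """Build `total` constructed records for a department; the first `vaccinated` are vaccinated."""
    return [Record(f"{name.lower()}-{i:02d}", name, i < vaccinated) for i in range(total)]


# Constructed sample register (not real people).
SAMPLE_RECORDS = (
    make_department("Warehouse", vaccinated=6, total=8)
    + make_department("Office", vaccinated=4, total=6)
    + make_department("Reception", vaccinated=1, total=2)   # too small to report
    + make_department("Finance", vaccinated=5, total=5)     # 100%: everyone's status exposed
)


def group_counts(records):
    """Return {department: (vaccinated, headcount)}; employee identifiers are dropped here."""
    counts = defaultdict(lambda: [0, 0])
    for r in records:
        counts[r.department][1] += 1
        if r.vaccinated:
            counts[r.department][0] += 1
    return {dept: (v, n) for dept, (v, n) in counts.items()}


def cell_is_disclosive(vaccinated, headcount, min_group_size=MIN_GROUP_SIZE):
    """True if publishing this (vaccinated, headcount) pair would reveal someone's status.

    A small group leaves too few candidates; a rate of 0% or 100% reveals every
    member's status regardless of group size.
    """
    if headcount < min_group_size:
        return True
    return vaccinated == 0 or vaccinated == headcount


def shareable_report(records, min_group_size=MIN_GROUP_SIZE):
    """Aggregate rates with primary and secondary suppression.

    Suppressed departments appear as None. If exactly one department were
    suppressed while the overall figure is published, its numbers could be
    recovered by subtraction, so the smallest remaining department is
    suppressed as well (secondary suppression).
    """
    counts = group_counts(records)
    suppressed = {d for d, (v, n) in counts.items()
                  if cell_is_disclosive(v, n, min_group_size)}
    total_v = sum(v for v, _ in counts.values())
    total_n = sum(n for _, n in counts.values())
    overall_ok = not cell_is_disclosive(total_v, total_n, min_group_size)
    if overall_ok and len(suppressed) == 1 and len(counts) > 1:
        smallest = min((n, d) for d, (_, n) in counts.items() if d not in suppressed)
        suppressed.add(smallest[1])
    by_department = {}
    for dept in sorted(counts):
        v, n = counts[dept]
        by_department[dept] = (None if dept in suppressed
                               else {"headcount": n, "rate_pct": round(100 * v / n, 1)})
    overall = ({"headcount": total_n, "rate_pct": round(100 * total_v / total_n, 1)}
               if overall_ok else None)
    return {"overall": overall, "by_department": by_department}


if __name__ == "__main__":
    print(shareable_report(SAMPLE_RECORDS))
```

Run as a script, this reports rates for Warehouse and Office, suppresses Reception (two people) and Finance (everyone vaccinated), and gives an overall rate for the 21 staff. Only the summary leaves the function; employee identifiers never reach the output. Publishing the headcount next to the rate does let a reader back out the raw count, which is acceptable once a group has passed both checks, but the same report should still go only to the short circulation list the article describes.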