Ireland’s DPC issues guidance on the collection of data regarding vaccination statuses in the context of employment.
As the world slowly opens up again, and employees in certain industries are being encouraged to move back into the workplace, employers are seeking guidance on the best approach to employee vaccination and employee data. Can, or should, employees be required or encouraged to get vaccinated? Can employers lawfully collect and process employee vaccination statuses? What can be done with any information on employee vaccination status? As vaccination programmes develop throughout the EU and several persons are at least partially, or fully, vaccinated, public health authorities and data protection authorities are giving guidance to employers on whether they require specific information, how much information they can lawfully collect and what exactly they are allowed to do with this information. The DPC, the Irish supervisory authority, has recently issued a statement guiding employers on how best to deal with employee vaccination data.
The processing of health data should be in line with governmental public health policies.
The processing of health data should be guided by the government’s public health policies. The work safety protocol suggests that there are very few circumstances in which vaccination should be offered as a health and safety measure in the workplace. This is set out in the Health and Welfare at Work Regulations of 2013 and 2020. There are exceptions to this: in healthcare, for example, vaccination can be considered necessary for the safety of frontline workers. In these situations, employers are lawfully allowed to process vaccine data for employees. Regardless of the vaccine rollout, however, in a general workplace setting, measures like physical distancing, wearing masks, and working from home unless absolutely necessary should remain in place. These should all be considered and enforced before considering whether the knowledge of employees’ vaccination status is a necessary measure. The principle of data minimisation suggests that these measures should be implemented, avoiding the need to process employee data unless absolutely necessary.
Under the GDPR, health data is considered special category data, and afforded protection.
The long-term efficacy of vaccination is currently not clear. With the possibility of new variants being spread, or the possible necessity for regular or semi-regular vaccine top-ups to maintain immunity, the processing of data concerning vaccine status cannot currently be considered necessary across the board. In addition, a person’s vaccination status is part of their personal health record, and is considered special category personal data under the GDPR. This category of information is afforded certain protection under EU data protection law. A requirement for an employer to process personal data may create an imbalance between the data subject and the data controller, because the controller is an employer with control over the data subject’s employment status. Employees should not be asked to consent to having their vaccine data processed, as in this instance consent is not likely to be freely given.
Even in situations where certain information may be required from employees in the context of the pandemic, personal health data remains protected.
There are certain situations in which an employer or a medical officer may need to request certain categories of health data from employees. In the COVID-19 context, for example, if an employee were to travel in the current climate, an employer may need to know when the employee will be available to work following their trip. In some cases, a period of isolation or quarantine will be required following travel. The information to be requested or recorded from employees in this instance is not limited or specific to their vaccination status, however. Employees should instead be asked to indicate the date on which they would be available to return to the workplace. As public health advice and information regarding the nature of the virus is updated, protocols may change. However, in sectors where the collection of vaccine information may be necessary, employers should remain up to date on public health guidance.