| HR & EMPLOYMENT LAW
Jackie Le Poidevin, Editor-in-Chief, HR Adviser |
Can We Ask Our Employees for their Vaccination Status?
Question: With the new guidance coming in on Monday regarding double vaccinated people not having to isolate if they have been in contact with a positive case, do you have information on where we stand as a business? Are we legally allowed to ask for the vaccination cards as proof to say the individual is double jabbed? How would you advise we approach this?
Answer: This isn’t clear cut. The UK Information Commissioner’s Office (ICO) guidance states that if you only check someone’s status on the NHS Covid app or a physical document and don’t retain the information, this isn’t processing and the GDPR doesn’t apply. If you make a record of the person’s vaccination status, the GDPR will apply. The ICO state that:
‘Your reason for recording your employees’ vaccination status must be clear and necessary. If you cannot specify your use for this information and are recording it on a ‘just in case’ basis, or if you can achieve your goal without collecting this data, you are unlikely to be able to justify collecting it.’
‘Legitimate interests is most likely to be appropriate’ as your lawful basis for collecting and storing information about vaccination status ‘but you need to make your own assessment for your organisation’. Also, ‘Consent is rarely appropriate in an employment setting given the imbalance of power between the employer and employee.’
So, it’s not saying that you definitely can’t collect this information – but it’s not exactly giving you an enthusiastic thumbs up either. In contrast, the data protection regulator in Ireland has said there’s no legal basis for collecting vaccination data under the GDPR. Obviously, companies based in the UK don’t need to follow what the Irish regulator is saying but if different regulators can’t even agree on this issue, that makes it quite difficult to know what advice to give.
Think Carefully Before You Ask for this Information
As the ICO says, the starting point is to think about why you want to collect this information. You may feel that it’s important from a legal point of view to check whether an employee is exempt from the duty to self-isolate. However, it’s the individual who has a legal obligation to comply with the self-isolation rules – you will only commit an offence if you ‘knowingly’ allow someone who ought to be self-isolating to attend work. Except in the care sector, where different rules apply, it’s therefore unlikely you can argue you need to collect information on vaccination status to comply with a legal duty (which is the third permissible reason, along with legitimate interests and freely given consent, for collecting personal data).
From a practical point of view, it seems likely that those employees who are happy to share their vaccination status would do the right thing and self-isolate when they’re meant to in any case. Someone who reluctantly shares their vaccination status, isn’t double jabbed and is supposed to self-isolate, might keep quiet and come into work regardless so they don’t lose pay. So you won’t have achieved anything by forcing them to reveal their vaccination status.
You also need to bear in mind that asking about vaccination status on its own isn’t necessarily very helpful. Someone can be double jabbed but still catch and transmit the virus. The government is recommending these people take a PCR test if they come into contact with someone who’s positive but this isn’t a legal requirement. So you would need to think if you also wanted to ask for proof of a positive or negative test in appropriate cases.
Is the Data Absolutely Necessary?
Also, the ICO says you shouldn’t collect data about vaccination status if you can achieve your goal without collecting this data. Presumably, your goal would be to reduce the risk of staff catching the virus from colleagues. Although the social distancing requirements have been removed, you could still require employees to keep 2 metres apart (unless there’s a really good reason why this isn’t possible). Along with measures such as good ventilation and cleaning, this should be enough to show you’ve complied with your health and safety duties, without needing to ask about vaccination status.
What You Can Do Next
One option would be simply to write to staff setting out:
- How the self-isolation rules are changing.
- That if they attend work when they should be self-isolating, you will treat this as a serious disciplinary offence and they could face dismissal.
Alternatively, you could ask employees if they’re willing to share their vaccination status on a purely voluntary basis. You should make clear they’re entitled to withhold the information and won’t face disciplinary action or detrimental treatment if they do so. Explain why you are asking and what you’re going to do with the information and follow the data protection rules on storage and so on.
Despite what the ICO has said about consent not being a lawful basis, this seems much safer to me than relying on ‘legitimate interest’ (i.e. saying, ‘We need this information so you have to give it to us’). Those who happily give you the information (which is likely to be most employees) are unlikely to complain to the ICO. And those who don’t give it to you haven’t been forced to reveal their sensitive medical information on pain of dismissal.
If anyone does refuse, you can then think about whether you’re going to move on to demanding the information on the grounds that you have a legitimate business interest in doing so. At the moment, going that extra step seems risky but attitudes may change.