Vaccine passport landscape and data protection
At this time, our understanding is that a ‘vaccine passport’ is a general term used to describe a form of proof of vaccination received by the individual once they’ve received their Covid-19 vaccine. Proof of vaccination is medical information and would therefore be categorised as ‘Special Category Data’ and requires a higher level of protection than standard, non-sensitive personal data.
We are beginning to witness a vaccine passport/other proof of vaccination being sought in a number of situations – for example prior to allowing international travel and in certain circumstances, employment and access to services, events and hospitality.
From a data protection and privacy perspective, the vaccine passport gives rise to a number of considerations. Data protection is a fundamental human right, founded on fairness and transparency, and is not a barrier to sharing information where it is necessary and proportionate to do so.
This article covers the following:
Can I collect data about whether my employees are vaccinated against Covid-19?
An employer must be very clear about what they are trying to achieve and how recording staff vaccination status will help achieve this. Whether an individual has been vaccinated is their private health information and is therefore special category data. The use of this data must be fair, necessary and relevant for the specific purpose it is being processed.
You must have a clear and compelling reason for recording an employee’s vaccination status. If you have no specified use or real need for this information and are recording it on a ‘just in case’ basis, or if you can achieve your goal without collecting this data, you are unlikely to be able to justify collecting it. You should also bear in mind that accepting the offer of a vaccine is a personal decision, which could be influenced by a number of factors.
Data protection is only one of many factors to consider when asking employees whether they have received the COVID-19 vaccine. You should take into account:
Consideration should also be given to other regulations in your industry and the latest government guidance for your sector.
The sector you work in, the kind of work your staff do and the health and safety risks in your workplace should help you to decide if you have compelling reasons to ask and/or record whether your staff have had the COVID-19 vaccine. For example, if your employees:
This may form part of your justification for collecting employee vaccination status. However, if you only keep on record who is vaccinated for monitoring purposes, it is more difficult to justify holding this information.
The collection of this type of information must not result in any unfair or unjustified treatment of employees and should only be used for purposes they would reasonably expect. You should treat staff fairly and if the collection of this information may have a negative consequence for an employee, you must be able to justify its collection and how you use it. When considering fairness, you should also remember that the vaccine is being offered to people at different times (e.g. elderly or those with pre-existing conditions first) and some people may not yet have been offered a vaccination/it may be some time before they receive it.
If the use of this personal information is likely to result in a high risk to individuals (e.g. denial of employment opportunities) then you need to complete a data protection impact assessment. (You may also need to take specific employment advice.)
What lawful basis should I use to record my employees’ vaccination status?
Vaccination status is health data, which has the protected status of ‘special category data’ under Data Protection (Jersey) Law 2018, meaning it requires extra protection. You must therefore identify one of the conditions for processing as set out in Schedule 2 Part 2 of the Law before you start any processing.
For public authorities carrying out their function, public function may be an appropriate legal basis for processing.
Consent is rarely appropriate in an employment setting given the imbalance of power between the employer and employee, and maybe withdrawn by the data subject. You can find more information about consent under DPJL here.
What else do I need to do if I collect information about whether my staff are vaccinated?
If you decide that you can justify recording whether your staff have had the vaccine, you must be transparent, for example, this includes it being noted in the staff privacy policy, clear and concise communication to the staff etc. You must make sure that your employees understand why you need to collect this information, and what you’re using it for.
You should accurately record the information that you collect and ensure that the collection and storage is secure. You should respect any duty of confidentiality you owe to employees and should not routinely disclose vaccine status among colleagues unless you have a legitimate and compelling reason to do so.
You should regularly review whether you still have grounds for the collection and retention of this information as the vaccination roll-out progresses, more people receive the vaccine and more information becomes available about its effectiveness. This should include monitoring the latest government and scientific advice on the vaccine roll-out and coronavirus restrictions.
Can I request to know if visitors, suppliers and contractors are vaccinated against COVID-19?
You will need to assess this in the same manner as the employee question. What is the purpose and why. Is it proportionate? Are there other means of achieving the same objective?
What employee privacy and confidentiality concerns should employers bear in mind when deciding how to handle employee vaccinations?
Data protection law approaches any initiative that processes (uses) high volumes of personal information, and especially high-risk medical information, with these questions;
