Spring is here. Restrictions are lifted (at least some of them). Vaccinations under way. International travel may not be on the cards yet, but at least we are finally able to enjoy what Ireland’s wider outdoors have to offer. All is good. Even the return to the office might be possible soon. If you are a business owner, you may need to start planning for your employees’ return. You may be tempted to think that, to ensure a safe return to the office for everyone, you can just ask for employees’ vaccination status before they come in. Slow down now. Hold on. There are some things to consider first.
As with all data, you need a legal basis for processing it. Vaccination status is the employee’s health status and as such is private to them. The vaccination status therefore falls under what is considered special category data like any other of your employees’ health data. Due to its sensitivity, special category data has a higher level of protection under the EU General Data Protection Regulation (GDPR). An employer’s use of this data must be fair, necessary and relevant (my emphasis).
First of all, you are likely to need a Data Protection Impact Assessment (DPIA) to establish the purpose and justification for collecting such data, as there may be a high risk to individuals (for example, it could lead to them being denied employment opportunities).
What is your purpose?
Before you decide on collecting employee vaccination status, you must be clear about what you are planning to use it for and how the vaccination status would help you to achieve this.
The reason for recording your employee’s vaccination status must be compelling. It is unlikely to fit this description if you have no specific use for the information and are only recording it ‘just in case’ you might need it later.
Is the purpose necessary and proportionate?
To test if it is necessary and proportionate to ask employees for this data, you should consider the sector you work in, the kind of work your staff do, and the health and safety risks in your workplace.
For example, if your employees are working in a hospital or care facility where they are likely to come into contact with COVID-19, collecting the vaccination status is likely to help you reduce the risk to your employees’ health and further spread of the virus. In this case, collecting the data may be necessary and proportionate.
If you can achieve the same purpose by other means, then collecting the data cannot be seen as necessary. For example, you might achieve the same outcome simply by asking employees to read and agree to the public health guidelines before coming into the office.
Collecting this information should also not result in any unfair or unjustified treatment of employees (such as denial of employment). You must only use the data for its intended purpose.
What is your legal basis?
If there is a good and compelling reason for collecting the vaccination status, there needs to be a lawful basis for processing it. For public authorities, this might be a ‘public task’, whereas for public/private employers, legitimate interest is most likely to be appropriate, although you must also conduct a legitimate interest assessment.
Given the vaccination status is special category data, you must also identify a lawful basis in Article 9. There are two to consider:
- Article 9 (2) (b) – processing is necessary in the field of employment
- Article 9 (2) (i) – processing is necessary for reasons of public interest in the area of public health.
If you use public interest as the lawful basis, you must ensure that a health professional carries out the processing, or you must keep the data confidential.
Consent is rarely appropriate in an employment setting given the imbalance of power between employer and employee.
Do I have to inform my employees?
Yes. If you have a compelling reason to collect the data, you must tell your employees – providing the details as per Article 14. This includes the specific reason for collecting the data, how it is used and processed, who it is shared with, and how long you are planning to keep the data. Providing this information is necessary to ensure that the processing is fair and lawful.
The information should be provided at the point of collection and in a form relevant to how the data is collected. In other words, if you ask employees to fill out a paper form, the form may also contain this information rather than, for example, referring people to a website they may not have access to at the time of collection.
What else do you need to consider?
You must ensure that the data is kept safe and secure. Do not disclose it to other colleagues routinely: only people who need to see the information – for the purpose it was collected – should have access to it.
Finally, you should only retain data as long as is necessary, for the purpose it was collected. You should regularly review whether you still have grounds for collecting and retaining this information. This review should include monitoring the latest government and scientific advice on the vaccine roll-out and coronavirus restrictions.