Processing COVID-19 Vaccination Data in the workplace
The Data Protection Commission (DPC) has issued guidelines relating to what information employers can process in relation to their employees under COVID-19 return to work procedures and their vaccination status. They examine the question as to whether employers can lawfully collect and process information about the COVID-19 vaccination status of their employees.
The DPC considers the processing of an employee’s vaccine data is likely to represent an unnecessary and excessive data collection for which no clear legal basis exists. This position has been arrived at in the absence of clear advice from public health authorities in Ireland that it is necessary to establish vaccination status of employees and workers. This is especially so where there is no public health advice stating for what purpose the data would be collected.
One of the main principles of GDPR is data minimisation. Processing of personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means. In practical terms this means that you should employ the recommended methods for achieving workplace safety before considering whether the processing of an employee’s personal data is necessary. These measures include, hand washing, physical distancing, adequate ventilation, and working from home where possible.
Special category personal data
An employee’s health record is afforded additional protections under GDPR. It follows that information about an employee’s vaccination status is covered under this category.The vaccination is not compulsory. It is being rolled out on an age related basis. These are further reasons why processing vaccination data is not considered necessary or proportionate.
Employers should not ask their employees for vaccination data as there is an imbalance between the data controller (employer) and the data subject (employee). The necesssary consent may not be freely given.
Medical Officer of Health
Where a Medical Officer of Health while carrying out their duties under the Infectious Diseases Regulations 1981 requires information regarding the vaccination status of employees, this limited type of processing is permissible when carried out on a case by case basis, on the grounds of necessity.
The Work Safely Protocol: National Protocol for Employers and Workers
The guidelines recommend that in all contexts, the processing of health data in response to the COVID-19 Pandemic, should be guided by the Government’s public health policies. The current version of the Work Safely Protocol suggests that there is a limited set of circumstances in which vaccination should be offered as a workplace health and safety measure (as provided by the Safety,Health and Welfare at Work (Biological Agents) Regulations 2013 and 2020 ). Frontline health care services may consider vaccination as a sector specific safety measure. For example, the Medical Council’s Guide to Professional Conduct and Ethics for Registered Medical Practitioners states that practitioners “should be vaccinated against common communicable diseases”.
What about travel?
In a situation where an employee is available for work after travelling to Ireland from abroad and undergoing any required period of self-isolation, the employee should be asked on what date they will be in a position to return to work. It is not necessary to record the employee’s vaccination status.
Subject to change
The guidelines clearly state that they follow the Government’s public health policies. It follows, therefore, that the guideline may change if the public health advice changes in response to the evolving status of the response to the COVID-19 pandemic. Stay up to date as far as possible.
Where can I get help with implementing the Return to Work Safely Protocol?
Getting the business back to full swing can be challenging enough. If you would like some help applying the Work Safely Protocol to your workplace, so as to ensure that the safety of your employees and clients is paramount, please feel free to contact us using the orange Yes! Tell Me More button below.. We will contact you at a time that suits.
For more on GDPR see
For more see Return to Work COVID-19 Induction course here
Download DETE booklet Data Protection Work Safely Protocol here