Make your Free Employee Vaccination Policy

Create an employee vaccination policy to set out your business’ approach towards coronavirus (COVID-19) vaccines in the workplace and where possible, encourage staff to be vaccinated. 

Recently reviewed by Lauren Delin, Solicitor. 

This employee vaccination policy was last reviewed on 17 August 2021.

An employee vaccination policy sets out an employer's approach to staff coronavirus (COVID-19) vaccinations. It supplements the employer’s existing Health and safety and Sickness policies and encourages staff to be vaccinated against coronavirus (COVID-19) where possible.

Use this vaccination policy if you:

• are a business engaging staff

• want to encourage staff to get vaccinated against coronavirus (COVID-19), where possible

• are not a healthcare provider or care home

This employee vaccination policy covers:

• the important of coronavirus (COVID-19) vaccines

• the employer’s position regarding coronavirus (COVID-19) vaccinations

• steps taken to reduce the risk of coronavirus (COVID-19) 

• time off for vaccinations

• time off for vaccination side effects 

• the processing of staff personal data

Employers have a duty to ensure the health and safety of staff. This includes the obligation to ensure the safety of staff returning to work during the Coronavirus (COVID-19) pandemic, which may include encouraging staff vaccinations. Having a written vaccination policy in place demonstrates that employers are complying with these obligations.

While employers can encourage staff to be vaccinated where possible, employers cannot require staff (or potential staff) to be vaccinated. Even if an employer prefers staff to be vaccinated, care must be taken not to discriminate (eg some individuals may be advised not to have the vaccine due to health reasons).

If a staff member does not get vaccinated, employers should listen to their concerns, bearing in mind that some individuals may not be able to get the vaccination (eg because of health reasons, such as a compromised immune system) or may have health concerns (eg an allergic reaction to the vaccine). 

Employers should remain sensitive to personal situations and keep concerns (especially those relating to health) confidential.

For more information, read Coronavirus (COVID-19) vaccinations in the workplace.

Employers can ask staff if they have or have not been vaccinated, provided they have a good reason for needing to know. An example of a good reason for needing to know is to ensure the health and safety of the wider workforce. 

An employer’s reason for checking (or recording) vaccination status must be clear and transparent. This means that if an employer cannot provide a specific use for this information and is recording it ‘just in case’, or if they can achieve their goal without collecting this data, employers are unlikely to be able to justify collecting it.

To decide if you have a justified reason for checking vaccination statuses, consider:

• the sector you operate in

• the kind of work staff do

• relevant workplace health and safety risks

• sector-specific government guidance

For more information, read How to record the Coronavirus (COVID-19) vaccination status of staff.

To comply with staff health and safety obligations, employers need to assess any risks created or posed in the course of their business, including the risk of Coronavirus (COVID-19) infection. The legal requirement to explicitly consider COVID-19 in risk assessments will end on 1 April 2022, but considering related risks is still good practice. Employers should complete a Return to work risk assessment to identify and implement measures of avoiding or mitigating any risks in accordance with health and safety laws. 

Considering the government’s vaccination programme and encouraging staff to be vaccinated is an example of a step taken to reduce the risk of Coronavirus (COVID-19). 

For more information read Employee health and safety in the workplace during the Coronavirus (COVID-19) crisis and Risk assessments at work.

Information about staff vaccination status constitutes 'special category sensitive personal data' (as it relates to personal health) and employers who decide to keep a record of this data must do so in accordance with data protection laws (eg the UK General Data Protection Regulations (GDPR) and Data Protection Act 2018). This is especially important as sensitive personal data is awarded greater protection than other forms of personal data (eg names and contact details). 

The processing (eg obtaining and recording) of sensitive personal data is not permitted unless the use of the data is fair, relevant and necessary for a specific purpose. For example, employers may ask staff about their vaccination status in order to comply with employment law, the employer’s health and safety duties and for reasons of the public interest in health.

The recording of staff vaccination status constitutes the processing of personal data. When collecting and recording such data, employers should: 

• undertake a data protection impact assessment where necessary

• identify a lawful basis for processing (eg ‘legitimate interest’ for health and safety reasons)

• consider and document why other methods of protection are insufficient (eg social distancing, face coverings) and determine why it is necessary to collect data on staff’s vaccination

• inform staff about what personal data is required, what this data will be used for, who the data will be shared with, how long the data will be stored for and  what decisions we will make based on the data held

A data protection impact assessment (DPIA) needs to be completed before data is collected if the use of the data is likely to result in a high risk to staff (eg denial of work opportunities). This is likely to be the case with health data such as vaccination status.

A DPIA is a process that helps identify and minimise data protection risks, by analysing the processing to be carried out. A DPIA template can be found on the Information Commissioner’s Office (ICO) website.

For more information, read How to record the Coronavirus (COVID-19) vaccination status of staff.

A Data protection and data security policy sets out the policies and procedures a business will comply with when dealing with staff personal information and personal data. Where an employer is processing personal data (eg recording or storing information relating to staff vaccination status) a data protection and data security policy: 

• ensures that employers have a systematic approach to comply with any laws and regulations

• informs staff about the employer’s duties in relation to staff personal data

• clearly sets out the procedures for collecting, storing and processing staff data

For more information, read How to record the Coronavirus (COVID-19) vaccination status of staff.

If staff members refuse vaccination, employers will need to consider other steps that can be taken to ensure the health and safety of all staff.

Where staff refuse an employer’s reasonable instruction regarding vaccination, the employer may consider disciplinary action. However, this is not without risk as it has not yet been established in the courts that requiring a Coronavirus (COVID-19) vaccine is reasonable.

As a result, any disciplinary action carries with it risks unfair dismissal, discrimination or other claims being brought against the employer. Employers should therefore be very careful when considering taking steps towards the disciplinary processes and dismissal.