Can employers ask if staff have been vaccinated?
If employers have a good reason for needing to know, they may be able to ask if staff have or have not received a certain vaccination. An example of a good reason for needing to know is to ensure the health and safety of the wider workforce or of a business’ customers or clients.
While asking potential candidates if they have been vaccinated during recruitment may be justified in certain sectors or job roles (eg where there is a particular health and safety exposure), asking health-related questions in interviews is likely inappropriate in most situations. Instead, medical information should be dealt with as a condition of an offer.
Employers should bear in mind that, while they can encourage staff members to receive certain vaccines (eg by adopting an Employee vaccination policy), they cannot require staff members or potential staff members to be vaccinated.
For more information on staff vaccinations, read Vaccinations in the workplace.
Data protection considerations when recording staff vaccination statuses
Medical information relating to staff members’ vaccination statuses constitutes 'special category ‘sensitive’ personal data' (also known as ‘special category ’ or ‘sensitive’ personal data), as it is information from which individuals could be identified that relates to personal health. Employers who decide to keep a record of this data must do so in accordance with the UK’s data protection laws (including those set out in the UK General Data Protection Regulations (GDPR) and the Data Protection Act 2018). Employers should take extra care with these records as sensitive personal data must receive greater protection than other forms of personal data (eg greater protection than names and contact details).
For more information, read Data protection.
Reasons for collecting vaccination information
Collecting, recording, storing, or using information about a staff member’s vaccination status constitutes ‘processing’ of this sensitive personal data. The processing of sensitive personal data is not permitted unless the use of this data is fair, relevant, and necessary for a specific purpose. For employers, this means that they can typically only process data about vaccinations if vaccination records are necessary and proportionate.
Proving that your data processing is necessary involves identifying which of the 6 lawful bases (ie grounds) for processing you are relying on. For example, you could be processing vaccination data:
-
to enable you to protect others’ health and safety (ie because doing so is in the vital interests of your other staff members)
-
for reasons of public interest related to health (eg to protect high-risk individuals)
-
to comply with a legal obligation (eg a specific piece of legislation, like a currently effective Act of Parliament)
When considering whether it’s necessary to process data about a staff member’s vaccination status, employers should be aware that they’re unlikely to be able to justify collecting this data if they cannot specify a specific use for this information (ie they are recording it ‘just in case’) or if they could achieve their goal (eg safety) in another way without collecting this data. For example, an employer should consider and document why other methods of protection are insufficient for achieving their purpose. Considering the sector the employer operates in, the kind of work staff do, and the workplace’s specific health and safety risks should help employers decide if they have a justified reason for checking vaccination statuses.
Transparency
An employer’s reason for checking and/or recording staff members’ vaccination statuses must also be clear and transparent. This means making it clear to staff:
-
the reason why the employer is collecting this data (ie what they are trying to achieve), and
-
how collecting vaccination information will help the employer to achieve this aim (including why other measures would not be sufficient alternatives)
Employers should also inform staff about:
-
which personal data is required
-
what this data will be used for
-
who the data will be shared with
-
what decisions will be made based on the data
High risk data processing
Because information about vaccinations is related to staff health, it is special category personal data. This means that, as well as relying on a lawful basis, in order to lawfully process this data employers must identify a ‘condition for processing’ that justifies their collection of vaccination information. Conditions for processing that may be relevant include:
-
explicit consent
-
vital interests
-
substantial public interest
-
health and social care
For more information, read Compliance for DPIAs.
If the use of data collected is likely to result in a high risk to staff members (eg denial of work opportunities), as is likely to be the case with health data, an employer also needs to complete a Data protection impact assessment (DPIA) before they begin processing this data. This will also be necessary if you’re processing the data on a large scale. A DPIA is a process that helps to identify and minimise data protection risks by analysing the data processing that is to be carried out. For more information, read Data protection impact assessments.
Equal treatment
Employers must also be careful that collecting vaccination information doesn’t result in any staff or others being treated unfairly. For example, if it’s likely that collecting vaccination information will lead to consequences like fewer job advancement opportunities, an employer must be able to justify collecting it despite this. For more information, read Data protection principles (particularly the section on lawfulness, fairness and transparency).
If you have any questions about processing sensitive personal data, Ask a lawyer. For more information, read Processing personal data.
How should information related to staff vaccinations be recorded?
There is no hard and fast rule for how information relating to staff vaccinations should be recorded.
When storing information on staff members’ health (like vaccination statuses), employers must have appropriate security measures in place to protect this data. As health information is special category personal data, employers must have a high level of security in place (ie the data must be kept particularly secure). Depending on the nature of the employer’s business, it may be advisable to keep information about staff health on a separate database or system or subject to separate access controls (eg password protection).
Further, access to this type of special category data should only be granted on a ‘need to know’ basis, with only those who absolutely need to know having access to the data. Managers should only have access to this data where it is necessary for them to undertake their management responsibilities.
For more information, read Data protection principles (particularly the section on integrity, confidentiality, and security) and Information security and cyber security.
For how long should records of staff vaccination statuses be kept?
There is no hard and fast rule on how long records of staff vaccination statuses should be kept. However, employers should not keep personal data (including health data, like vaccination statuses) for longer than needed. Employers need to carefully consider how long they need to keep this type of staff data for (including for former staff members). They also need to be able to provide a justification for retaining this data. Employers should also regularly review their records and delete or anonymise them when they are no longer needed.
For more information, read Data retention and document destruction. Creating a Data retention policy can help manage staff vaccination data storage.
If you have any questions or require assistance, Ask a lawyer. Consider using our GDPR compliance service to ensure your business complies with all relevant data protection laws.
