Dashboard
Dashboard Make a document Ask a lawyer Get guidance Home
Account
Profile information Account settings
Logout
Help
Help Contact us
Explore
Make documents Ask a lawyer Get guidance About us
Account
Sign up Log in
Help
Help Contact us
Make documents
Easily make legal documents
See all documents
Popular business documents
Popular employment documents
Popular property documents
Popular family documents
Terms and conditions Privacy policy Non disclosure agreement Shareholders' agreement
Employment contract Health and safety policy Settlement agreement Consultancy agreement
Tenancy agreement Lodger agreement Eviction notice Declaration of trust
Affidavit Prenuptial agreement Last will and testament Power of attorney
Ask a lawyer
Get quick legal advice from a lawyer
Ask your question
Popular legal topics
Bespoke legal drafting Start a business Startup legal help Run an online business
Hire employees Manage employees Discipline employees Dismiss employees
Rent residential property Rent commercial property Manage rented property Tenant eviction service
Get divorced Apply for probate IR35 status determination advice Settlement agreement advice
Get guidance
Get reliable legal guidance
Read legal guides
Popular business guides
Popular employment guides
Popular property guides
Popular family guides
Make terms and conditions Run a private limited company Types of shares Ending a contract
Overpayment of wages Notice periods Summary dismissal Implied employment terms
Declaration of trusts Legal interests in property Section 21 notices Security of tenure
Affidavits Executing a will Changing your name Getting married
About us
Learn more about Rocket Lawyer
Contact us
Get more information
Pricing
Help
About us
Careers
  1. /gb/en
  2. Legal guides
  3. How to record the Coronavirus (COVID-19) vaccination status of staff

How to record the Coronavirus (COVID-19) vaccination status of staff

Employers need to ensure the health and safety of staff returning to work during the Coronavirus (COVID-19) pandemic and this may include encouraging all staff to be vaccinated. Employers need to make sure to comply with data protection requirements when recording the vaccination status of staff.

How to make an Employee vaccination policy
Get started
Answer a few questions. We'll take care of the rest

Provided they have a good reason for needing to know, employers can ask if staff have or have not been vaccinated. An example of a good reason for needing to know is to ensure the health and safety of the wider workforce.

While asking potential candidates if they have been vaccinated during recruitment may be justified in certain sectors or job roles (eg where there is a particular health and safety exposure), asking about health-related questions in interviews is likely inappropriate. Instead, medical information should be dealt with as a condition of an offer.

Medical information relating to a staff member’s vaccination status constitutes 'special category sensitive personal data' (as it relates to personal health) and employers who decide to keep a record of this data must do so in accordance with the UK General Data Protection Regulations (GDPR) and Data Protection Act 2018 (DPA). This is especially important as sensitive personal data is awarded greater protection than other forms of personal data (eg names and contact details). For more information, read Data protection.

The processing (eg obtaining and recording) of sensitive personal data is not permitted unless the use of this data is fair, relevant and necessary for a specific purpose. For employers, this means that they can typically only process data regarding vaccinations if vaccination records are necessary and proportionate. Employers may, for example, ask staff about their vaccination status in order to comply with employment law, the employer’s health and safety duties and for reasons of the public interest in health.

An employer’s reason for checking (or recording) staff’s vaccination status must also be clear and transparent. This means that if an employer cannot specify a specific use for this information and is recording it ‘just in case’ or if they can achieve their goal without collecting this data, employers are unlikely to be able to justify collecting it. The sector the employer operates in, the kind of work staff does and the workplace health and safety risks should help employers decide if they have a justified reason for checking vaccination statuses.

If the use of the data collected is likely to result in a high risk to staff (eg denial of work opportunities), as is likely to be the case with health data, employers need to complete a data protection impact assessment (DPIA) before they begin processing the data. A DPIA is a process that helps identify and minimise data protection risks, by analysing the processing to be carried out. More information on DPIAs, and a DPIA template, can be found on the Information Commissioner’s Office (ICO) website.

When making a record of staff’s vaccination status this constitutes processing personal data which must be processed lawfully, fairly and transparently. When collecting these records employers should: 

  • undertake a Data Protection Impact Assessment where necessary

  • identify a lawful basis for processing eg ‘legitimate interest’ for health and safety reasons 

  • consider and document why other methods of protection are insufficient (eg social distancing, face coverings, and determine why it is necessary to collect data on staff’s vaccination)

  • inform staff about:

    • what personal data is required

    • what this data will be used for

    • who the data will be shared with

    • how long the data will be stored for

    • what decisions we will make based on the data held 

If you have any questions about processing sensitive personal data, Ask a lawyer. For more information, read Processing personal data and the ICO guidance.

As with staff members, businesses can check visitors’ COVID-19 status, provided they are clear about what they are trying to achieve (eg ensuring the health and safety of staff) and how asking for visitors’ COVID-19 status helps to achieve this.

English residents can show their COVID-19 status by using the NHS Covid Pass, which shows the visitor’s vaccination details or test results. 

As with members of staff and recording their vaccination status, care needs to be taken when asking visitors to show their COVID-19 status, as this private health information is special category data and therefore subject to greater levels of data protection requirements. For more information, read Data protection for Test and Trace and the ICO guidance.

How to make an Employee vaccination policy
Get started
Answer a few questions. We'll take care of the rest

Follow us

We use cookies to provide the best experience