Profile information Account settings
Logout
Sign up Log in

How to record the Coronavirus (COVID-19) vaccination status of staff

Employers need to meet their legal duty to ensure the health and safety of staff during the Coronavirus (COVID-19) pandemic. Doing so may involve encouraging staff to be vaccinated. It may also include collecting information about staff members’ vaccination statuses. 

Employers must be careful to comply with data protection requirements when recording the vaccination status of staff. This is particularly important now that dealing with Coronavirus (COVID-19) has become part of everyday life.

Last updated 3 November 2022.

How to make an Employee vaccination policy
Get started
Answer a few questions. We'll take care of the rest

If they have a good reason for needing to know, employers may be able to ask if staff have or have not been vaccinated. An example of a good reason for needing to know is to ensure the health and safety of the wider workforce or of a business’ customers or clients.

While asking potential candidates if they have been vaccinated during recruitment may be justified in certain sectors or job roles (eg where there is a particular health and safety exposure), asking health-related questions in interviews is likely inappropriate in most situations. Instead, medical information should be dealt with as a condition of an offer.

Earlier in the Coronavirus (COVID-19) pandemic, collecting information about staff’s vaccination status was easier to justify in order to comply with data protection laws. Now that Coronavirus (COVID-19) mitigation measures have been relaxed in the UK, businesses must be extra careful to have a good reason for collecting this information.

Medical information relating to a staff member’s vaccination status constitutes 'special category sensitive personal data' (also known as ‘special category personal data’), as it is information from which individuals could be identified that relates to personal health. Employers who decide to keep a record of this data must do so in accordance with the UK’s data protection laws, as set out in the UK General Data Protection Regulations (GDPR) and the Data Protection Act 2018 (DPA). Employers should take extra care with these records as sensitive personal data must receive greater protection than other forms of personal data (eg names and contact details). For more information, read Data protection.

Reasons for collecting vaccination information

Collecting, recording, storing, or using information about staff’s vaccination status constitutes ‘processing’ (eg obtaining and recording) of this sensitive personal data. The processing of sensitive personal data is not permitted unless the use of this data is fair, relevant, and necessary for a specific purpose. For employers, this means that they can typically only process data about vaccinations if vaccination records are necessary and proportionate

Proving that your data processing is necessary involves identifying which of the 6 lawful bases (ie grounds) for processing you are relying on. For example, you could be processing vaccination data:

  • to enable you to protect others’ health and safety (ie because it’s in the vital interests of your staff, who are the ‘data subjects’)

  • for reasons of public interest related to health (eg to protect high-risk individuals)

The lawful basis of complying with a legal obligation can no longer be used if the specific legislation that your processing was necessary to comply with has expired (ie if it’s no longer effective). This will be the case for most short-term legislative measures that were put in place to manage the immediate effects of the pandemic. If you’re still processing data to comply with Coronavirus (COVID-19) related legislation, you should check that this legislation is still in place and, if it’s not, rely instead on a different lawful basis or stop processing vaccination data.

When considering whether it’s necessary to process data about staff’s vaccination status, employers should be aware that if they cannot specify a specific use for this information and they are recording it ‘just in case,’ or if they could achieve their goal (eg safety) in another way without collecting this data, they’re unlikely to be able to justify collecting it. For example, employers should consider and document why other methods of protection are insufficient (eg social distancing and face coverings) for achieving their purpose. Considering the sector the employer operates in, the kind of work staff do, and the workplace’s specific health and safety risks should help employers decide if they have a justified reason for checking vaccination statuses.

Transparency

An employer’s reason for checking (or recording) staff’s vaccination status must also be clear and transparent. This means making it clear to staff: 

  • the reason why the employer is collecting this data (ie what they are trying to achieve), and

  • how collecting vaccination information will help the employer to achieve this aim (including why other measures would not work as alternatives)

Employers should also inform staff about:

  • which personal data is required

  • what this data will be used for

  • who the data will be shared with

  • how long the data will be stored for, and

  • what decisions will be made based on the data

High risk data processing

Because information about vaccinations is related to staff’s health, it is special category personal data. This means that, as well as relying on a lawful basis, in order to lawfully process this data employers must identify a ‘condition for processing’ that justifies their collection of vaccination information. Conditions for processing that may be relevant include:

  • explicit consent

  • vital interests

  • substantial public interest

  • health and social care

For more information, read Compliance for DPIAs.

If the use of the data collected is likely to result in a high risk to staff (eg denial of work opportunities), as is likely to be the case with health data, employers also need to complete a Data protection impact assessment (DPIA) before they begin processing the data. This will also be necessary if you’re processing the data on a large scale. A DPIA is a process that helps to identify and minimise data protection risks by analysing the data processing that is to be carried out. For more information on DPIAs, read Data protection impact assessments.

Equal treatment

Employers must also be careful that collecting vaccination information doesn’t result in any staff or others being treated unfairly. For example, if it’s likely that collecting vaccination information will lead to consequences like fewer job advancement opportunities, an employer must be able to justify this. For more information, read the Information Commissioner’s Office’s (ICO’s) guidance on fairness in data protection.  

If you have any questions about processing sensitive personal data, Ask a lawyer. For more information, read Processing personal data and the ICO’s guidance on data protection during Coronavirus (COVID-19).

As with staff members, businesses can check visitors’ Coronavirus (COVID-19) vaccination status if they are clear about what they are trying to achieve (eg ensuring the health and safety of staff) and about how asking for visitors’ vaccination status helps to achieve this. When collecting visitors’ vaccination data, the principles and information above (eg concerning lawful bases and conditions for processing) will apply as for employees. 

As for members of staff, care needs to be taken when asking visitors to disclose their Coronavirus (COVID-19) status, as this private health information is special category data which is subject to greater levels of data protection requirements than normal personal data. For more information, read Data protection for Test and Trace and Coronavirus (COVID-19) mitigation.

How to make an Employee vaccination policy
Get started
Answer a few questions. We'll take care of the rest