Medical information relating to a staff member’s vaccination status constitutes 'special category sensitive personal data' (also known as ‘special category personal data’), as it is information from which individuals could be identified that relates to personal health. Employers who decide to keep a record of this data must do so in accordance with the UK’s data protection laws, as set out in the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA). Employers should take extra care with these records, as sensitive personal data must receive greater protection than other forms of personal data (eg names and contact details). For more information, read Data protection.
Reasons for collecting vaccination information
Collecting, recording, storing, or using information about staff’s vaccination status constitutes ‘processing’ (eg obtaining and recording) of this sensitive personal data. The processing of sensitive personal data is not permitted unless the use of this data is fair, relevant, and necessary for a specific purpose. For employers, this means that they can typically only process data about vaccinations if vaccination records are necessary and proportionate.
Proving that your data processing is necessary involves identifying which of the 6 lawful bases (ie grounds) for processing you are relying on. For example, you could be processing vaccination data:
- to enable you to protect others’ health and safety (ie because it’s in the vital interests of your staff, who are the ‘data subjects’)
- for reasons of public interest related to health (eg to protect high-risk individuals)
The lawful basis of complying with a legal obligation can no longer be used if the specific legislation that your processing was necessary to comply with has expired (ie if it’s no longer effective). This will be the case for most short-term legislative measures that were put in place to manage the immediate effects of the pandemic. If you’re still processing data to comply with Coronavirus (COVID-19) related legislation, you should check that this legislation is still in place and, if it’s not, rely instead on a different lawful basis or stop processing vaccination data.
When considering whether it’s necessary to process data about staff’s vaccination status, employers should be aware that if they cannot identify a specific use for this information and are recording it ‘just in case’, or if they could achieve their goal (eg safety) in another way without collecting this data, they’re unlikely to be able to justify collecting it. For example, employers should consider and document why other methods of protection (eg social distancing and face coverings) are insufficient for achieving their purpose. Considering the sector the employer operates in, the kind of work staff do, and the workplace’s specific health and safety risks should help employers decide whether they have a justified reason for checking vaccination statuses.
An employer’s reason for checking (or recording) staff’s vaccination status must also be clear and transparent. This means making it clear to staff:
- the reason why the employer is collecting this data (ie what they are trying to achieve), and
- how collecting vaccination information will help the employer to achieve this aim (including why other measures would not work as alternatives)
Employers should also inform staff about:
- which personal data is required
- what this data will be used for
- who the data will be shared with
- how long the data will be stored for, and
High-risk data processing
Because information about vaccinations is related to staff’s health, it is special category personal data. This means that, as well as relying on a lawful basis, in order to lawfully process this data employers must identify a ‘condition for processing’ that justifies their collection of vaccination information. Conditions for processing that may be relevant include:
For more information, read Compliance for DPIAs.
If the use of the data collected is likely to result in a high risk to staff (eg denial of work opportunities), as is likely to be the case with health data, employers also need to complete a Data protection impact assessment (DPIA) before they begin processing the data. This will also be necessary if you’re processing the data on a large scale. A DPIA is a process that helps to identify and minimise data protection risks by analysing the data processing that is to be carried out. For more information on DPIAs, read Data protection impact assessments.
Employers must also be careful that collecting vaccination information doesn’t result in any staff or others being treated unfairly. For example, if it’s likely that collecting vaccination information will lead to consequences like fewer job advancement opportunities, an employer must be able to justify this. For more information, read the Information Commissioner’s Office’s (ICO’s) guidance on fairness in data protection.
If you have any questions about processing sensitive personal data, Ask a lawyer. For more information, read Processing personal data and the ICO’s guidance on data protection during Coronavirus (COVID-19).