Medical information relating to a staff member’s vaccination status constitutes 'special category sensitive personal data' (as it relates to personal health) and employers who decide to keep a record of this data must do so in accordance with the UK General Data Protection Regulations (GDPR) and Data Protection Act 2018 (DPA). This is especially important as sensitive personal data is awarded greater protection than other forms of personal data (eg names and contact details). For more information, read Data protection.
The processing (eg obtaining and recording) of sensitive personal data is not permitted unless the use of this data is fair, relevant and necessary for a specific purpose. For employers, this means that they can typically only process data regarding vaccinations if vaccination records are necessary and proportionate. Employers may, for example, ask staff about their vaccination status in order to comply with employment law, the employer’s health and safety duties and for reasons of the public interest in health.
An employer’s reason for checking (or recording) staff’s vaccination status must also be clear and transparent. This means that if an employer cannot specify a specific use for this information and is recording it ‘just in case’, or if they can achieve their goal without collecting this data, they are unlikely to be able to justify collecting it. The sector the employer operates in, the kind of work staff do and the workplace health and safety risks should help employers decide if they have a justified reason for checking vaccination statuses.
If the use of the data collected is likely to result in a high risk to staff (eg denial of work opportunities), as is likely to be the case with health data, employers need to complete a Data protection impact assessment (DPIA) before they begin processing the data. A DPIA is a process that helps identify and minimise data protection risks, by analysing the processing to be carried out. For more information on DPIAs, read Data protection impact assessments.
Making a record of staff’s vaccination status constitutes processing personal data, which must be done lawfully, fairly and transparently. When collecting these records employers should:

- undertake a DPIA where necessary
- identify a lawful basis for processing (eg ‘legitimate interest’ for health and safety reasons)
- consider and document why other methods of protection (eg social distancing, face coverings) are insufficient and why it is necessary to collect data on staff’s vaccination status
- inform staff about:
  - what personal data is required
  - what this data will be used for
  - who the data will be shared with
  - how long the data will be stored for
  - what decisions will be made based on the data held
If you have any questions about processing sensitive personal data, Ask a lawyer. For more information, read Processing personal data and the ICO guidance.