Profile information Account settings
Help Contact us
Sign up Log in
Help Contact us

How to record the Coronavirus (COVID-19) vaccination status of staff

Employers need to ensure the health and safety of staff returning to work during the Coronavirus (COVID-19) pandemic and this may include encouraging all staff to be vaccinated. Employers need to make sure to comply with data protection requirements when recording the vaccination status of staff.

How to make an Employee vaccination policy
Get started
Answer a few questions. We'll take care of the rest

Provided they have a good reason for needing to know, employers can ask if staff have or have not been vaccinated. An example of a good reason for needing to know is to ensure the health and safety of the wider workforce.

While asking potential candidates if they have been vaccinated during recruitment may be justified in certain sectors or job roles (eg where there is a particular health and safety exposure), asking about health-related questions in interviews is likely inappropriate. Instead, medical information should be dealt with as a condition of an offer.

Medical information relating to a staff member’s vaccination status constitutes 'special category sensitive personal data' (as it relates to personal health) and employers who decide to keep a record of this data must do so in accordance with the UK General Data Protection Regulations (GDPR) and Data Protection Act 2018 (DPA). This is especially important as sensitive personal data is awarded greater protection than other forms of personal data (eg names and contact details). For more information, read Data protection.

The processing (eg obtaining and recording) of sensitive personal data is not permitted unless the use of this data is fair, relevant and necessary for a specific purpose. For employers, this means that they can typically only process data regarding vaccinations if vaccination records are necessary and proportionate. Employers may, for example, ask staff about their vaccination status in order to comply with employment law, the employer’s health and safety duties and for reasons of the public interest in health.

An employer’s reason for checking (or recording) staff’s vaccination status must also be clear and transparent. This means that if an employer cannot specify a specific use for this information and is recording it ‘just in case’ or if they can achieve their goal without collecting this data, employers are unlikely to be able to justify collecting it. The sector the employer operates in, the kind of work staff does and the workplace health and safety risks should help employers decide if they have a justified reason for checking vaccination statuses.

If the use of the data collected is likely to result in a high risk to staff (eg denial of work opportunities), as is likely to be the case with health data, employers need to complete a Data protection impact assessment (DPIA) before they begin processing the data. A DPIA is a process that helps identify and minimise data protection risks, by analysing the processing to be carried out. For more information on DPIAs, read Data protection impact assessments.

When making a record of staff’s vaccination status this constitutes processing personal data which must be processed lawfully, fairly and transparently. When collecting these records employers should: 

  • undertake a DPIA where necessary

  • identify a lawful basis for processing (eg ‘legitimate interest’ for health and safety reasons)

  • consider and document why other methods of protection are insufficient (eg social distancing, face coverings, and determine why it is necessary to collect data on staff’s vaccination)

  • inform staff about:

    • what personal data is required

    • what this data will be used for

    • who the data will be shared with

    • how long the data will be stored for

    • what decisions we will make based on the data held 

If you have any questions about processing sensitive personal data, Ask a lawyer. For more information, read Processing personal data and the ICO guidance.

As with staff members, businesses can check visitors’ COVID-19 status, provided they are clear about what they are trying to achieve (eg ensuring the health and safety of staff) and how asking for visitors’ COVID-19 status helps to achieve this.

English residents can show their COVID-19 status by using the NHS Covid Pass, which shows the visitor’s vaccination details or test results. 

As with members of staff and recording their vaccination status, care needs to be taken when asking visitors to show their COVID-19 status, as this private health information is special category data and therefore subject to greater levels of data protection requirements. For more information, read Data protection for Test and Trace and the ICO guidance.

How to make an Employee vaccination policy
Get started
Answer a few questions. We'll take care of the rest

We use cookies to provide the best experience