Processing COVID-19 Vaccination Data in the Workplace
13 Jul 2021
As the National COVID-19 Vaccination Strategy in Ireland gathers pace, employers are frequently asking whether they can make decisions on who returns to work and when based on an employee's vaccination status. Employers, in particular, continue to ask whether they can lawfully collect and process information about the vaccination status of their employees. In this client update, we explain the key considerations.
GDPR Legal Basis
Processing personal data relating to vaccination status is the processing of health data for the purposes of the General Data Protection Regulation ("GDPR"). This is considered special category personal data. To process this type of data, employers must identify an appropriate legal basis for the purposes of Articles 6 and 9 of the GDPR.
Many employers may seek to rely on their obligation to provide a safe working environment under the Safety, Health and Welfare at Work Act 2005. However, in order to rely on this legal basis, employers must establish that processing employees' vaccination status is necessary in order to provide a safe working environment. Public health guidance is key to this assessment.
There is currently no public health guidance which clearly validates the use of vaccination status as a factor in decision making related to the re-opening of a safe working environment. This may change if and when the Irish Government's Work Safely Protocol (the "Protocol")1 is updated in the coming months. At the moment, some employers are deploying regular rapid antigen tests and asking about vaccination status to determine return to work policies and to maximise safety but the practice is isolated and in general, employers in Ireland are not embracing these tools just yet with employees or customers due to the legal complexities with such an approach. Legislation is expected very soon to specifically facilitate a system of checking vaccination status among customers within the restaurant and hospitality sector but this legislation is not expected, at this point, to have wider application.
The Data Protection Commission ("DPC") has recently clarified that in its view, in the absence of clear public health advice, processing employees' vaccination data is likely to represent unnecessary and excessive data collection for which there is no clear legal basis2.
Unnecessary and Disproportionate Processing
The DPC outlined a number of reasons why, in the absence of public health guidance mandating such processing, the processing of employee vaccination data would amount to unnecessary and disproportionate processing of personal data:
- The Protocol suggests that there are only a limited set of circumstances in which vaccination should be offered as a workplace health and safety measure;
- The voluntary nature of the vaccination programme suggests that COVID-19 vaccination is not a necessary workplace safety measure. The Protocol acknowledges that employees are also not in control of when they will receive a vaccine, given the nature of the Irish National Vaccine Programme;
- The principle of data minimisation requires employers to implement all other measures that avoid processing of personal data. The Protocol states that irrespective of vaccinations, there are other measures that employers should implement to maintain workplace safety (e.g. physical distancing); and
- The long-term efficacy of vaccination in terms of immunity remains unclear, the public health guidance appears to reflect that and as such, it is difficult for employers to point to an evidence base for using vaccination as a decision-making tool.
Employee Consent – a Fragile Basis for Processing
The DPC has recommended that employers should not ask employees to consent to the processing of vaccine data as the imbalance inherent in the relationship of employer / employee means that consent is not likely to be freely given.
The DPC has also noted that situations may arise where employers will need to be made aware of when employees will be available for work after travelling abroad. The DPC has indicated that in such circumstances, an employee should be asked to confirm the date on which they will be available to return to work and it should therefore not be strictly necessary to record the employee's vaccination status.
Employers should also be aware that the EU Digital COVID Certificate, which is to be used by anyone travelling within the EU and EEA, may disclose the vaccination status of an employee, and employers should therefore not process such information unless it is necessary.
Duty to Offer Vaccination
Subject to the principle of data minimisation, there may be limited circumstances where the processing of employee vaccination data is necessary.
While the DPC guidance is silent in this respect, the Biological Agents Regulations (S.I. No. 572 of 2013) and associated Code of Practice adds the COVID-19 virus as a risk group III biological agent, and lays down the minimum requirements for protection of workers from risks related to exposure to this biological agent at work.
Where there is a risk of occupational exposure as a result of working with the COVID-19 virus, the employer should complete an occupational health and safety biological agent risk assessment ("BARA").
Where BARA shows there is risk to the health and safety of employees due to working with the COVID-19 virus, employers should offer a vaccination and inform employees of the benefits and drawbacks of both vaccination and non-vaccination. Based on the manner in which the COVID-19 vaccination is currently being rolled out in Ireland, employers are not in a position to offer vaccinations and therefore at most, employers can provide access to reliable public health information regarding the benefits and drawbacks to the COVID-19 vaccination.
How will this impact employers in Ireland?
It is clear from the DPC guidance that establishing a clear GDPR legal basis for the processing of employee vaccine data is challenging and the refinement and updating of public health guidance as the evidence base regarding vaccination efficacy will drive developments.
Employers can still provide employees with advice and information on the vaccination programme, and must do so if their risk assessment requires it.
What about the Employment Law consequences of using vaccination status data?
The National Vaccination Strategy does not provide for mandatory vaccination. As matters stand at the date of writing, an employee can:
- refuse to be vaccinated;
- refuse to disclose their vaccination status to their employer; and
- refuse to comply with a policy that excludes non-vaccinated employees.
The avenues of redress under Irish employment law for employees who claim that they are at a disadvantage by reason of such questions / policies, include:
- A claim related to unlawful discrimination on the grounds of age (if they are ineligible for the vaccine based on the National Vaccination Strategy which prioritises individuals based on age) and disability; and
- An employee who claims they have been penalised through dismissal, demotion or a reduction in pay directly or indirectly as a result of a refusal to comply with an employer's vaccination policies could successfully claim breach of contract (for example, relating to pay or job status) or statutory unfair / constructive dismissal.
It is recommended that employers take advice before using the vaccination status of employees and workers as a factor influencing return to work plans.
How the Maples Group Can Help
We can assist by providing up-to-date guidance in respect of GDPR compliance, updating workplace risk assessments, remote working and return to work preparations.
For further information, please liaise your usual Maples Group contact or the persons below.
T: +353 1 619 2113
T: +353 1 619 2037