Data privacy obligations and the Coronavirus vaccine
The rollout of the Coronavirus vaccine has been eagerly awaited, as many people hope it is a ticket back to some form of normality.
There has been discussion in the press as education unions have been lobbying the government to ensure teachers and other frontline workers are moved up the vaccine priority list.
Whatever the government vaccine priority list ends up looking like, there are some important data privacy considerations that employers must take into account when their staff are vaccinated.
In summary, data privacy law does not stop you asking staff to get vaccinated but does not give you the right to make jabs obligatory. The law also gives organisations a wide degree of flexibility to keep records of who has been vaccinated and when. The main requirement is that there must be a genuine and valid reason for maintaining the records: relevant examples would include preventing the spread of the virus, ensuring workplace health and safety and ensuring appropriate levels of personnel resourcing.
We believe keeping vaccination records in a school, college or university would therefore be an entirely reasonable step for an employer to take.
However, there are a few compliance requirements to consider along with this:
- Whenever an organisation uses personal data (vaccination records will count as personal data), they must have a “lawful basis” under the GDPR to do so. In brief, a “lawful basis” is a legally recognised justification.
- We recommend that the lawful basis is “legitimate interests” – an employer needs to use employees’ personal data because it is necessary to achieve the legitimate interest of preventing/controlling the spread of Coronavirus.
- In order to rely on this lawful basis, an organisation must carry out a “legitimate interests assessment” before it starts keeping employee vaccination records.
- By recording information about vaccinations, an organisation will also be collecting “special category” (i.e. sensitive) personal data because it relates to employees’ health status and, depending on the type of information stored and vaccination used, possibly genetic records.
- Whenever an organisation uses special category personal data, they need to satisfy an additional condition under the GDPR. This is because data privacy regulators apply tighter control and scrutiny to the use of special category data, as they take the view that misuse is more likely to be damaging to people.
- We suggest that the most appropriate condition under the GDPR is that use of the special category personal data is necessary for public health reasons. The pandemic is a textbook example of a public health emergency.
- Organisations must keep a written record that this is the applicable additional condition.
- Organisations should also amend their relevant privacy policies to ensure that employees are told in advance that personal data relating to vaccinations will be collected and stored, and why.
As a general data privacy point, organisations should always have in place appropriate measures for the secure storage and handling of the data collected, ensuring that it is only accessible to those who absolutely need it and that it is not used for any other purpose.
If you require data privacy advice, or help preparing a legitimate interests assessment, please get in touch.
This update is for general purposes and guidance only and does not constitute legal or professional advice. You should seek legal advice before relying on its content. This update relates to the prevailing circumstances at the date of its original publication and may not have been updated to reflect subsequent developments. If you have general queries about our updates, please email: firstname.lastname@example.org