Disclaimer: The advice given here was accurate at the time of publication based on UK government guidance. It is recommended that you regularly check and stay up to date with your country’s laws and regulations.
Over the course of the last 12 months, we have had a number of our clients ask a similar question: “Can I keep a record of vaccinated employees or customers?” This is a valid question, given the changeable nature of the guidance meaning that the goalposts keep getting moved for organisations. Currently, in some settings, there is now a requirement to check people’s Covid test results or vaccination status prior to allowing entry and vaccinations are mandated for those fulfilling some job roles (such as healthcare staff). This all adds to the confusion around whether organisations should be checking individuals’ Covid status and what to do, or not do, with the information.
Key considerations:
First things first, you must have a lawful basis to process Covid-related health data. Where there is no legal requirement to do so, checking individuals’ test results/vaccination status is at the discretion of the business. If this is the case, you must be clear as to why you are doing this and what it will achieve. As such, you must identify a lawful basis for processing the personal data. The sector that you operate in will likely determine which lawful bases are open for you to use to process this information.
For example, from the 11th of November 2021, staff working within a Care Quality Commission-registered care home for adults in England have had to be fully vaccinated, unless medically exempt. Organisations for which this applies can therefore rely on the lawful basis of Legal Obligation as they will be collecting vaccination status information in order to monitor their employees’ compliance with this regulation.
Organisations can rely on Consent for the collection of Covid-related health data, but only if they are able to give real choice to individuals about providing this information. It cannot, therefore, be used as a condition of entry into a venue, as the consent would not be deemed “freely given.” It is also important to note that Consent should not really be used when collecting employee data, so this is likely to be more appropriate in the context of consumers/customers.
In most cases, organisations are going to have to rely on Legitimate Interest as their lawful basis for this data processing, meaning that a Legitimate Interests Assessment (LIA) will need to be completed prior to going ahead with the data collection.
Another thing to remember is that, as this information relates to a person’s health, it comes under the banner of special category data. You therefore must identify not only a lawful basis but also an Article 9 condition for processing. This is likely to be condition 9(2)(i) regarding processing in the interests of public health.
Before you record any Covid-related health data, it needs to be remembered that collecting this could lead to the unjust treatment of data subjects. The pro- vs anti-vaxxer debate is a highly contentious one, so it is important that if you are collecting information about whether people are vaccinated, this information is kept confidential and is not used to disadvantage individuals. If the collection or use of this information is likely to have negative consequences for an individual, such as in the case of non-vaccinated care workers, you must be able to justify it.
In addition, you need to be transparent with data subjects about the collection of this data and your purposes for collecting it. This should be made clear in your privacy notice and at the point of collection.
It is important to stress that you cannot collect this personal data on a “just in case” basis or if you can achieve your intended purpose without having vaccine status / Covid test result records on file. The use of this data must be fair, relevant, and necessary for a specific purpose.
You must be justified in the collection of this data, so it is vital that you carefully consider the value of collecting the information vs the impact it will have on individuals’ privacy. Simply saying “I need my employees’ vaccination records to keep the workplace safe” is unlikely to be a compelling reason. Organisations will need to demonstrate how they are planning on using individuals’ Covid-related health data and what clear benefits it will provide. It is unlikely to be proportionate to require people to disclose their statuses merely for reporting purposes.
If you do choose to collect data about people’s Covid test results or vaccination status, you will need to conduct a Data Protection Impact Assessment (DPIA). DPIAs are required whenever you are processing data that is likely to result in a high risk to the rights and freedoms of individuals; as Covid test results and vaccination status are special category data that is likely to be used to make decisions about that individual (e.g. entry to a venue, job role adjustments), this would trigger the need for a DPIA.
The DPIA should clearly outline the justified need for the processing of this personal data, the risks associated with the processing, and the controls that will be put in place to protect individuals from said risks. Specific attention should be paid to the storage and retention of the data, the control of access, and preventing use of the data for any other purpose beyond what was originally stated.
Other considerations:
It is also important to remember that there are other factors, aside from data protection law, to consider when processing this type of information about your employees or customers/clients:
Conclusion
It is always recommended that you check the current government guidelines and your sector-specific regulations before you consider processing health data related to COVID-19.
If no clear guidance or legal obligations apply, processing information about individuals’ Covid test results or vaccination status may be seen as an excessive risk. Since it is mandated in very few situations under the current government guidelines, it is up to organisations to justify their purpose for collecting this information which can be challenging.
As such, we recommend that organisations do not keep a record of their customers’ (or visitors’) data unless there is a legal requirement to do so, as doing so will create extra burdens on the business.
However, if your organisation is set on asking people to supply proof of a negative Covid test or of having been double vaccinated, you may want to consider conducting visual checks of documentation only. This is because if you are conducting a visual check on someone’s vaccination status or test result (whether that be looking at a paper copy or the digital copy on the app) and are not retaining any personal data, this would not be considered ‘processing personal data.’ As such, this would not fall under the remit of the UK GDPR and many of the aforementioned challenges can be avoided. The crucial point to note here, however, is that you must not retain any personal data; therefore, if you decide to keep a record of this data, irrespective of whether it was gathered by visual checks only, then you would be processing the data and UK GDPR would apply.
For more information on how our Data Protection Services can help your organisation comply with its data protection obligations, including conducting DPIAs for collecting Covid-related personal data, visit our services page.
In addition, you can find the ICO’s guidance on this topic here.