Ireland - Collecting employee vaccine data – latest guidance
24 June 2021
With many employers planning the return to the workplace, the question arises as to what vaccination data (if any) can be collected from returning staff. The Irish Data Protection Commission (DPC) has [finally] issued guidance clarifying its position on whether it is permissible for employers to collect and process this information.
What are the headlines?
Unless public health guidance changes to make vaccination a necessary workplace measure for the prevention of Covid-19, the DPC has confirmed that it sees no legal basis for collecting and processing employee vaccine data except in exceptional sector specific circumstances.
The DPC’s guidance relates specifically to whether employers can legally collect and process information about the vaccination status of employees and states that “in the absence of clear advice from public health authorities in Ireland that it is necessary for all employers and managers of workplaces to establish vaccination status of employees and workers, the processing of vaccine data is likely to represent unnecessary and excessive data collection for which no clear legal basis exists”. [Emphasis added]
The DPC specifically refers to the fact that there is currently no public health advice setting out what this information would be used for by employers and no guidance on whether employers would be expected to send non-vaccinated employees home or segregate them in the workplace.
The DPC also points to the fact that younger employees won’t be fully vaccinated for a number of months and the uncertainty about the long term efficacy of vaccines as being indicative that ‘there does not appear to be a sufficiently evidence based justification to consider that knowledge and processing of vaccination status can be considered necessary in employment at this time’.
What is the issue with collecting information in relation to an employee's vaccination status?
While many of us may be forthcoming and share with others the fact we are vaccinated, information regarding your vaccination status constitutes special category data and it needs to be processed strictly in accordance with the General Data Protection Regulation (GDPR). Therefore, any employer seeking to collect and process the vaccine status of its workers will need a legal basis for processing this data under the GDPR.
Prior to this guidance it was difficult to assess whether there was any legal basis for the collection and processing of an employee’s vaccination status by an employer. Employers were tentatively considering using their obligations under health and safety law and in some cases consent as the legal basis on which processing could be justified. Consent was always unlikely to be a valid legal basis in the workplace context. In its guidance the DPC clarifies that employee consent is unlikely to constitute a valid legal basis for collecting information relating to vaccination participation, as in practice employees may not have any real choice in the matter given the general imbalance in power in the employer/employee relationship. The DPC’s guidance states that “employees should not be asked to consent to the processing of vaccine data as this consent is not likely to be freely given.” Based on this guidance if an employer sought to rely on consent for its legal basis, employees would likely successfully challenge the legality or justification for processing their vaccine data.
The recently updated Government-issued Work Safely Protocol, which sets out how employers should manage a return to the workplace, specifically sets out that an employee’s decision to get a Covid-19 vaccine is made voluntarily and other infection prevention and control measures should still be in place in workplaces regardless of whether employees are vaccinated. The DPC took the Work Safely Protocol into account and formed the view that this suggests that vaccination status, and the processing of such data, is unlikely to be considered a necessary workplace safety measure. In summary, if the current government and public health advice is that it’s not an essential workplace safety measure that reduces the need for other measures, then there is no basis for an employer to collect and process employee vaccination data.
Is it possible at all to seek the vaccination status of employees?
The DPC’s guidance acknowledges that there may be some specific employment contexts where an employee’s vaccination status could be considered necessary to collect and process, such as those providing frontline healthcare services. In our view these workplace exceptions will be limited.
The DPC again refers to the vaccination section of the Work Safely Protocol which suggests that there is a limited set of circumstances in which vaccination should actually be offered to employees as a workplace health and safety measure (as provided for under the Safety, Health and Welfare at Work (Biological Agents) Regulations 2013 and 2020). The DPC guidance also states that “there may be further situations, such as in the provision of frontline healthcare services, where vaccination can be considered a necessary safety measure, based on relevant sector specific guidance”. The DPC gives an example from the Medical Council’s Guide to Professional Conduct and Ethics for Registered Medical Practitioners which states that practitioners “should be vaccinated against common communicable diseases”. The DPC’s view is that in these situations, it is likely that the employer will be in a position to lawfully process vaccine status data on ‘the basis of necessity’.
What does an employer need to consider to decide whether it can legally collect and process an employee's vaccination status?
In those limited specific employment contexts where it may still be possible to collect this data because knowledge of vaccination status has been determined as a necessary workplace measure, employers will need a legal basis for processing. Given this data concerns health information, the legal basis needs to cover general data processing, and the processing of special category data.
Employers could seek to rely on the legal basis that the “processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment” as set out in Article 9.2(b) of the GDPR. The Safety, Health and Welfare at Work Act 2005 requires employers and those who control workplaces to carry out a risk assessment to identify hazards in the workplace and to assess the risks to safety and health at work presented by those hazards. Following this assessment, employers are required to take such steps as are reasonably practicable to remove or minimise any risks identified in their risk assessments. Therefore, an employer’s requirement to collect and process vaccination data would need to be identified in its health and safety risk assessment. Any such assessment should be carried out by a qualified health and safety professional. As outlined above, this is likely to only be assessed as necessary in limited workplace settings such as healthcare which are likely to have additional legal obligations that will be relevant to whether they need to know the vaccine status of their employees.
However, even in those limited circumstances if an identified risk can be mitigated without collecting this special category data, such as those mitigation measures identified in the Work Safely Protocol, it is less likely that an employer will be able to justify why this data needs to be collected and processed. The DPC guidance makes it clear that the data minimisation principle of the GDPR means that such processing should be a last resort and employers should ‘implement all such measures that avoid processing the personal data of employees in the first place’.
If an employer sought to rely on the Article 9.2(b) ground as its legal basis for processing this data, its employee privacy notices would need to be reviewed and updated as employees will need to be informed about why data around vaccination is being collected, to whom it may be disclosed and how long it will be retained for.
Alternatively, employers could prepare a supplementary privacy notice in respect of the processing of vaccine data. This would be linked to the overall employee privacy notice and may be administratively easier to prepare and to update.
It is also recommended that a Data Protection Impact Assessment (DPIA) be carried out before any privacy notice is updated or processing takes place (a DPIA is mandatory if large scale processing is going to be carried out). A DPIA will set out the personal data that the employer is processing, why it is processing it, the ways in which it is ensuring that such processing is proportionate, and how it is mitigating the risks to employees. It is also beneficial as it ensures:
(a) that the employer has considered the ways in which it is processing personal data,
(b) that the employer has considered other less intrusive ways of achieving the same purpose, and
(c) that the GDPR principles have been properly considered by the employer.
Furthermore, should an employee complain to the DPC about the ways in which data is being processed, the DPIA will assist in demonstrating that the employer sought to follow the GDPR’s fair processing principles at all times and sought to mitigate any risks to the employees of the processing.
I have already collected information in relation to the vaccination status of our workers, what should I do now?
Unless there is a legal basis for processing it which you can justify, this data should be securely deleted. You should stop collecting and processing it.
If you have used this information to feed into your risk assessments, you should only consider using any information you have gathered from a high level perspective and on a completely anonymised basis e.g. feeding into a risk assessment that a certain percentage of the workforce are vaccinated. This processing is still risky as arguably there was no basis for collecting and processing the underlying personal data. The employer should document the basis on which they have determined that it is necessary and proportionate to continue to use this aggregated data and take all steps to ensure it is anonymised and the underlying personal data has been deleted.
If any privacy notice or supplementary privacy notice has been updated or drafted, they may need to be updated once more to clarify that this information is no longer being collected based on the guidance issued by the DPC.
What if an employee has volunteered vaccine information to us?
It is likely that an employee may volunteer information to their employer regarding whether they have received a vaccine or not. If they do, employers owe a duty of confidentiality to those employees not to disclose this information further. Employers should not record or process this personal data unless they fall into one of the exceptional specific employment contexts envisaged by the DPC and have a legal basis for this processing.
What about employees’ travel?
The DPC guidance does acknowledge that there are situations where employers need to be aware of employee travel arrangements so they can ensure appropriate Covid-19 safety measures are in place.
However, the personal data that it may be necessary for employers to collect in this regard does not extend to vaccine status but is limited to being made aware of any self isolation period the employee is required to observe. The DPC guidance states “it should not be strictly necessary for employees’ vaccination status to be recorded in such instances, rather the employee can be asked to indicate the date on which they will be in a position to return to work”.
Employers should continue to monitor the public health and government guidance on returning to the workplace. If the public health advice and government guidance changes in respect of vaccinations, then the DPC position on processing this employee personal data may also change. The potential for a change in the position is acknowledged in the DPC guidance. For the time being at least the position for employers has now been clarified even if that position is unlikely to be welcomed by employers.