The Covid-19 pandemic has resulted in many employers facing difficult and untested employment law issues. You will already be aware that all employers have a legal duty to ensure the health, welfare, and safety of their employees, so far as is reasonably practicable. As part of their return to the workplace strategy, many employers are now considering asking employees if they have had a Covid-19 vaccination. This raises some important data protection issues which we explore here.


Can we ask our employees to disclose their vaccination status?

Yes, you can ask employees if they have received a Covid-19 vaccination, but you must be clear about your reasons for doing so. This kind of information is classed as ‘special category data’ under the UK GDPR, so you must also comply with specific conditions for processing it. Your use of this data must be fair, necessary, and relevant for a specific purpose. You need to meet one of the conditions for processing under Article 9 of the UK GDPR, such as explicit consent or employment (for example, ensuring the health, safety, and welfare of employees).

The Information Commissioner's Office (ICO) states that you should be clear about what you are trying to achieve by collecting data on vaccination status and how recording staff vaccination status will help you to achieve this. In particular, the collection of this information must not result in any unfair or unjustified treatment of employees, and the information should only be used for purposes they would reasonably expect.


What lawful basis should I use to record my employees’ vaccination status?

If there is a good reason for collecting information about vaccination status, then there is likely to be a lawful basis for processing it. Most employers operating workplaces will have a legitimate reason to collect such data because of the requirements upon them to undertake Covid-19 risk assessments and protect their employees’ health and safety.


Do we need to carry out a data protection impact assessment (DPIA)?

You must do a DPIA for any type of processing which is likely to be ‘high risk’ to the individual, for example, where individuals will be denied employment opportunities if they are not vaccinated. If in doubt, we recommend that you carry out a DPIA.


What should be in the DPIA?

There are a number of areas that you will need to consider, including:

  • identifying the need for the DPIA and describing what the information will be used for

  • assessing necessity and proportionality - i.e. do you really need to have the information?

  • identifying and assessing the risks and any measures to mitigate risk

  • recording your decision and the reasons

  • keeping the system under review.

What if someone refuses to tell us if they have been vaccinated?

You should not immediately discipline someone for not telling you if they have been vaccinated. The best approach will be one of open, transparent communications focussed on trying to understand the reasons why they do not want to give you this information. For example, perhaps they are concerned about how their data will be used or stored, or that it will be shared with other employees. You can give them reassurances about this and refer them to your data protection policies, which should all be GDPR compliant. You can also explain that you have duties to protect the health and safety of employees and that this information will help you to assess any potential risks and put mitigation measures in place to protect staff as far as is reasonably practicable. In some circumstances, however, a failure to disclose vaccination status can be treated as a disciplinary matter.


Can we require all employees to be vaccinated?

No; you will not be able to apply a blanket policy that requires staff to be vaccinated before they can return to the workplace. Remember that some individuals who have a serious allergic reaction to any of the vaccine ingredients are advised to avoid vaccination, while others have been advised to avoid specific vaccines in favour of another. For example, those with a history of blood clotting are advised to avoid the AstraZeneca vaccine and so may face delays in obtaining specific vaccine appointments. It is therefore essential to understand the reasons why someone may be refusing to be vaccinated or is delaying vaccination.

But there are also risks associated with treating vaccinated and non-vaccinated employees differently.  Indirect discrimination occurs when a provision, criterion, or practice (or PCP) puts a group with a protected characteristic (e.g., disability, sex, age) at a significant disadvantage in comparison to those who do not share the protected characteristic. The employer would need to show that the PCP is a proportionate means of achieving a legitimate aim. You would need to show that mandating the vaccine was a proportionate means of achieving this. Each situation will need to be approached on a case-by-case basis to assess whether there is potentially a risk of discrimination from your approach or your company’s policies.  Make sure that any policies you have do not fall into this trap.

What kind of discrimination claims could employees bring?

If, for example, you introduce a policy stating that vaccinated employees may return to the office and the non-vaccinated employees must continue to work from home, this might discriminate indirectly against certain groups. For instance, this could be disability discrimination because there may be some individuals who are advised not to have the vaccine due to an underlying medical condition. Or it could be age discrimination because the government has not reached the under 30s age group yet.

Can we dismiss someone who refuses to have the vaccine?

There would be very significant risks of unfair dismissal claims and discrimination claims associated with dismissing employees who refuse to have the vaccine. This is an untested area of law, but it is likely that most employers would struggle to establish a fair dismissal in these circumstances. It has been suggested that this could even be discrimination on the grounds of philosophical belief (a protected characteristic), but that would imply that the beliefs of the anti-vaccination movement were coherent and worthy of respect in a democratic society, and this is doubtful.

What else do we need to do if we collect information about whether staff are vaccinated?

Make sure your staff understand why you need to collect this information and what you are using it for. Tell people that you are treating their vaccination status as confidential. Limit what you collect (for example, you do not need to know which brand of vaccine someone has had). Accurately record the information you collect and make sure it is securely stored with access limited solely to those who need to have it. When you no longer have grounds for collecting and retaining this data, for instance, when everyone has been vaccinated, the data should be destroyed.

Bear in mind this is a new and untested area, and all employers are having to make difficult decisions against a backdrop of considerable uncertainty.  If you would like us to review and update your data protection policies and privacy notices or would like advice on implementing a return to the workplace strategy, please get in touch with your usual 3CS contact.

Jasmine Chadha


3CS Corporate Solicitors

Registered in England & Wales | Registered office is 60 Moorgate, London, EC2R 6EJ
3CS Corporate Solicitors Ltd is registered under the number 08198795
3CS Corporate Solicitors Ltd is a Solicitors Practice, authorised and regulated by the Solicitors Regulation Authority with number 597935
