Collecting information about employees’ vaccination status

With Covid-19 restrictions expected to be lifted on 19 July and employers planning to reopen their workplaces, many will be engaged in planning for a safe return for staff, customers and visitors. One aspect of this will be considering measures required for vaccinated staff and therefore collecting information about the vaccination status of employees.

Where employers are considering collecting information about vaccination status and possibly also requesting proof of vaccination, they need to be clear on the purpose of collecting that information, ensure that it can be justified and that it is being done in accordance with their privacy notice and data protection policy.

An individual's vaccination status is health information and therefore 'special category' or sensitive data, so employers will need to identify both a lawful basis and condition for processing. Whilst, in many cases, there will be an appropriate basis and condition that employers can rely on, as with the collection of any information, careful thought should be given to the use of the information to ensure that it complies with the data protection principles, as follows:

• Any information collected should be necessary and proportionate to achieve the stated purpose. For example, it might not be necessary to retain a copy of an individual's vaccine card, but it might be enough to record that they've been vaccinated and that a member of the HR team has seen their vaccination card.
• Information should be stored securely and only shared with those who have a need to know it.
• Information should only be retained for as long as it is necessary to do so. This is quite difficult to quantify at this stage but if, in a year's time, everyone needs to be re-vaccinated, it might be appropriate to delete information about the previous vaccinations.
• Keep a recording the processing of special category information (which is a specific requirement under the GDPR).

We recommend that employers record their decision-making process in relation to vaccination status in a Data Protection Impact Assessment (DPIA) which acts as a useful 'sense-check' on the points above. A template DPIA is available on the ICO website here.

As steps are taken to reduce restrictions for fully vaccinated individuals, employers should review and revaluate whether these changes mean that they should collect additional information on vaccination status or whether collection is no longer necessary. As an example, it is expected that from 16 August, those who are fully vaccinated will no longer need to self-isolate if they are identified as a close contact of a positive Covid-19 case. From that date, employers may wish to collect vaccination information for staff to ensure that they are correctly identifying those who should be self-isolating if there is a positive case in the workplace.  

Please get in touch with our employment team if you need assistance with carrying out your DPIA or if you have any queries about the data protection implications of recording vaccination status.