As the Government announces a general lifting of Covid-related restrictions, Barry Reynolds and Jenny Wakely, specialists in employment law with DAC Beachcroft, advise employers on whether they can ask workers to divulge their vaccination status.
The rapid progress made in the Government’s vaccination programme over recent months means that all employees will now either have been vaccinated or will have had the option of being vaccinated. As of August 31, 2021, over 88% of the adult population have been fully vaccinated. Employers seeking to safely manage their workplaces may understandably wish to know if their staff have been vaccinated and more importantly who in their employment is among the increasingly small percentage of workers who have not been vaccinated.
At the same time, Ireland (at the time of writing) is moving away from the regulation of workplace interaction in the Covid-19 context towards a general lifting of restrictions. Retailers, as of late October 2021, are set to be one of the few categories of workplaces where maskwearing will remain mandatory. Almost all other restrictions, such as social distancing requirements, will no longer be in place. However, one can expect evolving health guidance to continue to encourage caution.
Against this background, it is likely that the current guidance on the collection and use of staff vaccinationdata will remain in place. That guidance could be said to discourage such processing of vaccination data. There may possibly be a number of changes to the rationale for the position adopted as public health guidance changes, as well as updates to work safety protocols which are eagerly awaited.
The guidance in Ireland is that General Data Protection Regulation (GDPR), Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, prevents, in most employment contexts, lawfully eliciting and using workforce vaccination status. The Irish Data Protection Commissioner (DPC) quite recently made it clear that their approach is that such processing is permissible under the GDPR
in only “a limited set of circumstances”.
This is a complex and novel area which is ever evolving. Approaches vary slightly from country to country, as we briefly explore below. The purpose of this article is primarily to outline how matters stand at the present time. A word of caution for any employer is that the position must be reviewed in detail and regularly, and certainly prior to a business adopting any change in its approach.
Why could it be helpful for employers to have data relating to their employees’ vaccination status?
There are a number of ways in which information relating to vaccination status could be seen as assisting employers in the safe and effective operation of the workplace. For example, vaccinated employees who are identified as “close contacts” are not currently required in Ireland to restrict their movements, provided that they do not have symptoms of Covid-19. There are also implications relating to travel, with more relaxed rules applying to those with proof of vaccination.
Special category data
Why then is it considered that employers cannot lawfully process this information? Vaccination status is personal data relating to employees and by its nature it enjoys enhanced protections as special category (health) data. As such, it can be processed only where there is firstly a legal basis for doing so, and secondly, where it benefits from a specific exemption.
Is processing vaccination status potentially lawful?
In short the answer is yes, in theory; for example, relying on such concepts as the processing being necessary in order for the mutual obligations of the employment relationship to function or that it has a legitimate interest in processing the data, provided that this interest is not overridden by the
employee’s rights or interests. It seems at least arguable that processing data on vaccination status is necessary for the employer to comply with the
obligations imposed by the Safety, Health and Welfare at Work Act 2005 and/or to ensure compliance with public health guidance.
However, a key basis for the DPC’s stance to date has been that published guidance on safety at work has not included vaccination status as a key safeguard and in the absence of any such requirement or guidance, the DPC’s position is that employers cannot process this kind of employee information. Employers are unlikely to be able to rely on necessity or legitimate interests or on health and safety guidance. The processing of data relating to the vaccination status of employees “is likely to represent unnecessary and excessive data collection for which no clear legal basis exists.”
The DPC also refers to the absence of public health guidance regarding what employers would be expected to do with information on vaccination status. For example, would businesses be required to send non-vaccinated workers home or segregate vaccinated and non-vaccinated workers in workplaces? These kinds of actions by employers could lead to employment related claims - in addition to complaints arising from breaches of the GDPR - in light of the risk that the collection of the data could result in unfair and unjustified treatment of employees.
But what next following the announcement of August 31 regarding the gradual lifting of restrictions? As of October 22, 2021, most workplace restrictions will no longer be in place. This may impact on data protection guidance applicable to retail. It may be a significant development that indoor retail will be one of the few places where continued mask-wearing will be required. This looks set to be the case only in “healthcare
settings, indoor retail and on public transport”. Restrictions such as physical distancing and mask-wearing will no longer be in place and the requirement for “certification of vaccination” will also be lifted to attend events.
The position should be monitored but at the time of writing we do not expect there to be a radical change to the cautious approach adopted by the DPC. This is partly due to the voluntary nature of Ireland’s vaccination programme, which seems to some extent incompatible with vaccination being viewed as a necessary workplace safety measure.
It is notable that the Irish position to date differs from that of the UK. Its Information Commissioner’s guidelines arguably lean more in favour of processing vaccination status in employment. They indicate that it is likely to be permissible for employers to record data relating to their employees’ vaccination status, provided that the reason for recording the data is clear and necessary and the objective cannot be achieved in another way.
Their guidelines lay out various factors for employers to consider in seeking to determine whether or not they have legitimate reasons to record their employees’ vaccination status. Employers will be more likely to be in a position to justify processing such data if staff:
• are more likely to encounter in the workplace persons infected with Covid-19; or
• they could pose a risk to clinically vulnerable individuals.
Employers would, of course, have to ensure that they clearly set out the reasons for vaccination status being sought and also how that information will be used, among other safeguarding measures and restrictions on the use of the data.
Takeaway for employers
It is anticipated that the DPC will keep its guidelines under review as public health advice and workplace safety guidance change over the coming months. However, the current official guidelines in Ireland signal that there would be a legal risk for the majority of employers should they require staff to provide information on their vaccination status.
One would expect vaccination to be increasingly recognised over time as demonstrably beneficial for maintaining workplace safety for both staff and customers and particularly as other safeguarding measures fall away. Employers must keep a close eye for
updates to the relevant guidelines. If and when the position is clarified, employers should ensure that they also update their risk assessments, privacy notices and data protection impact assessments.
If the guidance changes, employers seeking to then process vaccination related information would have to ensure that appropriate safeguards are put in place to protect employee rights, such as ensuring that access to the data is limited, as well as adherence to strict time limits in relation to erasure and conducting relevant staff training.
If you have any queries or require any assistance in relation to any of the above, please contact Barry Reynolds or Jenny Wakely.
About the authors
BARRY Reynolds (firstname.lastname@example.org) and Jenny Wakely (jwakely@ dacbeachcroft.com) of DAC Beachcroft are specialists in employment law. This article is for general information purposes only and does not comprise legal or professional advice. You should not rely on any of the material in this article without seeking appropriate legal advice.
Enjoyed this story? Subscribe to our newsletter and receive stories of interest straight to your inbox. Just click on the Sign Up button at the top your screen to stay in the loop.