With quarantine, for the most part, no longer required for the double jabbed, and with more and more employees returning to offices, client visits and work-associated trips, what rights do you have to confirm vaccine status?
The moment the government began discussing the idea of vaccine passports, questions around privacy and data exposure began to emerge.
Given it was only a few short years ago that the business world was anxiously updating policies, procedures and responsibilities in line with the 2018 GDPR start date, it’s perhaps no wonder that many employers are now left fearing they might inadvertently breach such regulations by recording a vaccine status.
So, where do you stand?
The Information Commissioner’s Office has set out a very clear position on this, which first and foremost urges you to consider ‘why’ you are requiring the COVID status of your employee.
Someone’s vaccination status falls under the very special and specific category of ‘private health information’, and as such, your entitlement to this data rests very much on whether you are seeking to use it fairly, in a relevant way, and whether it is deemed ultimately necessary that you have knowledge of this status.
It is no line of defence to say that you are seeking to have sight of COVID status ‘just because’, or ‘just in case’.
You might want to consider whether the following could be said to apply:
- Knowing the COVID status of this employee will certainly enable me to keep that person safer within their role.
- Knowing the COVID status of this employee ensures they are less likely to pose a risk to someone who is clinically vulnerable (with whom they may come into contact through their role).
- Knowing the COVID status of this employee will allow me to determine whether they need to isolate upon return from a trip overseas.
Another delicate consideration is whether you are in fact ‘processing’ the information about an individual’s status, or whether you are simply having knowledge of it.
For example, looking at a hard copy document or a COVID pass on someone’s phone does not constitute processing.
However, scanning a QR code or conducting checks digitally DOES mean processing, and therefore falls within GDPR rules, as does storing this information.
You would be seen to be legitimately storing and processing such data provided that your purpose is transparent and appropriate (see above), that you keep the record for no longer than wholly necessary, and that you ensure your employee receives no compromised treatment as a result of disclosure.
It’s also worth remembering that even an employee’s consent to the processing of their COVID status is not, in and of itself, enough to say that the activity falls outside of GDPR.
Remember that someone having given consent could be seen as someone having felt obliged to do so, given the balance of power between employer and employee.
For more information, do feel free to contact our team and we can discuss this issue in more depth.