The Data Protection Commission (DPC) has published guidelines addressing the issue of what information employers can process in relation to their employees’ return to the workplace. In particular, the DPC considers the question as to whether employers can lawfully collect and process information about the Covid-19 vaccination status of their employees.
Information about a person’s vaccination status is special category personal data for the purposes of GDPR. It represents part of their personal health record, and is afforded additional protections under data protection law. The guidelines make it clear that the DPC does not consider there is any general legal basis for employers to request the vaccination status of their employees at this time.
Absence of public health authorities’ advice on processing of employee vaccination data
The DPC’s general position is that “in the absence of clear advice from public health authorities in Ireland that it is necessary for all employers and managers of workplaces to establish vaccination status of employees and workers, the processing of vaccine data is likely to represent unnecessary and excessive data collection for which no clear legal basis exists”. The DPC states that this is particularly the case in circumstances where there is no public health advice pertaining to what the purpose of such data collection would be. For example, advice as to what employers would be expected do with knowledge of vaccination status of workers (i.e. to send non-vaccinated workers home or segregate vaccinated and non-vaccinated workers in workplaces).
Exceptions in certain situations based on sector specific guidance
The DPC acknowledges that there may be certain situations, such as in regard to frontline healthcare services, where vaccination can
be considered a necessary safety measure, based on relevant sector specific guidance. In these situations, the DPC states that an employer will likely be in a position to lawfully process vaccine data on the basis of necessity. For example, the Medical Council’s Guide to Professional Conduct and Ethics for Registered Medical Practitioners states that practitioners “should be vaccinated against common communicable diseases”.
Processing of health data should be guided by government public health policies
The guidelines emphasise that the processing of health data in response to the Covid-19 pandemic should be guided by the Government’s public health policies. The current version of the Work Safely Protocol: Covid-19 National Protocol for Employers and Workers highlights that the decision to get a vaccine is voluntary, and that individuals will make their own decisions in this regard. In the DPC’s view, this further suggests that Covid-19 vaccination data should not in general be considered a necessary workplace safety measure, and consequently, the processing of vaccine data is unlikely to be necessary or proportionate in an employment context.
The guidelines will be subject to review if the public health advice and laws relating to the nature of the virus, the pandemic and the interplay with vaccination change. As such, employers should closely monitor evolving public health guidance and laws.