Employers in all sectors are working hard to ensure their workplace is safe for everyone, customers and employees alike.
One way they’re trying to protect their entire workforce is by asking employees if they’ve had their COVID-19 vaccine.
In response to this, the Data Protection Commission (DPC) has published guidance on processing COVID-19 vaccination data in the context of employment.
Stick to public health advice
In their guidance, the DPC has reminded businesses to follow the government’s public health policies and advice when processing health data. This is due to the absence of public health advice requiring employers to monitor COVID-19 vaccination status.
The DPC advises that “the processing of vaccine data is likely to represent unnecessary and excessive data collection for which no clear legal basis exists.”
Purpose of vaccination data collection
The Work Safely Protocol outlines certain circumstances regarding the lawful collection of employee vaccination data on the legal basis of necessity. This may apply to businesses that require vaccination as a necessary safety measure. Areas include frontline healthcare service providers.
Data minimisation
The DPC guidance specifically refers to the principle of data minimisation under Article 5(1)(c) of the General Data Protection Regulation (GDPR).
This guidance document recommends that businesses adhere to the public health infection and control measures set out in the Work Safely Protocol. However, no measures refer to asking staff about their vaccination status.
And so, adhering to the existing public health advice remains paramount. Doing so ensures you comply with the principle of data minimisation and avoid any unnecessary processing of employees’ personal data.
Employee vaccination: Special category data
Employee vaccination status is special category data under Article 9 of the GDPR. As vaccination is considered health-related information, it receives extra protection under data protection legislation.
The guidance reinforces the fact that taking a vaccine is a voluntary decision. In turn, it shouldn’t be a mandatory workplace safety measure unless specific circumstances demand vaccination.
There’s also the added issue of younger employees being ineligible for a vaccine under the public health programme. Some of your employees may also have medical reasons for not taking the vaccine. On these issues, the DPC advises that processing vaccination data in an employment context is likely to be unnecessary under data protection principles.
Article: Should Irish employers require staff to take a COVID-19 vaccine?
Imbalance of power between business and staff
Another issue raised in the DPC guidance is the power imbalance that exists between a business and its staff.
This is cited as another reason why employers should refrain from asking employees to provide their consent when undertaking vaccination data collection. In the context of an employment relationship, there could be a question as to whether this consent is given willingly.
What next for employers?
Employers have a lot of questions about the processing of employee COVID-19 vaccination data. Thankfully, and the DPC guidance clarifies many of these.
At present, employers find themselves in a tricky position when it comes to their data protection obligations. If nothing else, it makes it harder to manage health and safety in the workplace. As the situation remains fluid, it’s best to continue to monitor public health advice until further notice.
Need our help handling staff vaccination?
Having read our article, you may have questions on handling staff vaccination. If so, speak to an expert Graphite employment law consultant now on 01 886 0350 or request a callback here.