Data protection can be a complex subject, so we have partnered with the Jersey Office of the Information Commissioner (JOIC) to help make it more understandable and answer your questions.
Today, we look at the vaccine passport landscape and the impact of data protection.
At this time, ‘vaccine passport’ is a general term used to describe a form of proof of vaccination given to an individual once they’ve received their Covid-19 vaccine. Proof of vaccination is medical information and would therefore be categorised as ‘special category data’, which requires a higher level of protection than standard, non-sensitive personal data.
From a data protection and privacy perspective, the vaccine passport gives rise to a number of considerations. Data protection is a fundamental human right, founded on fairness and transparency, and is not a barrier to sharing information where it is necessary and proportionate to do so.
Can I collect data on my employees’ vaccination status?
You must have a clear and compelling reason to record an employee’s vaccination status
An employer must be very clear about what they are trying to achieve and how recording staff vaccination status will help achieve this. Whether an individual has been vaccinated is their private health information and is therefore special category data. The use of this data must be fair, necessary and relevant for the specific purpose it is being processed.
You must have a clear and compelling reason for recording an employee’s vaccination status. If you have no specified use or real need for this information and are recording it on a ‘just in case’ basis, or if you can achieve your goal without collecting this data, you are unlikely to be able to justify collecting it. You should also bear in mind that accepting the offer of a vaccine is a personal decision, which could be influenced by a number of factors.
Data protection is only one of many factors to consider when asking employees whether they have received the Covid-19 vaccine. You should take into account:
- Employment law and your contracts with employees.
- Health and safety requirements.
- Equality, discrimination and human rights issues.
Consideration should also be given to other regulations in your industry and the latest government guidance for your sector.
The sector you work in, the kind of work your staff do and the health and safety risks in your workplace should help you to decide if you have compelling reasons to ask and/or record whether your staff have had the Covid-19 vaccine. For example, if your employees:
- Work in a health and social care setting or somewhere they are likely to encounter those infected with Covid-19; or
- Could pose a risk to clinically vulnerable individuals.
This may form part of your justification for collecting employee vaccination status. However, if you only keep on record who is vaccinated for monitoring purposes, it is more difficult to justify holding this information.
The collection of this type of information must not result in any unfair or unjustified treatment of employees, and the information should only be used for purposes they would reasonably expect. You should treat staff fairly, and if the collection of this information may have a negative consequence for an employee, you must be able to justify its collection and how you use it. When considering fairness, you should also remember that the vaccine is being offered to people at different times (e.g. elderly or those with pre-existing conditions first), and some people may not yet have been offered a vaccination, or it may be some time before they receive it.
If the use of this personal information is likely to result in a high risk to individuals (e.g. denial of employment opportunities) then you need to complete a data protection impact assessment. You may also need to take specific employment advice.
What lawful basis should I use to record my employees’ vaccination status?
Vaccination status is health data, which has the protected status of ‘special category data’ under Data Protection (Jersey) Law 2018, meaning it requires extra protection. You must therefore identify one of the conditions for processing as set out in Schedule 2 Part 2 of the Law before you start any processing.
For public authorities carrying out their function, public function may be an appropriate legal basis for processing. Consent is rarely appropriate in an employment setting given the imbalance of power between the employer and employee, and it may be withdrawn by the data subject. You can find more information about consent under DPJL here.
What else do I need to do if I collect vaccination data?
If you decide that you can justify recording whether your staff have had the vaccine, you must be transparent about it, for example by noting it in the staff privacy policy and communicating clearly and concisely with staff. You must make sure that your employees understand why you need to collect this information, and what you’re using it for.
You should accurately record the information that you collect and ensure that the collection and storage is secure. You should respect any duty of confidentiality you owe to employees and should not routinely disclose vaccine status among colleagues unless you have a legitimate and compelling reason to do so.
You should regularly review whether you still have grounds for the collection and retention of this information as the vaccination roll-out progresses, more people receive the vaccine and more information becomes available about its effectiveness. This should include monitoring the latest government and scientific advice on the vaccine roll-out and coronavirus restrictions.
Can I ask if visitors, suppliers and contractors are vaccinated?
You will need to assess this in the same manner as the employee question. What is the purpose, and why? Is it proportionate? Are there other means of achieving the same objective?
What privacy and confidentiality concerns should employers bear in mind?
Data protection law approaches any initiative that processes (uses) high volumes of personal information, and especially high-risk medical information, with these questions:
- Is the vaccine passport necessary? Are there differing arguments of necessity for access to Government services compared to entry into a nightclub, for example?
- Does the vaccine passport address the issue/risk? Equally, has the risk of not having a vaccine passport been properly assessed and addressed?
- Is it proportionate? Are there other means of achieving the same objective?
- Is there full transparency over its use? In other words, have you communicated why it is necessary to the individual from whom you are collecting the information?
- How invasive are they into personal privacy? Has this been adequately assessed? Have you completed a Data Protection Impact Assessment?
- Is there appropriate protection for the health information? (special category data – which under the Data Protection (Jersey) Law 2018 (DPJL) requires enhanced protection)
- Is the secondary use of the data preventable? What measures will be adopted to prevent the possibility of ‘function creep’?
This content is provided by the Jersey Office of the Information Commissioner.
Contacting the Jersey Office of the Information Commissioner (JOIC)
Explore the resources and guidance available on the JOIC’s website or call the office on 01534 716530 to speak to a member of the team.
Do you have a question about Data Protection that you would like answered? Drop us an email to [email protected]