The vaccine rollout continues to dominate the news at present, with issues relating to vaccine supply, vaccinations of employees and the proposed vaccine passport. Managing these issues and the pandemic in general requires data controllers to process data in ways which very few have considered in detail and raises some interesting and complex data protection and data ethics questions.
Employees and Vaccination Status
Whilst the guidance from Public Health England recommends that all those working in the health and social care sector should be vaccinated, it is not mandatory and there will be times where it is not recommended that staff members have the vaccine and other scenarios where staff are not able, or willing to have it. Employers will therefore potentially need to gather and process the vaccination status of their employees in order to conduct risk assessments of individuals continuing to work in front line care or who work closely with individuals in care or social care settings.
The Information Commissioner’s Office has provided some helpful guidance to assist employers in ensuring that they have a lawful basis under UKGDPR upon which to process details of the vaccination status of employees. Details of vaccination status would be classed as special category data and employers must ensure that the information is treated in confidence and in accordance with the data protection legislation.
Employers may receive questions from other staff members or members of public seeking confirmation that all staff, or particular members of staff, have been fully vaccinated. This can throw up some very complex data protection, employment law, regulatory and ethics questions. For those in the health and social care sector, understanding whether staff have been vaccinated could impact on whether an individual would accept care, but equally the vaccination status of an employee is confidential information and should only be disclosed in very limited circumstances. Employers would rarely consider sharing information about an employee’s health status with a member of the public and striking a balance between a desire to provide individuals with sufficient information as to risks and the need to protect medical information relating to staff is incredibly complex.
As a minimum, all employers should make it clear to their employees how and why data relating to vaccination status will be processed to ensure that they are fully transparent and data subjects are fully informed. Broader legal and ethical issues will need to be considered on a case by case basis.
The proposals to issue Covid Passports also raises a number of data protection issues which have yet to be considered in full. The Information Commissioner has already voiced her concerns over the use of Covid Passports to the Commons Digital Committee and identified that processing data in relation to vaccination status of the general public for this purpose raises both GDPR and human rights issues. The ICO stated that before approving any Covid Passport scheme she would want to question “is it necessary, does it work, does it do what it says on the tin, is it proportionate and is there transparency?”
The introduction of Covid Passports would require the processing of special category data which in turn would need to be compliant with data protection laws. The Royal Society have published a paper identifying 12 criteria for the development of Covid Passports and they have identified data protection and equalities issues as relevant considerations going forward. Concerns have been voiced that Covid Passports would in effect force data subjects to share their data in return for services and that for those who have not had the vaccine or cannot have the vaccine, this raises real concerns about their privacy and inequality.
According to the Government, vaccine passports are likely to become a “feature of our lives” and they are being trialled at a number of events until early May. It remains to be seen how these Passports would work in practice and whether the privacy issues can be resolved, but the pandemic continues to raise new and interesting data protection questions with no seemingly easy answers.
Bevan Brittan are working with a number of clients in relation to these issues. If you would like advice from either our Information Law & Privacy Team or our Employment Team please contact us.