An employer that intends to ask employees if they have been vaccinated against coronavirus (COVID-19) must be clear about its reasons for doing so. To comply with its data protection obligations, the company must ensure that it has a legal basis for processing such information and that it complies with the conditions for processing special category data (which means information relating to employees’ health) under the UK GDPR.
The Information Commissioner’s Office has published guidance for organisations on when collecting vaccination data can be justified (https://bit.ly/vaccinationguidance), so make sure you have a read of this first. Depending on its reasons for asking about vaccination status, an employer may be able to rely on its legitimate interests and compliance with employment rights and obligations as the basis for processing such data.
It is likely to be easier to justify collecting such information in certain workplaces, for example in a health or care setting where coronavirus presents a specific risk. Employers should consider carrying out a data protection impact assessment before collecting vaccination data.
If you decide to collect this personal data, then you must ensure that it is kept securely and that it is shared only with the specific people who need to access it. It must be kept for no longer than necessary. An employer could consider keeping anonymised records, if its aim is to monitor levels of vaccination across the workforce, rather than recording whether specified individuals have been vaccinated.
The employer must provide employees with information about how and why their vaccination data is being processed. This could be an update to your existing privacy notice or could be provided as a separate document.
Employers should be aware that an attempt to impose a mandatory vaccination policy would risk a number of legal claims and employee relations issues.