3 min read

Writen by Zlatko Delev

Posted on: March 29, 2021

Can I collect data about whether my employees are vaccinated against COVID-19?

Before you decide to collect your employees vaccination status, you should be clear about what you are trying to achieve and how recording staff vaccination status will help you to achieve this. Whether your employee has been vaccinated is their private health information and is therefore special category data. Your use of this data must be fair, necessary and relevant for a specific purpose.

Data protection is only one of many factors to consider when asking employees whether they have received the COVID-19 vaccine. You should take into account:

  • employment law and your contracts with employees;
  • health and safety requirements; and
  • equalities and human rights issues.

You should also consider other regulations in your industry and the latest government guidance for your sector.

Your reason for recording your employees’ vaccination status must be clear and compelling. If you have no specified use for this information and are recording it on a ‘just in case’ basis, or if you can achieve your goal without collecting this data, you are unlikely to be able to justify collecting it. You should also take into account that accepting the offer of a vaccine is a personal decision which could be influenced by a number of factors. When deciding whether to record this data, you should also consider current public health advice about the vaccine and government guidelines.

The sector you work in, the kind of work your staff do and the health and safety risks in your workplace should help you to decide if you have compelling reasons to record whether your staff have had the COVID-19 vaccine. For example, if your employees:

  • work in a health and social care setting or somewhere they are likely to encounter those infected with COVID-19; or
  • could pose a risk to clinically vulnerable individuals,

this may form part of your justification for collecting employee vaccination status. However, if you only keep on record who is vaccinated for monitoring purposes, it is more difficult to justify holding this information.

The collection of this information must not result in any unfair or unjustified treatment of employees and should only be used for purposes they would reasonably expect. You should treat staff fairly and if the collection of this information is likely to have a negative consequence for an employee, you must be able to justify it. When considering fairness, you should remember that different people are offered the vaccine at different times and some people may not yet have been offered a vaccination.

If the use of this data is likely to result in a high risk to individuals (eg denial of employment opportunities) then you need to complete a data protection impact assessment.

Contact Us

Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
GDPR Local team.

Contact Us

Recent blogs

ISO 27001 Controls: A Comprehensive Step-by-Step Guide

Organisations in today's world filled with technology require a good information security setup and

Comparing Information Security Frameworks and Data Protection Frameworks

With cyber threats evolving at an unprecedented rate and regulations tightening globally, understan

EU AI Act Summary: Key Compliance Insights for Businesses

The EU AI Act is a pioneering attempt to regulate AI systems, striving for a balance between foster

Get Your Account Now

Setup in just a few minutes. Enter your company details and choose the services you need.

Create Account

Get In Touch

Not sure which option to choose? Call, email, chat to us

Contact Us

Stay Up-To-Date

Leave your details here and we’ll send you updates and information on all aspects of GDPR and EU Representative. We won’t bombard you with emails and you will be able to tell us to stop anytime.

Full Name is required!

Business Email is required!

Company is required!

Please accept the Terms and Conditions and Privacy Policy