Can I collect data about whether my employees are vaccinated against COVID-19?
Before you decide to collect your employees vaccination status, you should be clear about what you are trying to achieve and how recording staff vaccination status will help you to achieve this. Whether your employee has been vaccinated is their private health information and is therefore special category data. Your use of this data must be fair, necessary and relevant for a specific purpose.
Data protection is only one of many factors to consider when asking employees whether they have received the COVID-19 vaccine. You should take into account:
- employment law and your contracts with employees;
- health and safety requirements; and
- equalities and human rights issues.
You should also consider other regulations in your industry and the latest government guidance for your sector.
Your reason for recording your employees’ vaccination status must be clear and compelling. If you have no specified use for this information and are recording it on a ‘just in case’ basis, or if you can achieve your goal without collecting this data, you are unlikely to be able to justify collecting it. You should also take into account that accepting the offer of a vaccine is a personal decision which could be influenced by a number of factors. When deciding whether to record this data, you should also consider current public health advice about the vaccine and government guidelines.
The sector you work in, the kind of work your staff do and the health and safety risks in your workplace should help you to decide if you have compelling reasons to record whether your staff have had the COVID-19 vaccine. For example, if your employees:
- work in a health and social care setting or somewhere they are likely to encounter those infected with COVID-19; or
- could pose a risk to clinically vulnerable individuals,
this may form part of your justification for collecting employee vaccination status. However, if you only keep on record who is vaccinated for monitoring purposes, it is more difficult to justify holding this information.
The collection of this information must not result in any unfair or unjustified treatment of employees and should only be used for purposes they would reasonably expect. You should treat staff fairly and if the collection of this information is likely to have a negative consequence for an employee, you must be able to justify it. When considering fairness, you should remember that different people are offered the vaccine at different times and some people may not yet have been offered a vaccination.
If the use of this data is likely to result in a high risk to individuals (eg denial of employment opportunities) then you need to complete a data protection impact assessment.
Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
Zlatko, Adam, Hristina, Marin.
As your Article 27 Representative we will always help if you receive a SAR, RTE, or other data prot
We have said this previously but we are still seeing a huge number of Subject Access Requests [
Summary: The Right to Be Forgotten is one of the fundamental rights defined in GDPR. Also