Employers intending to gather evidence of the COVID-19 vaccination status of their staff need to be aware of the data protection implications of doing so, as highlighted in the Information Commissioner's Office (ICO) guidance.

Can we keep a record of who has had a COVID-19 vaccine?

Potentially, yes. However, because employees' health information is special category personal data under data protection law, a narrower range of conditions is available to employers to justify the processing.

The ICO advises that either of the following conditions could potentially be relied on to process vaccination data:

  • 'Performance of rights and obligations in connection with employment' (e.g. processing to ensure a safe working environment); or
  • 'Health purposes' (e.g. it's necessary to assess the working capacity of the employee). Note that, if relying on this health condition, the guidance states that employers must ensure that a health professional carries out the processing, or that they advise employees that their vaccination status will be treated as confidential and will only be disclosed in defined circumstances.

In practical terms the reasons for recording employees' vaccination status must be clear and compelling. You should not record the data on a 'just in case' basis. Relevant factors could include the sector the business operates in; the type of work undertaken by staff; and the particular health and safety risks in the workplace.

For example, if employees work in a health and social care setting or somewhere they are likely to encounter those infected with COVID-19, or could pose a risk to clinically vulnerable individuals, this could help justify collecting data on employee vaccination status.

On the other hand, if other staff have been vaccinated, then an unvaccinated member of staff is less likely to expose those other individuals to additional risk, and so collecting vaccine status may be harder to justify on the basis that it ensures a safe working environment. This is particularly so given there is no legal requirement in the UK for people to be vaccinated. 

If you are aware of a member of staff who is unable to be vaccinated (for example, for medical reasons), then you'll need to think about how you manage that risk. What is more effective – making arrangements for that employee to continue working remotely or with additional protection, or tracking the vaccination status of co-workers?

Where the use of vaccination data is likely to result in a high risk to individuals, such as denying them employment opportunities, the ICO advises that employers should complete a data protection impact assessment. In practice, and as with any new processing activity, this will require a preliminary assessment of the risks, before deciding whether a full DPIA is required.

What information should we give to staff about the retention of vaccination data?

The ICO makes it clear that an employer must be transparent if it decides to record vaccination data. Therefore, you must ensure that employees understand why you need to collect the information; what it will be used for; how it will be kept secure; who will have access to it; and how long it will be kept for. This could be by way of an updated privacy notice or separate communication.

How long should we keep vaccination data for?

Workers' personal data should not be kept for longer than is necessary. The difficulty with assessing this obligation in relation to COVID-19 vaccination data is that, because this is still a developing area, the reasons for storing the data just now for a specified period may not subsequently be justifiable.

The ICO's advice is that employers should regularly review whether they still have grounds for the collection and retention of vaccination data, particularly as the vaccination roll-out progresses.

Can we tell employees if a colleague has not been vaccinated?

The ICO guidance states that employers should respect the duty of confidentiality owed to employees and should not routinely disclose vaccine status among colleagues unless there is a legitimate and compelling reason to do so. Therefore, you could potentially tell staff that not everyone has been vaccinated but it will generally be difficult to justify identifying which employees are unvaccinated. 

If you have a member of staff who is potentially vulnerable to COVID-19, then consider overall how best to provide them with a safe and secure working environment.

What other factors do we need to consider before deciding to keep COVID-19 vaccination data?

In addition to the data protection issues outlined above, consider your employment law and health and safety obligations, including current public health and government guidance on the vaccine and for your sector, and bear in mind that:

  • The collection of vaccination data must not result in any unfair treatment of employees. Our earlier blog looked at whether employers can require employees to be vaccinated, and highlighted the fact that any dismissal or less favourable treatment for failing to be vaccinated can, depending on the circumstances, risk both unfair dismissal and discrimination claims.
  • There is no 'one size fits all' approach. Whether there is justification for processing vaccination data in a particular situation will depend on various factors including the sector, the type of work carried out, and the degree of health and safety risk.

The implications of the COVID-19 vaccine for employers are still evolving, and we would recommend taking advice on your organisation's particular circumstances.

For more information on any of the above, or for assistance with drafting staff communications or carrying out an impact assessment, please contact a member of the employment and immigration team, or Martin Sloan (IP, Technology and Data).


Julie Keir

Practice Development Lawyer

Martin Sloan