Employee Vaccination and the Data Protection Conundrum

April 12, 2021

For employers, data protection relating to employee health is crucial to get right, and with mass vaccination sweeping across the country, now is the time for employers to consider their data collection strategy.

It’s been a long year for all of us, and now we have the roadmap out of lockdown, we are all crossing fingers that we’ll soon be able to get back to some sort of normality. We’ll have to relearn some social skills for a start, and the things that annoyed us pre-lockdown may well delight us when they return!

But employers will have to consider their return to normality carefully, with many thinking about the extent to which employees will return to the office, work remotely or a combination of the two.

Vaccinations are a vital part of helping us get back to near normal and many employers will be thinking about how they can create a safe working environment for employees who want or need to return to offices. But, without entering into a discussion about the various views on vaccinations, not everyone will feel comfortable taking the vaccine and some may not be able to do so for medical reasons. People are also being offered vaccinations at different rates, so it may be later in the year before some have received even a first dose, through no fault of their own.

So, from a data protection perspective, employers who are considering collecting information relating to the vaccination status of their staff should ensure they have gone through a documented process setting out how they intend to meet data protection requirements. This article does not go into detail on any direct employment law issues that might also be relevant.

Collecting vaccination data of staff will involve gathering information relating to an individual’s health (known in data protection law as special category data), so extra thought is needed to ensure that the data is handled appropriately and that it does not create undue risks to a person’s rights. The Information Commissioner’s Office (ICO) has published a good deal of guidance during the pandemic on the collection and use of personal data, and below is a summary of the key points to think about:

Purpose / Risk

As with all uses of personal data, employers should ask themselves a number of questions before they start to collect such data:

  • What are we trying to achieve?
  • What is the actual level of risk in our working environment?
  • Are there alternative measures that avoid the collection of personal data (e.g. limiting desk space for a time, improved ventilation, increased cleaning)?
  • What would we need to collect from our staff?
  • How do we intend to use the data?
  • How would we handle any objections to providing the information?
  • How will we manage people who cannot receive a vaccination?
  • Will employees be prevented from working or attending a workplace without providing proof of vaccination?
  • Do we need to consider any other sector or industry-specific regulations or guidance?

In terms of environment, as the ICO guidance points out, there is a world of difference between those who work in a health and social care setting or could pose a risk to clinically vulnerable individuals, and those who may simply be working in a standard office with younger colleagues.

These questions can help focus the mind and make sure that any data collected and used is proportionate to the aim being pursued. You may go through these steps and decide that it is not necessary to collect such data given the nature of the risk. Consulting with staff may also be a useful exercise to determine how many people wish to work onsite, at least some of the time, and how they might feel about the safety implications of doing so.

Data Protection Impact Assessment (DPIA)

A DPIA is required where the use of personal data is “likely to result in a high risk to the rights and freedoms” of individuals. It is specifically required where an activity involves the use of a “large scale of special categories of data” (including health-related data), so depending on the size of a workforce and how the data will be used, this may be relevant.

But what exactly are the risks? It’s not just in terms of the obvious data protection risks such as the sensitivity of the data and the potential for it to be lost or hacked, but a person’s wider rights in terms of access to employment, to have a safe working environment and to not be discriminated against. There is a balance to be struck between these various risks that must always be assessed on the particular circumstances of an employer and how the staff operate.

A DPIA helps to formulate and document this thinking and the various risk mitigations that will be in place and may be requested by the ICO in the event that they investigate a complaint.

Lawful basis

A prerequisite for all uses of personal data is identifying a lawful basis in relation to the specific purpose. And as we are talking about information relating to a person’s health, there needs to be an additional lawful basis in place to allow the use of special category data.

Depending on your sector and risk factors, one of these bases may apply initially:

  • A task performed in the public interest (mostly applicable to public authorities)
  • Legal obligation
  • Legitimate interests (subject to a legitimate interest assessment)

Consent is unlikely to be relevant here as it must always be “freely given” and is difficult to apply in an employment context. It is always possible for employees to feel pressured into providing their consent and therefore not giving it “freely”.

More thought is needed for the second lawful basis for health data. Data protection legislation does allow its use where it is necessary:

  • To meet an employer’s obligations under employment law (which could include health and safety at work)
  • To protect public health (but processing must be by a healthcare professional)

Both could be relevant, but neither provides an automatic basis on which to collect the data: it will depend on the level of risk and the extent to which collecting this information genuinely fits the purpose intended by the relevant lawful basis. The lawful basis should be documented both in your privacy information and in your Record of Processing Activities (where you are required to have one).


Transparency

Another of the data protection basics is making sure you tell people what you are going to use their data for. Data protection legislation says nothing about the format in which “privacy information” should be provided (other than that it be in writing), and to meet the wider transparency principle you should do more than publish a minor update to a privacy policy hidden on your website. So, to make sure you comply with the transparency principle, make sure you have clearly informed staff about this data collection and its purpose.

Data minimisation

A point that often gets missed or left to the last minute in many processes is building in thinking around data minimisation, one of the primary data protection principles:

  • What is the minimum amount of information we need for what we are trying to achieve?
  • Do we even need to retain a copy of a vaccination record or simply record that it has been seen?
  • If we do collect personal data, how long do we actually need it for?

This last question may be difficult to answer confidently at the moment (until risk levels decrease further), so even if you cannot define a precise retention period, you should retain the data only for as long as is strictly necessary. Building in a review period would be wise, so that you can assess after a set time whether the data is still required.

There are no black and white answers here, and the right approach will always depend on the risk factors relevant to your organisation. The main takeaways are to ensure you have fully thought through your purpose for collecting any data, to make sure your decision making is justifiable, and to document it in some way.

And, whatever the outcome, hopefully we can all have a better summer in 2021!
