The inception of vaccinations in the fight against COVID-19 has meant a sigh of relief for many. However, they have also led to many lingering questions, including:
- What data protection considerations does the vaccine roll-out unearth?
- How are employers intended to know when or if their employees have been vaccinated, and are they entitled to access this information?
- Can employers introduce a mandatory vaccination initiative in the workplace, and what can be done where employees refuse to get vaccinated?
What information is surrendered when an individual is vaccinated?
From the outset, it must be noted that vaccination data is health data and falls under the scope of special category data requiring an Article 9 GDPR justification for its processing. Due to the higher risks associated with processing special category data, those who control and process this data need extra measures to ensure its protection. Member State public health entities are responsible for administering vaccinations across the European Union. In Ireland, this responsibility falls on the HSE. In December 2020, the HSE launched an IT system for the vaccine roll-out, including the facility for self-registration, appointment allocation, and tracking who has received what vaccine and when. Registration requires the provision of personal data, including PPSN, date of birth, gender, home and work contact details, and details of your primary healthcare provider. To date, the system has been used for the vaccination of healthcare workers. It is due to be expanded from April to the various cohorts as they become eligible for vaccination.
How do employers know if employees are vaccinated?
There are important considerations regarding how employers will manage the data surrounding employees’ vaccination statuses. This is a novel area for most employers as previously, information on what vaccinations employees had received, such as flu jabs, was unnecessary. Employers must ensure that any mechanisms for processing data on employees’ vaccination statuses are limited to that which is necessary. Data relating to an employee’s receipt of a COVID-19 vaccine constitutes special category data under GDPR as it is health data. Employers need to identify a legal basis for processing this data under Article 6 and Article 9 GDPR. Under Article 6(1)(f), the legitimate interest ground is likely to be met by employers, as it is in their legitimate interest to provide a safe workplace for employees and the public. Such processing is also expected to be satisfied under Article 9(1)(i), which permits processing on the grounds of the public interest in public health to protect against serious cross-border threats to health. As the COVID-19 outbreak constitutes a highly infectious global pandemic, employers can easily meet this ground. Employers must update their employee fair processing notices to include this processing, stating why this data is being collected, who will have access to it, and how it will be used. Employers will need to update their record of processing activities to reflect this processing also. Any data processed by employers must be protected with strict confidentiality, and any staff accessing this data must be trained on ensuring that data’s integrity and protection.
The short answer is that employers cannot force employees to get the COVID-19 vaccine. However, there is nothing illegal about employers taking a pro-vaccine stance in the workplace and encouraging employees to get the vaccine. Yet, at present, there is no legal basis upon which an employer can rely to compel employees to be vaccinated against COVID-19. Under the Employment Equality Acts 1998-2011, employees cannot be discriminated against on any grounds prescribed, including religion and disability. If an employee decides not to receive the vaccine on religious or medical grounds, that is their choice. Employers cannot force employees to be vaccinated, or they may find themselves subject to a discrimination claim under the Employment Equality Acts.
There is a lack of Government guidance on mandating vaccines, but that does not mean such guidance will not appear in the future. Under the Infectious Diseases (Amendment) Regulations 2020, COVID-19 was added to the list of infectious diseases covered by the Health Acts 1947-2020. Under the Acts, the Minister for Health is empowered to introduce mandatory vaccination for the public against a disease categorised as an infectious disease. However, it is unlikely that the Irish Government will implement such an approach. Since the 1950s, every immunisation initiative in Ireland has operated voluntarily, and the Government likely does not want to open a Pandora’s box in this regard. The Infectious Diseases Regulation 1981 provides that consent is not required to send personal data to the HSE for vaccination roll-out. It is an offence not to provide such data to the HSE when requested. Any information provided to the HSE in this manner must be in a secure format and deleted after its successful upload onto the HSE vaccination management system. The Safety, Health and Welfare at Work Acts 2005-2014 provide under Section 8 that employers can introduce “procedures to be followed and measures to be taken in the case of an emergency”. Therefore, employers could potentially introduce a COVID-19 vaccination requirement under their company policy even though there is no legal basis per se for insisting that employees be vaccinated.
The Health and Safety Authority published an updated Code of Practice 2020, known as the 2020 COP, to address employers’ concerns about whether vaccinations could be enforced against their employees. The 2020 COP contains a list of biological agents, including SARS-CoV-2, the causative agent of COVID-19. The 2020 COP does not compel the vaccination of employees, but it does provide minimum requirements for the protection of workers where a biological agent is identified in the workplace. The 2020 COP provides that where a risk assessment demonstrates that employees’ health and safety are at risk due to being exposed to a biological agent for which an effective vaccine is available, the employer must offer the vaccine, free of charge, to employees. In doing so, employers must advise employees of the advantages and disadvantages of vaccination.
What about employees who refuse to be vaccinated?
There could be various reasons why an employee would decide not to get vaccinated, and employers need to consider these decisions individually. Redeployment or remote working may be considered for employees who refuse vaccination. This may not be easy where redeployment or remote working is not possible, for example, if the employee has a role that requires public interaction. If neither option is viable, an employer might consider terminating the employee on redundancy or capacity grounds in accordance with fair procedures. However, this could give rise to employment law implications and unfair dismissal claims. Therefore, termination should be an extreme last resort. In any case, employers should engage and consult with trade unions in the workplace, employee representative groups, or employees themselves before introducing a mandatory obligation for employees to be vaccinated.
The “vaccination passport” initiative supported by the EU aims to incentivise vaccination by enabling a return to pre-pandemic activities, for example, international travel, subject to proof of vaccination. In the employment context, vaccination passports could allow employers to verify the vaccination status of employees. The HSE DPIA for their COVID-19 Vaccine Information System provides that vaccine certificates will be introduced at a future date in the vaccine roll-out plan. These certificates would be a paper or smart digital vaccination certification. Such certificates would constitute evidence of COVID-19 vaccination in Ireland. This raises the question of whether employers can request a copy of this certificate to prove an employee’s vaccination status. If an employee refuses to provide a copy, can an employer merely rely on the word of their employee, or can they compel an employee to issue a copy of the certificate? Suppose vaccine passports are rolled out on a pan-European level, and an employer requires employees to travel for work. Will employers then need to enforce vaccination and issuance of a vaccine passport for their employees to continue their role? This again raises discrimination and equality considerations. In any event, the security of any personal data processed for a COVID-19 vaccine passport or certification scheme needs to be stringently safeguarded given the special category status of health-related data. There needs to be a further DPIA conducted by the HSE on this scheme to prevent any data incidents which could leak sensitive health information.
So, what happens if the vaccine is a failure?
Currently, there is uncertainty whether the leading vaccines are completely effective against COVID-19. If a vaccine passport scheme is implemented and the global vaccine roll-outs are a colossal failure, what will happen to those who surrendered their sensitive data? What will employers who collected employee vaccination data do with this information after it is no longer needed? Whatever data is collected with the advent of COVID-19 vaccinations, data protection needs to be at the forefront - from when that data is collected right up to its destruction.
If the vaccines prove ineffective, we are perhaps back to square one with the COVID-19 pandemic, but that does not mean we can neglect the obligation to protect the personal information collected in the process.