The Irish Government vaccination programme is now well under way. As a result of supply limits and in line with the government’s COVID-19 Vaccine Allocation Strategy, it will still be some time before the vaccine will be available to the majority of the workforce. Employers should use this time to get their houses in order. Many employees will willingly get themselves vaccinated, but there are likely to be employees who refuse. Some employees may refuse the vaccine for reasons relating to underlying health issues or religious beliefs, while others may simply be nervous about the safety and potential side effects of vaccination. Employers will understandably wish to know which employees have been vaccinated and which have not.
Special category data
Information regarding whether or not an employee has been vaccinated constitutes health data which is a type of special category data. Such data can only be processed where there is a legal basis for the processing of the data under Article 6 of the General Data Protection Regulation1 (the “GDPR”) and where there is an applicable exemption to the general prohibition on processing special category data under Article 9.
Legal basis for processing under Article 6
As many employers will be aware, consent (under Article 6(1)(a)) is generally not regarded as a valid basis for processing an employee’s personal data because of the inequality in bargaining power between an employer and an employee. A data subject is also free to withdraw his or her consent at any time without negative repercussions.
Employers are more likely to seek to rely on Article 6(1)(c) (where the processing is necessary in order to comply with a legal obligation); 6(1)(e) (where it is necessary for the performance of a task carried out in the public interest); or 6(1)(f) (where it is necessary for the purpose of a legitimate interest of the employer and those interests are not overridden by the rights or interests of the data subject).
Article 9 exemptions
In practice employers will seek to rely on the Article 9(2)(b) exemption on the basis that the processing of data confirming whether or not an employee has been vaccinated is necessary for them to comply with their obligations under the Safety, Health and Welfare at Work Act 2005 (as amended). Appropriate safeguards must be in place to protect employees’ data protection rights.
The exemption in Article 9(2)(i) may also be applicable in the event that public health or other authorities issue guidance or directions that require the processing of health data by employers acting in accordance with such guidance or directions. Again it is important that appropriate safeguards are put in place to protect the rights of data subjects. Examples provided by the Data Protection Commission include limits on access to the data, strict time limits for erasure, and staff training.
Data Protection Commission
In March 2020, the Data Protection Commission issued guidance in relation to data protection and COVID-19. As is the case with all processing of personal data, processing of personal data in response to COVID-19 should be “necessary and proportionate”. The guidance refers specifically to the possibility that organisations may in certain circumstances be able to rely on Article 9(2)(b) or 9(2)(i) in seeking to process health data during the pandemic.
Steps to take
This area is certainly one to watch. Employees may challenge the legality of an employer’s justification for processing information regarding vaccination status and it remains to be seen what approach will be taken by the Data Protection Commission.
Employers should use this time to prepare a plan for addressing the vaccination landscape and should review and update their privacy notices. In addition, the large-scale processing of special category data requires a Data Protection Impact Assessment (DPIA) which employers should carry out before introducing a policy relating to processing the vaccination status of its employees.
1Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016