More than 130,000 people received the first tranche of Pfizer/BioNTech vaccines against coronavirus this week, according to government reports, with 200 local vaccination centres due to be up and running before Christmas.
Moving into next year, the delivery of vaccines will be prioritised across a number of groups, starting with care home residents and workers, then those over the age of 80, eventually moving to those between the ages of 50 and 54.
This particular vaccine is given in two doses, three weeks apart, but it is likely to be months before it covers all nine groups in the priority list, let alone the rest of the population.
The roll-out of the vaccine has nonetheless got employers thinking about whether they will collect, and how they might manage data around workers’ vaccination status. And, as a greater proportion start to receive it, how this information might influence how they return to the office.
Why are you collecting it?
The key consideration when collecting sensitive data of any sort – as was demonstrated with concerns around test result data at the start of the pandemic – is that there is a legitimate reason for collecting it and processing it at all.
“The Information Commissioner’s Office (ICO) published guidance in June, emphasising that ‘data protection does not stop you asking employees whether they are experiencing any Covid-19 symptoms or introducing appropriate testing, as long as the principles of the law – transparency, fairness and proportionality – are applied’,” explains Katherine Zangana, senior associate at Lawrence Stephens.
“It also set out six key data protection steps which cover only collecting and using what is necessary, data minimisation, transparency to staff, treating people fairly, keeping data secure and ensuring staff can exercise their information rights.
“The ICO notes that it ‘will continue to help organisations and businesses through the current recovery phase by supporting innovation and economic growth, while ensuring that people’s information rights are not set aside’.”
Too soon to know
While some organisations could argue that collecting data on who has been vaccinated comes under similar scope as testing, the truth is it simply too early to know, according to Ian de Freitas, partner and data protection expert at law firm Farrer & Co.
“At the moment I don’t think anyone knows if there’s a good reason to collect this data,” he says. “We don’t know for sure that the vaccine will stop transmission. Data could be relevant if it meant you could let some people back to work without the need for social distancing, but this is all subject to further government guidance.”
Until the vaccine has been rolled out effectively and enough data is reported on its effectiveness, we should not change our procedures and policies” – Tania de Bruler, Specialised HR Solutions
Under both GDPR and the Data Protection Act, processing of personal data concerning health constitutes a special category so is prohibited, unless “necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment” and “providing for appropriate safeguards for the fundamental rights and the interests of the data subject”.
This is not likely to change after 1 January 2021 when the UK withdraws from the European Union. “From 1 January GDPR simply transfers over to become UK law,” explains de Freitas. While this does not prevent further changes to law in the longer term, the principles that have been in place since 2018 will still stand.
Part of the challenge is the unprecedented nature of mass vaccination. “To date, employers have not been collecting medical data on employees relating to vaccinations as standard. It has not been seen as a benefit to the employer or the employee,” argues Tania de Bruler, owner of consultancy Specialised HR Solutions, which supports vegan, ethical and charitable organisations with HR support.
“If someone had a vaccination for meningitis or influenza when they were younger, what benefit would this information be to the employer during the course of employment?” De Bruler agrees that it is too early to tell if it will be a “foolproof preventive measure”.
“We are explaining to clients that although we understand the concern as to whether one of their employees is ‘safe’ to work with others (that they have had the vaccination for Covid-19), we don’t know as yet whether the vaccine will completely prevent someone from catching the virus.
“Until the vaccine has been rolled out effectively and enough data is reported on its effectiveness, we should not change our procedures and policies. Employers should continue to exercise caution and ensure that social distancing and keeping safe guidelines are adhered to in the workplace.”
Helen Barge, managing director of Risk Evolves, a GDPR and risk consultancy, says that while employers will want to take steps to reduce the risk of infection, there needs to be a “very clear reason” why any specific vaccination data is needed.
“Currently the virus offers around 90% immunity but is not 100% and as an employer you don’t know if your employee falls into the 90% or the 10%,” she says. “Equally, there is still a risk to all other employees so until the government says otherwise all the other precautionary measures should continue.”
Data impact assessment
Part of the consideration of whether there is a legitimate reason to collect the data is what the benefit of this information will be. “Carry out a data impact assessment to weigh up the impact of processing versus benefit, and ensure you’re collecting only the limited amount of data you need to get that benefit,” says Esther Langdon, senior associate at Vedder Price.
You can’t compel employees to tell you, but you can explain why you’re asking them, where it will be stored, and what you’ll do with it” – Ian de Freitas, Farrer & Co
Be mindful, too, that the situation around vaccination is likely to remain fluid for months to come, and this will impact the justifications around collecting and storing data. De Freitas adds: “It’s important to keep reviewing to see whether you can keep the data for as long as intended. We don’t know yet how long the vaccination will be effective for. If it became an annual thing, for example, why would you keep the data longer than a year?”
Whatever degree of data collected around vaccination, there needs to be transparency around why it is being collected, who will see it and how it will be used. Encouraging employees to share this information is fine, but their consent is not grounds in itself for collecting it, he says: “You can’t compel employees to tell you, but you can explain why you’re asking them, where it will be stored, and what you’ll do with it.”
With a further furlough extension announced yesterday and a strong possibility of further lockdowns in early 2021, return to work plans may well be postponed. “If most people remain at home, it begs the question whether it matters to even think about collecting this information,” says Langdon. “It will become a national conversation though, so think about where the data you collect fits into that.”