Can I ask my employees’ if they have been vaccinated?
Please note this blog does not apply to anyone who works indoors in a Care Quality Commission (CQC) registered care home who must be fully vaccinated unless they are exempt. This comes into force on 11 November 2021.
There is nothing stopping an employer asking an employee if they have had the Covid-19 vaccination. Many employees will be more than happy to volunteer this information and if they don’t want to, that is their choice. However, if you are asking and you want to collect that information then you are into a different territory as it can have a number of GDPR issues.
Why do you need to know and collect this information?
This is where it all begins, asking yourself why you need this information? Vaccination data is classed as special category data under GDPR as it relates to an employee’s health. Therefore, an employer will need to have a lawful basis and a condition for processing this information under GDPR. The information Commissioner’s Office provide guidance here.
Do you actually need to know and record this information? If you want to know how many staff have had the vaccine to provide information in terms of safety, you could do this another way by running an anonymous survey and not holding the data. You are unlikely to be able to justify collecting the information if it is ‘just in case’ or you can achieve the goal of needing to know in another way.
You are more likely to have a lawful basis for collecting the information if your employees are more likely to encounter those infected or if your employees could pose a risk to clinically vulnerable individuals. Therefore, where coronavirus presents a specific risk. Many businesses will therefore find it hard to have a legitimate interest for the data.
What if you decide you do need to collect it and have a lawful basis?
You should carry out a data protection impact assessment, guidance can be found on the ICO website here
You must ensure the data is kept securely and that it is only shared with specific people who need to access it. It must be kept for no longer than necessary (perhaps keep this under review for now). You must also provide employees with information about why and why their vaccination data is being processed either as part of your existing privacy notice or a separate document. Communication will be key as always.