Explains how the legal position on data protection will change and what organisations need to do to defend employee privacy
With COVID-19 restrictions continuing to lift, and Ireland’s society and economy re-opening, we know that many employers are now considering how they re-open workplaces and support employees in returning. A key part of doing this is understanding what information they can process in relation to their employees’ return to the workplace, particularly about vaccinations and whether they can lawfully collect and process information about the COVID-19 vaccination status of their employees.
In July 2021, the Data Protection Commissioner (DPC) provided guidance on this question for employers examining the following areas:
- Specific employment contexts
- Data minimisation
- Voluntary nature of vaccination
- Employees and travel
Currently there is no clear advice from public health authorities in Ireland on the necessity for all employers and managers of workplaces to establish the vaccination status of employees and workers. In the absence of this advice, the DPC’s general position is that it considers the processing of vaccine data is likely to represent unnecessary and excessive data collection, for which no clear legal basis exists.
You can find further information on the DPC advice for employers below or download the full guidance.
We would also encourage you to visit our advice on returning to the workplace.
Specific employment contexts
The processing of health data in response to the COVID-19 pandemic, in all contexts, should be guided by the Government’s public health policies. The current version of the Work Safely Protocol: COVID-19 National Protocol for Employers and Workers suggests that there is a limited set of circumstances in which vaccination should be offered as a workplace health and safety measure (as provided for under the Safety, Health and Welfare at Work (Biological Agents) Regulations 2013 and 2020).
There may be further situations, such as in the provision of frontline healthcare services, where vaccination can be considered a necessary safety measure, based on relevant sector-specific guidance. For example, the Medical Council’s Guide to Professional Conduct and Ethics for Registered Medical Practitioners states that practitioners 'should be vaccinated against common communicable diseases'. In these situations, it is likely that an employer will be in a position to lawfully process vaccine data on the basis of necessity.
The Work Safely Protocol also states that, 'Irrespective of the vaccination roll-out, public health infection prevention and control measures (such as physical distancing, hand hygiene, face coverings, adequate ventilation), and working from home unless an employee’s physical presence in the workplace is necessary, will all need to remain in place.' This makes it clear that there remains a full suite of measures that employers should employ to maintain workplace safety before considering whether knowledge of vaccination status is a necessary measure.
In accordance with the principle of data minimisation, employers should implement all such measures that avoid processing the personal data of employees in the first place.
Voluntary nature of vaccination
Information about a person’s vaccination status is special category personal data for the purposes of the GDPR. It represents part of their personal health record, and is afforded additional protections under data protection law. The Work Safely Protocol states that the decision to get a vaccine is voluntary and that individuals will make their own decisions in this regard. This further suggests that COVID-19 vaccination should not in general be considered a necessary workplace safety measure, and consequently, the processing of vaccine data is unlikely to be necessary or proportionate in the employment context.
Due to the nature of the National Vaccine Programme, individual workers are not in control of when they will receive a vaccine, and due to its age-based nature many younger workers will not be fully vaccinated for several months. For these reasons, it is not clear that processing vaccination status can be considered a necessary or proportionate measure in most employment situations. In addition, the long-term efficacy of vaccination in terms of immunity is not yet clear, that is, where new COVID variants may arise, or vaccine top-ups may be required. For these reasons, there does not appear to be a sufficiently evidence-based justification to consider that knowledge and processing of vaccination status can be considered necessary in employment at this time.
The processing of personal data in the context of employment takes place in a situation where there is an imbalance between the data subject (employee) and data controller (employer). Therefore, employees should not be asked to consent to the processing of vaccine data as this consent is not likely to be freely given.
Medical Officer of Health
In the course of carrying out their public health duties under the Infectious Diseases Regulations 1981, as amended, a Medical Officer of Health may require access to the vaccination status of employees. This limited type of processing is specifically permissible under data protection law, where carried out on a case-by-case basis, subject to the determination of necessity and at the request of the Medical Officer of Health.
Employees and travel
Situations may arise where employers need to be made aware of when an employee will be available for work after travelling to Ireland from abroad and undergoing any required periods of self-isolation. It should not be strictly necessary for an employee’s vaccination status to be recorded in such instances; rather, the employee can be asked to indicate the date on which they will be in a position to return to work.
The guidance above will be subject to review if the public health advice and laws relating to the nature of the virus, the pandemic and the interplay with vaccination change. Employers with questions about the collection of vaccine information in their specific sector or in a particular context should have recourse to the most up-to-date public health guidance in the first place.