New DPC Guidance States “No clear legal basis” for gathering Employee Vaccination Data

By
Eversheds Sutherland
-

by Joanne Hyde, Partner and Head of Employment and Marie McGinley, Partner and Head of IP, Technology & DP at Eversheds Sutherland

As the rollout of Ireland’s National Covid-19 Vaccination Strategy continues and businesses begin planning for a return to the office later this year, a key question on the minds of many employers is whether employees may be asked to disclose their vaccination status before returning to the workplace.

Recent guidance published by the Data Protection Commission (the “DPC”) provides some clarity on the matter. The guidance outlines that without clear advice from Irish public health authorities that it is necessary for all employers and managers to establish the vaccination status of employees, the processing of vaccination data is likely to represent unnecessary and excessive data collection for which no clear legal basis exists.

Issues identified by the DPC in respect of the processing of vaccination data include:

  • Classification as special category data: Vaccination data constitutes information in relation to health records which is considered to be “special category data”. The circumstances in which special category data can be processed are very limited.
  • Principles of necessity and proportionality: The DPC has noted that the decision to get a vaccine is entirely voluntary, it is not within the control of employees as to when they will receive a vaccine and the long-term efficacy of Covid-19 vaccination in terms of immunity is far from clear.

The DPC outlines that this suggests that vaccination should not, in general, be considered a necessary workplace safety measure. The guidance further states that at this time there does not appear to be a sufficiently evidence-based justification to consider knowledge and processing of vaccination status necessary in an employment context.

  • Reliance on consent: Given the imbalance of power in an employment relationship, the DPC states that employees should not be asked to consent to the processing of vaccination data as this consent is unlikely to meet the requirement of being “freely given”.

The DPC has acknowledged that exceptions to the general guidance will arise. For example, it states that there may be situations, such as in the provision of frontline healthcare services, where vaccination can be considered a necessary safety measure based on sector-specific guidance. In such circumstances, it is likely the employer will be in a position to process vaccination data on the basis of necessity.

In addition, the guidance makes reference to the Safety, Health and Welfare at Work (Biological Agents) Regulations 2013 and 2020 (the “Regulations”) which imposes certain obligations on employers to ensure employees in COVID-19 risk environments are kept safe.

The Regulations provide that where an employee “is, or is likely to be”, exposed to biological agents (to include Covid-19) as a result of their work, creating a risk to the health and safety of employees and for which an effective vaccine is available, the vaccine should be offered. The Protocol refers to the exploration of other protective measures where an employee does not avail of the vaccine. The Regulations apply to a limited range of circumstances, for example, employees working directly with infected patients/service users, laboratories and testing facilities handling the virus and waste companies handling SARs-CoV-2 contaminated waste.

Based on the current DPC and public health guidance employers can only lawfully request vaccination status from employees in very limited and specific circumstances. Employers may appreciate, however, that the Covid-19 pandemic is an evolving situation where public health advice continues to be reassessed and updated. Over the past year this has resulted in new Covid-19 legislation, regulations and sector-specific guidance. We will continue to monitor the developments in this area and will provide updates as and when new guidance becomes available

RELATED ARTICLESMORE FROM AUTHOR