Rules for employers wanting to check employees’ vaccination status

With many employees starting to return to the office, employers must consider how to manage this effectively and in accordance with the law. The Information Commissioner’s Office (ICO) has published helpful guidance on whether and in what ways employers can check and record their employees’ vaccination status. We summarise it here.

Can vaccination status be checked?
Yes, but only if your reason for checking and recording your employees’ vaccination status is clear and necessary and you have a legal basis for doing so. You should not be collecting this information “just in case”. This should always be considered by the employer before collecting the information.

The type of work your staff undertake and the industry they work in will play an important part in the decision of whether you have a legitimate reason for checking vaccination status. The examples the ICO provide are where your staff work in an environment where they have an increased chance of encountering those infected with the virus, or in a setting that poses a risk to clinically vulnerable individuals.

Health data is known as special category (or sensitive) data under UK data protection laws and must be used only if it is fair to do so, relevant and necessary for a specific purpose.

What can you do?
The ICO’s guidance states that UK data protection laws apply to the “processing” of personal data. Therefore, where you are only conducting a visual check of vaccination status (whether it be in hard copy form or a pass held on a digital device) and do not retain any personal data in your records, this would not be classed as “processing” and can be carried out more simply. As soon as you make a record of the information though, you are “processing”.

Note also that digital checks will count as “processing”, for example scanning a QR code, even if the data is not kept.

What legal basis can you rely on?
Depending on your business, you may need to process this information in the public interest, or alternatively because it is in your legitimate interests. However, if relying on the legitimate interest basis you must always ensure the individual’s interests, rights and freedoms are not undermined. In addition, you must ensure a condition for processing applies, as per applicable laws. Most relevant here is likely to be ensuring the health, safety and welfare of your employees (for example where employees are going to be sharing an office space) and substantial public interest (prevention of the virus).

Consent is rarely appropriate in employee-employer relationships as it cannot be freely given and should therefore not be relied on. However, it may be sensible to ask your employees to volunteer the information before insisting on it to reduce the risk of complaints.

Checking risk of transmission
The “Covid status” of English residents will also be available from 19 July through the use of the ‘NHS Covid Pass’. This shows a person’s risk of transmitting the virus, based on whether they have had the vaccine and testing data. It may also show whether someone is exempt from vaccination. A pass can be obtained through the NHS App, 119 service or online where transmission risk is low.

The same rules set out above apply to this information too as it constitutes special category personal data.

Other points to note

Crucially, any information collected and/or recorded must not result in any unfair treatment of staff members compared to others. If collecting the information is likely to result in a negative consequence to the individual (for example denying them employment opportunities), you must be able to justify this. Carrying out a Data Protection Impact Assessment may help to achieve this.

As with all personal data, you must accurately record the information, store it securely and keep it confidential. You must only retain the information for as long as is necessary and ensure you dispose of it safely. It is likely that you may only require a quick check and not need to retain the information on file.

You should also always bear in mind other regulations applicable to your industry, as well as current public health advice and government guidance.

For any assistance or further advice in relation to these topics or data protection generally, please get in touch.

Madeleine Rhodes          email: