
Vaccine Data Privacy Concerns in the Workplace


With over a million people in Scotland having received the first dose of the Covid-19 vaccination, the rollout is most certainly underway.

The vaccination programme might seem like a light at the end of the tunnel for many employers keen to get their teams back in the workplace. However, there is much debate about whether employers have the right to require employees to be vaccinated or to ask employees to disclose their vaccine status as part of their employee safety measures.

Vaccination policies

The current position in the UK is that it is not mandatory to have the COVID-19 vaccine. This is unlikely to change. Attempting to enforce a blanket policy that requires staff to receive the coronavirus vaccine may open your organisation up to discrimination claims on grounds including religion, health, disability and age. However, regardless of this, some employers are openly taking the decision to make vaccination a condition of employment for new and existing members of staff, unless they have legitimate health reasons.

The controversial term “no jab – no job” has been circulating in the media and there is much criticism about the discriminatory nature of this approach. This policy decision could be particularly detrimental to the younger workforce, who are less likely to be vaccinated until the end of the rollout and unfairly denied access to employment opportunities in the meantime. Without Government backing, employers run the risk that these actions and decisions could be successfully challenged through a legal claim.  Yet with the enormous pressure employers are under to provide a COVID-safe place to work, will employers continue to consider collecting vaccine data from staff or prospective staff?

Are employers legally allowed to collect vaccination data under data protection laws?

Strictly speaking, yes, if necessary; but employers should exercise caution and consider whether they need to process information about an employee’s vaccine status. The ICO has confirmed that data protection law isn’t a barrier to processing personal data, including health data about employees, but the ICO emphasises that employers must do this in a fair and reasonable way, only process data that is necessary, have a lawful basis for processing the information and, as ever, comply with the principles of data protection law at all times.

Data protection considerations

Depending on the size of your organisation, this process could involve collecting a vast amount of special category data. If considering collecting this data, the first step towards compliance is to complete a Data Protection Impact Assessment. This will help to assess the potential risks of processing prior to collecting the personal data, map out the best procedure to put in place, and put controls in place to mitigate any risks.

Organisations must identify a lawful basis for processing and, because information about vaccination status is special category data, organisations must select an appropriate condition from both Article 6 and Article 9 of the UK GDPR.

Practical consideration needs to be given to how the information will be stored and for how long. How will it be kept up to date and who will have access to it? Will employee privacy notices need to be updated? How will this be communicated to staff?

Processing employee personal data fairly

Before collecting vaccination data, employers should consider whether there is a significant benefit to collecting this personal data. Is it absolutely necessary and will processing be carried out in a fair and proportionate manner? This applies even if the information is disclosed on a voluntary basis.

It might appear more acceptable for an employer to determine that it has a legitimate interest to process vaccination information for health and safety reasons, to put in place appropriate social distancing and hygiene measures or to identify vulnerable employees who may need to continue to work at home. However, it could be argued that organisations could put in place, and already have successfully put in place, measures to reduce the risk of the transmission and spread of the virus without relying on the processing of sensitive health information about employees. Indeed, reports suggest that the vaccine doesn’t stop transmission in any event, but merely prevents serious reactions to COVID-19. Therefore, the argument that employers can make employment or a return to the workplace subject to vaccination with a view to preventing transmission in the workplace is untenable.

With the UK Government deferring to employers to consider how they approach the collection and use of vaccination data, and no official UK policy decision, the onus is on organisations to decide whether they will benefit from going down this path. Employers must be transparent about how the personal data will be used and treat employees fairly, irrespective of their vaccination status. It’s crucial to carefully weigh up the benefits to your organisation of processing this personal data against real risks of falling foul of data protection and employment laws.

Thorntons Data Protection Team is available to support employers to mitigate the risks of collecting Covid-19 vaccination data on employees. To find out more about how our Data Protection Services can assist, click here to view our service brochure, or alternatively please contact Morgan O’Neill, Director of Data Protection Services at

About the author

Morgan O'Neill
Director, Data Protection Services

Data Protection & GDPR

For more information, contact Morgan O'Neill or any member of the Data Protection & GDPR team on +44 131 624 6854.