GDPR And The Self-Isolation Rules For Those Who Are Fully Vaccinated – 16 August 2021
From today, persons who are fully vaccinated and identified as a close contact of a Covid case will no longer have to self-isolate for 10 days. Those persons who had already started isolating before 16 August 2021 can also stop today, provided they are fully vaccinated.
Those identified as a close contact who are fully vaccinated are still advised to take a PCR Covid test on Day 2 and Day 8. If they test positive, they must self-isolate, even if they do not have symptoms of the disease. As those aged under 18 will not have had the opportunity to be fully vaccinated, if they are identified as a close contact they must self-isolate and book a PCR test. However, if the PCR test is negative, they can end self-isolation.
Questions for businesses
The changes are certainly welcomed by businesses, many of whom have been struggling with staffing levels due to self-isolation.
However, the changes have also raised questions about what steps employers can take to understand the vaccination status of employees. As Members will be aware, vaccination status is health information and therefore falls under the definition of ‘special category’ data under the UK GDPR and the Data Protection Act. Your use of this data must be fair, relevant and necessary for a specific purpose.
Data Protection considerations
The Information Commissioner’s Office (ICO) has published guidance, “Vaccination and COVID status checks”, which can be found on the ICO website.
Whilst the guidance has not been drafted or updated with the self-isolation rules specifically in mind, it is a very useful resource. As Members will be aware, any complaints about the handling of personal data are made to the ICO and it will be important that you are able to justify the reasonableness of any steps you take in the context of the ICO guidance.
Members should note that data protection legislation applies to the ‘processing’ of personal data. If you are only conducting a visual check of a Covid pass (either a hard-copy document or a pass held on a digital device) and do not retain any personal data from it, this would not constitute ‘processing’ and the GDPR does not apply. However, businesses are likely to take the view it is best practice to make some note or record an individual’s Covid vaccine status to evidence why the employee was not required to isolate. Once any record is made of an individual’s status, the GDPR applies.
Can employers record information about employees’ vaccine status?
Employers can keep a record of vaccine status provided they meet the requirements of the GDPR.
Consider the purpose of the collection
The ICO guidance confirms that data collection is permitted where the data is necessary and relevant for a specific purpose. You should therefore be clear about what you are trying to achieve and how recording employees’ vaccination status will help you to achieve this.
The ICO states:
“Your reason for recording your employees’ vaccination status must be clear and necessary. If you cannot specify your use for this information and are recording it on a ‘just in case’ basis, or if you can achieve your goal without collecting this data, you are unlikely to be able to justify collecting it. You should also take into account that accepting the offer of a vaccine is a personal decision, which could be influenced by a number of factors.”
The purpose of the collection must be clear and transparent at the point the data is collected. In other words, it would not be justifiable to collect vaccine status data on the basis it would be good to know or may be relevant in the future.
Similarly, we are of the view that it would be disproportionate and unnecessary to collect the vaccine status of all employees. The purpose of collecting the vaccine status data is to understand whether an employee is genuinely exempt from mandatory self-isolation. However, not all employees will be identified as close contacts of a positive Covid case; to require everyone to disclose their vaccine status would, in our view, be gathering an excessive amount of special category data.
What is the lawful basis for processing?
The ICO has also confirmed that, if you have a good reason for collecting the data, there are potential lawful bases for doing so. The guidance states that for private employers, legitimate interests is most likely to be appropriate, but you need to make your own assessment for your organisation. We are of the view that employers should be able to establish that it is in their legitimate interests to know whether an employee is vaccinated, so that the rules on self-isolation can be complied with and safety in the workplace ensured.
As set out above, Covid vaccine status is health data and so you must also identify an Article 9 condition for processing. The ICO states the two you could consider are:
- the employment condition; or
- the public health condition.
If you intend to rely on the public health condition, you must ensure that either a health professional carries out the processing, or that you tell people you are treating their Covid status as confidential and would only disclose it in clearly defined circumstances.
The ICO guidance contains a clear reminder that consent is rarely appropriate in an employment setting given the imbalance of power between the employer and employee. Similarly, consent is unlikely to be appropriate where checking Covid vaccine status is a condition of entry to your premises/to work. This is because you cannot consider consent to be ‘freely given’ in these circumstances.
Carry out a Data Privacy Impact Assessment (DPIA)
The ICO also recommends that “if the use of this data is likely to result in a high risk to individuals (eg denial of employment opportunities) then you need to complete a data protection impact assessment before you start processing the data.”
As the collection of vaccine status data is likely to be a new type of data collection in many organisations, the ICO advice is that you conduct a DPIA. The benefit of this is that it will also help your organisation to ensure appropriate steps have been taken before the data is collected, including:
- Identifying the legal basis for processing;
- Considering whether the processing is covered by the existing privacy notice or whether a new or revised privacy notice will be required;
- Setting the retention period for the vaccine data;
- Identifying who the data will be shared with;
- Putting appropriate security measures in place; and
- Identifying whether the data will be transferred outside the EEA.
How long should the data be retained and who should have access to it?
With regard to retention periods and the requirement not to keep personal data for longer than necessary: once there is ‘herd immunity’, or if the rules on self-isolation are removed or cease to differentiate between those who are and are not fully vaccinated, you may no longer have a reason to retain the information.
As part of the DPIA you must consider who will have access to the vaccine data. Our advice is that access should be limited as tightly as possible to those who really need it. The ICO states: “You should respect any duty of confidentiality you owe, and you should not routinely disclose a person’s vaccine status unless you have a legitimate and necessary reason to do so.”
What can you do with the vaccine data you collect?
The ICO guidance confirms “the collection of this information must not result in any unfair or unjustified treatment of employees, and you should only use it for purposes they would reasonably expect.”
In other words, you must be clear from the outset why you are collecting this personal data and you must be clear about what you intend to do with it. This helps employees understand how you will use the data so that they can make an informed decision about whether they are happy to share their details.
If employees are informed that the gathering of their vaccine data is for the sole purpose of understanding whether they are exempt from self-isolation, it would be a breach if data is later used, for example, to decide to place only vaccinated people in one area of the production floor.
Next steps
We recommend Members update their workforce on the new rules on self-isolation. You should clearly communicate the steps staff must take if they have been identified as a close contact and the evidence you require if they believe they do not need to isolate. We recommend this communication also contains a “just in time” privacy statement that will supplement your existing employee privacy notice.
Where vaccine data is to be gathered, you should carry out a DPIA.