Can employers ask employees whether they have had COVID-19 and/or been vaccinated against it?
For the purposes of Data Protection, information on whether an employee has had COVID-19 and/or has been vaccinated against it, is classified as ‘Special Category Data’.
Special Category Data requires additional protection because it's personal data that reveals certain highly sensitive information about the person disclosing it. Due to this sensitive nature, the United Kingdom’s General Data Protection Regulation (“UK GDPR”) protects it even further than personal data, and requires that the controller has a strong reasoning for wishing to process it.
An employer wishing to find out information as to whether an employee has had COVID-19 and/or has been vaccinated against it from its employees would have to have good reason for doing so. Such good reasons for processing this information take form of exemptions to the general rule against the processing of Special Category Data.
Legitimate Reasons for Processing Health Data
An employer seeking to find out whether an employee has had COVID-19 and/or has been vaccinated against COVID-19 would firstly have to be sure that they satisfy the first hurdle of protection of all personal data as found in Article 6(1) of the UK GDPR. It appears that Article 6(1)(f) would be met by most employers, in that they wish to process the data as it is necessary for the legitimate interest that they are pursuing. Article 9(2) of the UK GDPR provides that in order to process Special Category Data, a further and higher threshold must be satisfied.
Processing necessary for the Compliance with Employment Law Obligations
An employer seeking to process health data of employees may wish to explore the avenue of Article 9(2)(b) which provides that a legitimate reason for processing health data is that it is necessary to comply with employment law obligations. This avenue would be appropriate for the processing of other employee health data, such as data on disability. A request for employee disability data, however, has legal grounding in the Equality Act 2010 which places duties on employers to accommodate disability in the workplace.
At this point in time, there is no legislation that requires employers to determine whether their employees have had COVID-19 or have been vaccinated against it. As such, this avenue is short lived and processing health data for this reason would be illegitimate.
Processing necessary for Reasons of Public Health Interest
Another avenue that an employer may wish to explore is Article 9(2)(i) which provides that processing of health data would be legitimate if it is necessary for reasons of public health. This would further require that the processing would have to be carried out under supervision of a health professional or someone else with a legal duty of confidentiality. This further requirement would eliminate a vast majority of employers from exploring this avenue.
The UK GDPR provides that an example of necessity for reason of public health interest may be for the protection against serious cross-border threats to health. It is undeniable that COVID-19 certainly qualifies as a serious cross-border threat to health, however given that the employer is seeking to find out its employee’s historical health data in relation to COVID-19 (past illness, vaccination that has already taken place) it is far-fetched to suggest that this avenue is appropriate.
If an employer was seeking to know whether its employee is currently suffering from COVID-19 and therefore has real potential to infect other employees with it, this avenue may perhaps be explored further.
An employer may wish to consider whether it can request the data with the employee’s consent under Article 9(2)(a). For the purposes of UK GDPR, consent is to be freely given, specific, informed, and an unambiguous indication of the employee’s wishes by which they signify agreement to the processing of the data. This avenue carries concerns of its own, and one may question whether consent given from an employee to an employer is truly freely given, due to the relationship between them. An employer seeking to pursue this avenue ought to seek further legal advice to ensure that their request for consent effectively complies with the Data Protection regime.
On consideration of the above, it is doubtful that an employer can request information on whether an employee has had COVID-19 and/or been vaccinated against it, nonetheless, given the discussions surrounding vaccination passports following the outbreak of COVID-19, it is likely that a change in law may arise.
Get in touch
If your business needs legal support with any issues arising from COVID-19, please get in touch with Amelia Collins.
All information in this update is accurate at the time of writing. It is meant for general information only and is not legal advice.