While the substantive advice on processing vaccination status data has not changed (it is not necessary and legitimate to process vaccination status in order to manage COVID-19 in the workplace), the Guidance now specifically states that if the public health advice were to change in this regard, then that could potentially provide a legitimate basis for such processing by employers. Helpfully, it also notes that the primary source of public health advice in this context is the Work Safely Protocol. It also states that the Guidance will be further updated should public health advice change.
The Guidance refers to the concept of data minimisation and points out that: the full suite of the infection prevention and control measures set out in the Protocol should be considered before making any assessment as to whether knowledge of vaccination status is necessary. Employers should implement all such measures that avoid processing the personal data of employees in the first place.
It reiterates that the Protocol makes it clear that the decision to get a vaccine is voluntary, which “suggests that COVID-19 vaccination should not in general be considered a necessary workplace safety measure and consequently, the processing of vaccine data is unlikely to be necessary or proportionate in the most employment contexts”. It then considers certain specific employment contexts within which the processing of vaccination status data may be deemed necessary, subject to a risk assessment and with reference to sector-specific public health guidance (for example, as provided for under the Safety, Health and Welfare at Work (Biological Agents) Regulations 2013 and 2020 or in the provision of healthcare services, where vaccination can be considered a necessary safety measure, based on relevant sector-specific guidance).
It also notes that employees should not be asked to consent to the processing of vaccine data, as this consent is not likely to be freely given due to the imbalance of power between parties.
Finally, the Guidance makes it clear that, in the course of carrying out their public health duties, a Medical Officer of Health may require access to the vaccination status of employees, which may occur where an outbreak has been identified in a workplace, and is specifically permissible under data protection law where carried out on a case-by-case basis, subject to the determination of necessity and at the request of the Medical Officer of Health.