Can an employer request staffs' coronavirus vaccination status?

Advice from the Information Commissioner’s Office’s (ICO) is that under the UK GDPR, employers collecting vaccination status information from employees must be doing so because it is necessary and relevant for a specific purpose.Where this is the case, the ICO confirms that there is a lawful basis for processing it. That said, before collecting vaccination status data, where the use of it is likely to result in a high risk to individuals (such as denial of employment opportunities), employers must first carry out a data protection impact assessment. This would need to consider why such data is needed, and the reason here must be clear and compelling. Whilst an employer may be able to justify collecting it in relation to making the workplace safe, particularly where there’s a health and safety risk to clinically vulnerable individuals, keeping it for monitoring purposes only would be much more difficult to justify.

Where an employer does decide to collect vaccination status data, they should only collect the information required for the purpose for which they’re collecting it and hold it for no longer than necessary. They must also be open and transparent and so should tell employees exactly what data is being collected, why they need it, what they’re using it for, how they will securely store it, for how long it will be retained and who will be able to access it (an employer can’t just share an employee’s vaccination status with other staff as that would breach the UK GDPR and duties of confidentiality). The collection of this data must also not result in any unfair or unjustified treatment of employees. Then, the position must be kept under continuous review.