Source: Information Commissioner's Office
- Can I check my employees, customers or visitors’ COVID status?
- Does the UK GDPR apply if I decide to check people’s COVID status?
- What lawful basis should I use for checking people’s COVID status?
- What else do we need to do if we process the COVID status of staff, customers or visitors?
- Can I record information about my employees’ vaccine status?
Before you decide to check people’s COVID status, you should be clear about what you are trying to achieve, and how asking people for their COVID status helps to achieve this.
Residents of England can now show their COVID status through use of the NHS COVID Pass. COVID status shows a person’s risk of transmitting COVID-19 and is based on vaccine and test data. People in England with a low risk of transmission can get a COVID Pass through the NHS App, 119 service or online. Residents of Scotland, Wales and Northern Ireland can use other means of indicating their COVID status, should they need to while visiting premises in England.
A person’s COVID status is special category data, as it is their private health information. Your use of this data must be fair, relevant and necessary for a specific purpose.
Data protection is only one of many factors to consider when thinking about implementing COVID-status checks. You should take into account:
- employment law and your contracts with employees (if you are considering checking employees’ COVID status);
- health and safety requirements; and
- equalities and human rights, including privacy rights.
You should also consider other regulations in your industry, as well as current public health advice and the latest government guidance in your part of the UK.
Your reason for checking or recording people’s COVID status must be clear, necessary and transparent. If you cannot specify a use for this information and are recording it on a ‘just in case’ basis, or if you can achieve your goal without collecting this data, you are unlikely to be able to justify collecting it.
The sector you operate in, the kind of work your staff do and the health and safety risks in your setting should help you to decide if you have compelling reasons to check people’s COVID status.
The use of this information must not result in any unfair or unjustified treatment of employees, customers or visitors. You should only use it for purposes they would reasonably expect. You should treat people fairly and if the collection or use of COVID status information is likely to have a negative consequence for someone, you must be able to justify it.
If the use of this data is likely to result in a high risk to individuals (eg denial of employment opportunities or services) then you need to complete a data protection impact assessment.
UK GDPR applies to certain ‘processing’ of personal data. If you are only conducting a visual check of COVID Passes (either a hard-copy document or a pass held on a digital device) and do not retain any personal data from it, this would not constitute ‘processing’. The activity would therefore fall outside of the UK GDPR’s scope.
However, if you are conducting checks digitally (for example, by scanning the QR code displayed on the pass), this would constitute processing of personal data – even if you do not keep a record of it. The UK GDPR would therefore apply.
If you make a record of any personal data, whether you conduct visual or digital checks, then you would be processing personal data and the UK GDPR would apply.
If there is a good reason for checking people’s COVID status, it is highly likely there would be an appropriate lawful basis for processing it. For public authorities carrying out their function, public task may be applicable. For other public or private employers, legitimate interests is most likely to be appropriate, but you need to make your own assessment for your organisation.
A person’s COVID status is health data, which has the protected status of ‘special category data’ under data protection law. This means it requires extra protection. You must also identify an Article 9 condition for processing. The two you could consider are:
- the employment condition; or
- the public health condition.
If you intend to rely on the public health condition, you must ensure that either a health professional carries out the processing, or that you tell people you are treating their COVID status as confidential and would only disclose it in clearly defined circumstances.
Consent is rarely appropriate in an employment setting given the imbalance of power between the employer and employee. Similarly, consent is unlikely to be appropriate where checking a COVID pass is a condition of entry to your premises. This is because you cannot consider consent to be ‘freely given’ in these circumstances. More information about consent under the UK GDPR is available in the ICO's guidance on consent.
If you decide that you can justify implementing COVID-status certification, you must be open and transparent. You must make sure that people understand why you need to collect this information, and what you’re using it for.
You should ensure that the collection of this data is secure. You should respect any duty of confidentiality you owe, and you should not routinely disclose a person’s COVID status unless you have a legitimate and justifiable reason to do so.
You must also ensure that you do not hold the information for longer than is necessary, and do not use the data in ways people would not reasonably expect. In most circumstances, you probably only need to make a check of someone’s COVID status certificate or pass and would not need to retain any information. You would need to clearly justify any records you keep or retention of information.
You should regularly review whether you still need to process COVID status data.
The advice set out above in relation to COVID status also applies to checking and recording your employees’ vaccine status. However, there are some additional factors to consider.
Your reason for recording your employees’ vaccination status must be clear and necessary. If you cannot specify your use for this information and are recording it on a ‘just in case’ basis, or if you can achieve your goal without collecting this data, you are unlikely to be able to justify collecting it. You should also take into account that accepting the offer of a vaccine is a personal decision, which could be influenced by a number of factors.
The sector you work in, the kind of work your staff do and the health and safety risks in your workplace should help you to decide if you have legitimate reasons to record whether your staff have had the COVID-19 vaccine. For example, if your employees:
- work somewhere where they are more likely to encounter those infected with COVID-19; or
- could pose a risk to clinically vulnerable individuals,
this may form part of your justification for collecting employee vaccination status. However, if you only keep on record who is vaccinated for monitoring purposes, it is more difficult to justify holding this information.
The collection of this information must not result in any unfair or unjustified treatment of employees and you should only use it for purposes they would reasonably expect. You should treat staff fairly and if the collection of this information is likely to have a negative consequence for an employee, you must be able to justify it.
If the use of this data is likely to result in a high risk to individuals (eg denial of employment opportunities) then you need to complete a data protection impact assessment before you start processing the data.
You should accurately record the information that you collect and ensure that the collection and storage is secure. You should respect any duty of confidentiality you owe, and you should not routinely disclose a person’s vaccine status unless you have a legitimate and necessary reason to do so.
If you are recording vaccination information, you must ensure that you do not hold the information for longer than is necessary, and do not use the data in ways people would not reasonably expect.