The Covid-19 pandemic has resulted in many employers facing difficult and untested employment law issues. You will already be aware that all employers have a legal duty to ensure the health, welfare, and safety of their employees, so far as is reasonably practicable. As part of their return to the workplace strategy, many employers are now considering asking employees if they have had a Covid-19 vaccination. This raises some important data protection issues which we explore here.
Can we ask our employees to disclose their vaccination status?
Yes, you can ask employees if they have received a Covid-19 vaccination, but you must be clear about your reasons for doing so. This kind of information is classed as ‘special category data’ under the UK GDPR so you must also comply with specific conditions for processing it. Your use of this data must be fair, necessary, and relevant for a specific purpose. You need to meet one of the conditions for processing under Article 9 of the UK GDPR such as explicit consent; or employment (such as ensuring the health, safety, and welfare of employees); and so on.
The Information Commissioners Office (ICO) states that you should be clear about what you are trying to achieve by collecting data on vaccination status and how recording staff vaccination status will help you to achieve this. In particular, the collection of this information must not result in any unfair or unjustified treatment of employees and should only be used for purposes they would reasonably expect.
What lawful basis should I use to record my employees’ vaccination status?
If there is a good reason for collecting information about vaccination status, then there is likely to be a lawful basis for processing it. Most employers operating workplaces will have a legitimate reason to collect such data because of the requirements upon them to undertake Covid- 19 risk assessments and protect their employees’ health and safety.
Do we need to carry out a data protection impact assessment (DPIA)?
You must do a DPIA for any type of processing which is likely to be ‘high risk’ to the individual. For example, if they will be denied employment opportunities if they are not vaccinated. If in doubt, we recommend that you carry out a DPIA.
What should be in the DPIA?
There are a number of areas that you will need to consider, including:
What if someone refuses to tell us if they have been vaccinated?
You should not immediately discipline someone for not telling you if they have been vaccinated. The best approach will be one of open, transparent communications focussed on trying to understand the reasons why they do not want to give you this information. For example, perhaps they are concerned about how their data will be used or stored, or that it will be shared with other employees. You can give them reassurances about this and refer them to your data protection policies, which should all be GDPR compliant. You can also explain that you have duties to protect the health and safety of employees and that this information will help you to assess any potential risks and put mitigation measures in place to protect staff as far as is reasonably practicable. In some circumstances however, a failure to disclose vaccination status can be treated as a disciplinary matter.
Can we require all employees to be vaccinated?
No; you will not be able to apply a blanket policy that requires staff to be vaccinated before they can return to the workplace. Remember that some individuals who have a serious allergic reaction to any of the vaccine ingredients are advised to avoid vaccination, while others have been advised to avoid specific vaccines in favour of another. For example, those with a history of blood clotting are advised to avoid the AstraZeneca vaccine and so may face delays in obtaining specific vaccine appointments. It is therefore essential to understand the reasons why someone may be refusing to be vaccinated or is delaying vaccination.
But there are also risks associated with treating vaccinated and non-vaccinated employees differently. Indirect discrimination occurs when a provision, criterion, or practice (or PCP) puts a group with a protected characteristic (e.g., disability, sex, age) at a significant disadvantage in comparison to those who do not share the protected characteristic. The employer would need to show that the PCP is a proportionate means of achieving a legitimate aim. You would need to show that mandating the vaccine was a proportionate means of achieving this. Each situation will need to be approached on a case-by-case basis to assess whether there is potentially a risk of discrimination from your approach or your company’s policies. Make sure that any policies you have do not fall into this trap.
What kind of discrimination claims could employees bring?
If, for example, you introduce a policy stating that vaccinated employees may return to the office and the non-vaccinated employees must continue to work from home, this might discriminate indirectly against certain groups. For instance, this could be disability discrimination because there may be some individuals who are advised not to have the vaccine due to an underlying medical condition. Or it could be age discrimination because the government has not reached the under 30s age group yet.
Can we dismiss someone who refuses to have the vaccine?
There would be very significant risks of unfair dismissal claims and discrimination claims associated with dismissing employees who refuse to have the vaccine. This is an untested area of law, but it is likely that most employers would struggle to establish a fair dismissal in these circumstances. It has been suggested that this could even be discrimination on the grounds of philosophical belief (a protected characteristic), but that would imply that the beliefs of the anti-vaccination movement were coherent and worthy of respect in a democratic society, and this is doubtful.
What else do we need to do if we collect information about whether staff are vaccinated?
Make sure your staff understand why you need to collect this information and what you are using it for. Tell people that you are treating their vaccination status as confidential. Limit what you collect, (for example, you do not need to know which brand of vaccine someone has had). Accurately record the information you collect and make sure it is securely stored with access limited solely to those who need to have it. When you no longer have grounds for collecting and retaining this data, for instance, when everyone has been vaccinated, the data should be destroyed.
(Source: 3CS Corporate Solicitors)
新冠肺炎大流行导致许多雇主面临困难和未经考验的劳动法律问题。您应已知悉，所有雇主均有法律责任在合理可行范围内确保员 工的健康、福利及安全。作为重返工作场所策略的一部分，许多雇主现在正在考虑询问员工是否接种了Covid-19疫苗。这提出了一些 重要的数据保护问题，我们将在这里探讨这些问题。
可以，您可以询问员工是否接种了Covid-19疫苗，但您必须清楚这样做的原因。根据英国GDPR，此类信息被归类为“特殊类别数 据”，因此您在处理此类信息时也必须遵守特定条件。您对这些数据的使用必须是公平的、必要的，并且与特定目的相关。您需要 满足英国GDPR第9条规定的处理条件之一，如明确同意;或雇佣(如确保雇员的健康、安全和福利);等等。
如果有人没有告诉公司，他们是否接种了疫苗，您不应该立即惩罚他。最好的方法是公开、透明的沟通，集中于试图理解他们不 愿向您提供这些信息的原因。例如，他们可能关心他们的数据将如何被使用或存储，或者这些数据将如何与其他员工共享。您可 以向他们保证这一点，并让他们参考您的数据保护政策，这些政策都应该符合GDPR。您还可以解释，您有责任保护员工的健康和 安全，该信息将帮助您评估任何潜在风险，并在合理可行的情况下采取缓解措施保护员工。然而，在某些情况下，未披露疫苗接 种状况可被视为纪律问题。
不行;您将不能实施要求员工在返回工作场所之前接种疫苗的一揽子政策。请记住，一些对任何疫苗成分有严重过敏反应的人建 议避免接种疫苗，而另一些人则建议避免接种特定疫苗而选择另一种疫苗。例如，有血液凝血史的人建议避免使用阿斯利康疫 苗，因此可能会延迟获得特定的疫苗预约。因此，必须了解员工可能拒绝接种疫苗或推迟接种疫苗的原因。
但是，对接种疫苗和未接种疫苗的员工的处理也存在不同的风险。当某一条款、标准或实践(或PCP)将具有某一受保护特征(如残 疾、性别、年龄)的群体与不具有该受保护特征的群体相比处于显著劣势时，就出现了间接歧视。雇主需要证明PCP是实现合法目 标的适当手段。您需要证明，授权生产疫苗是实现这一目标的适当手段。每一种情况都需要根据具体情况进行处理，以评估您的 方法或公司的政策是否存在潜在的歧视风险。确保您的任何政策都不会落入这个陷阱。
例如，如果您引入一项政策，规定接种了疫苗的员工可以返回办公室，而未接种疫苗的 员工必须继续在家工作，这可能间接歧视某些群体。例如，这可能是残疾歧视，因为可 能有些人由于潜在的医疗状况而被建议不接种疫苗。或者可能是年龄歧视，因为政府还 没有达到30岁以下的年龄组。
由于拒绝接种疫苗而被解雇的员工，将面临非常严重的不公平解雇索赔和歧视索赔风险，这是一个未经法律检验的领域。但在这 种情况下，可能大多数雇主都难以确立公平解雇。有人提出，这甚至可能是基于哲学信念的歧视(受保护的特性)，但这将意味 着，在民主社会，反疫苗运动的信念是前后一致的，值得尊重的。这也是值得怀疑的。
确保您的员工理解您为什么需要收集这些信息，以及您使用这些信息的目的。告诉员工您正在对他们的疫苗接种状况保密。限制 您收集疫苗的信息(例如，您不需要知道某人使用的是什么牌子的疫苗)。准确地记录您收集的信息，并确保它被安全地存储，只 有那些需要它的人才能访问。当您不再有理由收集和保存这些数据时，例如，当每个人都接种了疫苗时，这些数据就应该被销 毁。