If you are responsible for GDPR matters in your workplace then you should take heed of recent guidance from the Information Commissioner’s Office (ICO) regarding the storage of COVID vaccination data.
The ICO, which is the UK’s information body set up to uphold information rights, has published guidance called ‘Data protection and Coronavirus-19 – relaxation of government measures‘. This is to help organisations and employers to comply with their data protection obligations following the Government’s relaxation of the rules relating to COVID-19.
Sharing Vaccination Data
Some employers may have checked people’s COVID-19 vaccination status historically. The ICO has outlined in this recent guidance some key things organisations need to consider around the use of this type of personal information.
Why Hold Vaccination information?
Employers may wish to seek voluntary proof of vaccination:
- to track staff vaccination levels within the workforce and assess the risk of transmission
- to ascertain an employee’s eligibility under any vaccination incentive scheme
If an employer has vaccination data it may help them with internal risk assessments and planning from an operational viewpoint.
What Is Your Purpose for Storing Information?
Now is the time to review your current practices in respect of collecting and storing this type of data. Employers now need to understand from a data protection viewpoint, what information they can request and record about their employees’ vaccination status.
An employer should consider carefully whether capturing this information can be justified, given the current position taken by the Government. Employees’ health information falls into the category of special personal data so employers must identify a lawful reason to request and process this data under data protection legislation.
The ICO guidance states that if employers collect vaccine information they must be clear what they are trying to achieve by doing so and demonstrate how it helps them achieve it. The use of data must be fair, relevant and necessary for a specific purpose.
There must also be a compelling reason for collecting this information and ‘just in case’ will not be good enough. The intention of using and processing this vaccination data must also be transparent from the employer and should not provide any risk to the employee or any detrimental impact to them.
How Long Should an Employer Retain Vaccination Data?
If you have vaccination data for your employees you should review it and ensure that it is still reasonable, fair and appropriate for you to retain this data going forward. You should safely dispose of this data if it is no longer relevant or required. If you need to store vaccination data you should do so for only as long as is necessary and review regularly.