Can I check my employees, customers or visitors’ COVID status?
Before you decide to check people’s COVID status, you should be clear about what you are trying to achieve, and how asking people for their COVID status helps to achieve this.
Residents of England can now show their COVID status through the use of the NHS COVID Pass. COVID status shows a person’s risk of transmitting COVID-19 and is based on vaccine and test data. People in England with a low risk of transmission can get a COVID Pass through the NHS App, 119 service or online. Residents of Scotland, Wales and Northern Ireland can use other means of indicating their COVID status, should they need to while visiting premises in England.
A person’s COVID status is special category data, as it is their private health information. Your use of this data must be fair, relevant and necessary for a specific purpose.
Data protection is only one of many factors to consider when thinking about implementing COVID-status checks. You should take into account:
- employment law and your contracts with employees (if you are considering checking employees’ COVID status);
- health and safety requirements; and
- equalities and human rights, including privacy rights.
You should also consider other regulations in your industry, as well as current public health advice and the latest government guidance in your part of the UK.
Your reason for checking or recording people’s COVID status must be clear, necessary and transparent. If you cannot specify a use for this information and are recording it on a ‘just in case’ basis, or if you can achieve your goal without collecting this data, you are unlikely to be able to justify collecting it.
The sector you operate in, the kind of work your staff do and the health and safety risks in your setting should help you to decide if you have compelling reasons to check people’s COVID status.
The use of this information must not result in any unfair or unjustified treatment of employees, customers or visitors. You should only use it for purposes they would reasonably expect. You should treat people fairly and if the collection or use of COVID status information is likely to have a negative consequence for someone, you must be able to justify it.
If the use of this data is likely to result in a high risk to individuals (eg denial of employment opportunities or services) then you need to complete a data protection impact assessment (https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-impact-assessments/).
Does the UK GDPR apply if I decide to check people’s COVID status?
UK GDPR applies to certain ‘processing’ of personal data. If you are only conducting a visual check of COVID Passes (either a hard-copy document or a pass held on a digital device) and do not retain any personal data from it, this would not constitute ‘processing’. The activity would therefore fall outside of the UK GDPR’s scope.
However, if you are conducting checks digitally (for example, by scanning the QR code displayed on the pass), this would constitute processing of personal data – even if you do not keep a record of it. The UK GDPR would therefore apply.
If you make a record of any personal data, whether you conduct visual or digital checks, then you would be processing personal data and the UK GDPR would apply.
Can I record information about my employees’ vaccine status?
The advice set out above in relation to COVID status also applies to checking and recording your employees’ vaccine status. However, there are some additional factors to consider.
Your reason for recording your employees’ vaccination status must be clear and necessary. If you cannot specify your use for this information and are recording it on a ‘just in case’ basis, or if you can achieve your goal without collecting this data, you are unlikely to be able to justify collecting it. You should also take into account that accepting the offer of a vaccine is a personal decision, which could be influenced by a number of factors.
The sector you work in, the kind of work your staff do and the health and safety risks in your workplace should help you to decide if you have legitimate reasons to record whether your staff have had the COVID-19 vaccine. For example, if your employees:
- work somewhere where they are more likely to encounter those infected with COVID-19; or
- could pose a risk to clinically vulnerable individuals,
this may form part of your justification for collecting employee vaccination status. However, if you only keep on record who is vaccinated for monitoring purposes, it is more difficult to justify holding this information.
The collection of this information must not result in any unfair or unjustified treatment of employees and you should only use it for purposes they would reasonably expect. You should treat staff fairly and if the collection of this information is likely to have a negative consequence for an employee, you must be able to justify it.
If the use of this data is likely to result in a high risk to individuals (eg denial of employment opportunities) then you need to complete a data protection impact assessment before you start processing the data.
You should accurately record the information that you collect and ensure that the collection and storage is secure. You should respect any duty of confidentiality you owe, and you should not routinely disclose a person’s vaccine status unless you have a legitimate and necessary reason to do so.
If you are recording vaccination information, you must ensure that you do not hold the information for longer than is necessary and do not use the data in ways people would not reasonably expect.