“Strongly encouraging” staff to reveal vaccination status – an employment and data protection minefield?

On 11 June 2021, it was reported that Goldman Sachs’ UK staff are being “strongly encouraged” to reveal if they have received a COVID-19 vaccination. The headline is likely to have drawn some sharp breaths from many employment and data protection lawyers, particularly as the article states that Goldman Sachs require their US staff to reveal their vaccination status which gives the strong impression that UK staff may feel pressurised into providing their medical information.

However, UK lawyers can relax somewhat as it transpires that staff responses will be recorded anonymously.

If Goldman Sachs are unable to trace the identity of the staff member (e.g. because they have engaged a third-party survey provider which is under strict obligations to only provide details of numbers of staff who have been vaccinated), staff may be reassured that this medical information will not be able to be used against them in terms of their employment status or opportunities. In that circumstance, the data will not constitute personal data for data protection purposes (as it will not be referrable to a living individual).

However, before an employer chooses to require their staff to reveal their vaccination status on a named basis, they will need to consider employment law issues, human rights issues and their data protection obligations.

Employment law and human rights issues

On 16 June, the Government announced that, subject to Parliamentary approval, from October 2021 those working in CQC registered care homes will have to be fully vaccinated unless they have a medical exemption, and there will be further consultation as to whether to extend this requirement to other health and social care settings.

Therefore, employers would be wise not to implement a mandatory vaccination policy as it is likely to give rise to a number of legal issues and complaints, the most significant of which is that vaccinating someone against their wishes other than in compliance with the law will be a criminal offence of battery.

In terms of employment law, imposing a policy which prevents non-vaccinated staff from entering the workplace or restricting their duties could result in claims for:

1. disability discrimination – as some people are medically advised not to have the vaccine due to underlying medical conditions (such as severe allergies and certain blood disorders), while those with immune system disorders may not respond well to the vaccine and people with long Covid are currently advised that they may need to defer having the vaccine;
2. pregnancy discrimination – current Government guidance is that the Pfizer and Moderna vaccines can be offered to pregnant women, although the clinical trials did not involve pregnant women and previous Government advice was to avoid having the vaccine during pregnancy, so some pregnant workers may be concerned about having a vaccine;
3. age discrimination – as the vaccine programme is being rolled out on a risk basis which is linked to age, the youngest workers have yet to be invited for vaccination and many workers will have only received one dose so far;
4. religion or belief discrimination if the individual rejects the vaccination on the basis of their religious or other philosophical belief;
5. constructive dismissal – as some may argue that disadvantaging an employee who has not received a vaccination against the individual’s wishes is a fundamental breach of contract, particularly as current Government advice is clear that the vaccination status of a workforce has no impact on the COVID-secure guidelines employers must follow and so preventing an unvaccinated staff member from entering the workplace will be hard to justify;
6. breach of human rights – Article 9 (freedom of thought, conscience and religion) and/or the right to private life protected by Article 8 (although previous Czech and Ukrainian cases about mandatory vaccinations have not found these articles to be breached on the circumstances of those cases);
7. personal injury if the individual suffers a long-term or serious adverse effects from the vaccination; and
8. breach of contract and unlawful deduction from wages if the employer refuses to pay an unvaccinated member of staff who was therefore prevented from attending the workplace by their employer.

Current ACAS guidance is for employers to encourage staff to have the vaccine by offering paid time off to attend vaccination appointments, but not to make vaccination compulsory. Previous ACAS guidance that vaccination could be made mandatory where required for the job (e.g. international travel to countries which require visitors to be vaccinated) has been removed.

Data protection issues

If an employer wishes to retain details of which of its staff members have been vaccinated, it is well advised to consider the ICO guidance specifically issued in respect of vaccination records. Such records are, of course, health records and so are special category data, meaning that they need both a standard lawful basis and a special category lawful basis for processing. The ICO guidance repeats that consent is unlikely to be a valid lawful basis in an employment relationship, so employers will need to be able to show that the processing is:

1. necessary for the purpose of complying with its obligations under employment law e.g. providing a safe working environment (although this is the ground which is most likely to apply, it may nonetheless be hard given the current Government guidance mentioned above which is clear that the vaccination status of a workforce has no impact on the COVID-secure guidelines employers must follow); or
2. some have suggested that an employer may be able to argue that the processing is necessary to assess the working capacity of the employee, however, as whether an employee has been vaccinated does not affect their ability to undertake their job (other than in care homes once Parliament approves the Government’s proposal) this is a weak legal argument;
3. necessary on public health grounds; however, this argument is only available where the processing is carried out by a health professional.

If employers do satisfy themselves that they have a special category lawful basis to record the data, they will need to be transparent with their staff about:

1. exactly what data is being stored;
2. why the data is being held;
3. for how long it will be retained (which in this fast-moving context may not be long at all, particularly as the vaccine rollout progresses across the country); and
4. with whom the data will be shared.

As with all health data, employers will need to ensure that it is kept confidential and, generally speaking, not shared with colleagues. The ICO points out that where the use of vaccination data is likely to result in a high risk to individuals, such as a denial of employment opportunities, the employers should complete a Data Protection Impact Assessment (DPIA).

Given the vast number of employment law and data protection issues involved in holding vaccination records, which are linked to particular individuals, it’s easy to understand why Goldman Sachs has taken the decision to merely ask for such information to be provided on an anonymous basis.