21st Jul 2021

Coronavirus Vaccinations and Status – What are your data protection obligations?

Following on from our recent article on what employers need to know when it comes to coronavirus vaccinations, here we answer some questions clients have recently asked about your data protection obligations when checking someone’s vaccination and COVID-19 status:

Can we check our employees’, customers’ and visitors’ COVID-19 status?

Yes, you can, but before doing so, you should be clear about what you are trying to achieve, and how asking people for their COVID-19 status helps to achieve this.

A person’s COVID-19 and vaccination status is “special category data”, as it’s private health information for the purposes of “processing” under data protection law.

Those living in England (https://www.nhs.uk/conditions/coronavirus-covid-19/covid-pass/) can now show their COVID-19 status through the use of the NHS COVID Pass.  This is available to individuals who are fully vaccinated, have tested negative in the previous 48 hours (using either a PCR test or lateral flow test) or can be taken to have natural immunity because they had a positive PCR test in the previous 6 months.

This NHS COVID Pass is available to all adults (over the age of 18) as of 19 July and can be used as proof of COVID-19 status when travelling abroad.

People can get it through the NHS App, 119 service or online.  There are different ways of showing COVID-19 status for people living elsewhere in the UK (including Northern Ireland).

In carrying out these status checks or recording this information, your reasons must be clear, compelling and transparent.  

If you have no specified use for this information and are recording it on a “just in case” basis, or you can achieve your goal without collecting this data, you are unlikely to be able to justify collecting it.

The sector you work in, the kind of work your staff do and the health and safety risks in your workplace should help you to decide if you have compelling reasons to record whether your staff have had the vaccine. For example, if your employees:

  • Work in a health and social care setting or somewhere they are likely to encounter those infected with COVID-19; or
  • Could pose a risk to clinically vulnerable individuals.

This may form part of your justification for checking and recording any COVID-19 status or vaccination information.

The use of this information must not result in any unfair or unjustified treatment of employees, customers or visitors. You should only use it for purposes they would reasonably expect.

Do data protection laws apply if we decide to check people’s COVID-19 status?

The UK’s data protection laws apply to certain “processing” of personal data. 

If you are only carrying out a visual check of a person’s NHS COVID Pass (either a hard copy document or pass held on a smart phone, for example), and you don’t retain or record any personal data from it, then this would not amount to “processing”.

However, if you are conducting checks digitally (for example, by scanning the QR code on the Pass), this will constitute the processing of personal data, even if you do not keep a record of it.  Therefore, the UK data protection laws will apply.

It’s worth emphasising that it’s the recording of any personal data from these status checks, whether visual or digital, that will amount to processing and the data protection obligations will apply.

What else do we need to do if we process the COVID-19 status of our employees, customers or visitors?

As well as having clear, compelling and transparent reasons, you must make sure that people understand why you need to collect this information, and what you’re using it for.

You should respect any duty of confidentiality you owe, and you should not routinely disclose a person’s COVID status unless you have a legitimate and justifiable reason to do so.

If you do collect this information, you must ensure that it’s kept securely and shared only with specific people who need to access it. It must also be kept for no longer than necessary, and you should not use the data in ways people would not reasonably expect.

In most circumstances, you probably only need to make a check of someone’s COVID-19 status or Pass and would not need to retain any information.

That said, if you are collecting this information, we recommend you regularly review whether it’s still needed and ensure you are complying with your data protection obligations to minimise any risk of being in breach.


Please note that the above does not constitute advice from the Berwins Employment Team and is for information only. If you require any specific advice or support on this area or any other COVID-19-related employment issues, please call Mike Patterson on 01423 542778, or email mikepatterson@berwins.co.uk.

