Employers in the Cayman Islands are faced with a new challenge: how do we keep our doors open and our staff safe? In an effort to achieve this, some employers have been asking staff to disclose whether or not they have taken the COVID-19 vaccine.

HSM Paralegal Cory Martinson explores if employers are legally able to record this data and areas that should be considered:

Q: Does the Data Protection Act (2021 Revision) (DPA) apply if I want to record the vaccination status of my employees?

A: Absolutely, the DPA applies. Any information about your employees is personal data under the DPA. Vaccination information is medical data, which falls under the definition of sensitive personal data in the DPA. This means an employer must meet stricter legal requirements before processing. Processing is broadly defined as recording, holding, obtaining or carrying out any operations on the personal data.

Q: What is meant by "stricter legal requirements" when it comes to processing sensitive personal data?

A: Under the DPA, to legally process sensitive personal data the data controller (i.e. the employer) must identify a legal basis for processing from both Schedule 2 and Schedule 3 of the DPA.

Additionally, the more sensitive the personal data the more security is required to ensure against unlawful processing. Security measures can include policies, access controls, technical and physical measures.

Q: What are the appropriate legal bases for processing sensitive personal data under Schedule 2 and 3 in this context?

A: The appropriate legal basis for processing will vary depending on the specific employer, the employee's position within the organization and any legal framework to which the employer must adhere. For example, there will be a stronger legal basis for knowing the vaccination status of an ICU nurse than a dump truck driver. Legal frameworks will be employment sector specific but the Labour Act (2021 Revision) has a general requirement under section 58 that "Every employer shall ensure so far as is reasonably practicable the health, safety and welfare at work of that person's employees." This may provide a legal basis for processing; however, an argument exists that the interpretation of the words "necessary" and "reasonably practicable" is open to distinction.

Q: Is the collection of vaccination data a reasonably practicable measure and, if so, is the collection of the vaccination data then necessary as required by the DPA?

A: The answer to this question will vary from employer to employer as well as between occupations. However, before asking this question the organization should first consider less privacy intrusive means of achieving the same goal. For example, can the risk to employees be sufficiently reduced through mandatory mask requirements, social distancing and hand hygiene? Can employees work from home or alternate between home and the workplace so not all employees are in the workplace at once? Is a blanket policy necessary or is a more strategic approach just as effective but less privacy intrusive? There is no "one size fits all" solution. If in doubt, you should seek legal advice.

Q: What are the possible repercussions to my organization if I collect vaccination data in contravention of the DPA?

A: If the Ombudsman receives a complaint, or initiates their own investigation, and finds that the business is not in compliance with the DPA, they can issue an Enforcement Order which may require the cessation of processing and that the data be destroyed. Non-compliance with an Enforcement Order is an offence and the business and/or director(s) could face a fine of up to $100,000KYD or imprisonment for up to five years, or both, as a result of court proceedings. Enforcement Orders are routinely published on the Ombudsman's website so this type of enforcement action also has a high likelihood of becoming public knowledge.

Additionally, if there has been a "serious contravention" of the DPA and "the contravention was of a kind likely to cause substantial damage or substantial distress" the Ombudsman may levy a monetary penalty of up to $250,000KYD.

Under section 13 of the DPA an individual who has suffered damage as a result of a contravention of the law also has a cause of action for compensation against the organization. It should be noted that courts in the European Union have now recognized that damages include mental distress.

Conclusion

Vaccination status and data protection laws worldwide are a rapidly evolving area of jurisprudence. Some governments are taking legislative measures to mandate vaccinations in an attempt to provide a degree of certainty, and it is only in the event of a judicial challenge that more "comprehensive" legal guidance will be available.

As we navigate through this COVID-19 era, HSM strongly encourages people to reach out to their legal advisors to assess whether or not they are within their legal rights.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.