In the midst of a third wave of the COVID-19 pandemic, with vaccines being hailed as the only way to control the rising number of positive cases, a common question that we are often being asked is whether employers can request their staff's personal data in relation to their vaccination status, and whether/how the employer can store such personal data.

The Office for the Information and Data Protection Commissioner (the 'IDPC') has published guidelines on the data protection aspects related to the collection of employees' COVID-19 vaccination status (the 'Guidelines'). This article will briefly explain the Guidelines, and shall attempt to answer certain questions which should be on every employer's mind.

Why are these Guidelines Important?

It is important to note that pursuant to Article 9 the General Data Protection Regulation (the 'GDPR') information related to the vaccination status is considered health-related personal data, and as a result, falls within the remit of special categories of personal data, which merit enhanced protection and safeguards.

The Guidelines

The Guidelines, published on the 29th of April 2021, target employers established in Malta which act as controllers and intend to collect information about the COVID-19 vaccination status of their employees.

Employers who are interested in collecting such personal data must, prior to collection, conduct an assessment on the impact of the proposed processing activities. Employers need to make sure they satisfy the principles established in Article 5 of the GDPR, namely lawfulness, fairness, transparency, purpose limitation, data minimization, accuracy, storage limitation, integrity, confidentiality, and accountability. The Guidelines provide an explanation of the manner in which the latter principles are to be assessed and applied to the matter of the processing of vaccine status of employees. Notably, if this assessment proves that the processing of the data collected will likely be of high risk to the rights and freedoms of the employees, the employer is obliged to hold a complete data protection impact assessment.

In essence, the Guidelines explain how employers intending to collect and process such information should act on the basis of a risk-based approach.

What are the Employer's obligations?

It is vital that employers act lawfully, fairly and in a transparent manner. Thus, an employer must make sure to take into account all the necessary considerations on a case-by-case basis while being wholly transparent with the employees throughout the entire process. An employer must first establish that it can justify the collection of such data without relying on the employee's consent, prior to proceeding with processing of the data. The data can be processed for the declared purpose and not for any secondary purpose. The Guidelines specify that: "In essence, employers can collect this information only in case they cannot achieve the same purpose without collecting the same information, or in a less intrusive manner. Hence, employers shall clarify and duly document what they intend to achieve by collecting information about the vaccination status before any concrete processing operation is discharged."

The employer also needs to make sure that the data collected is limited to that which is relevant, adequate, and necessary and that the data collected is not only accurate but also kept up to date. It is essential for the employer to determine the necessary period of time for which the information needs to be kept and the data such be securely erased once this time lapses.

Are other Precautions Required?

Integrity and confidentiality are of utmost importance. The employer must ensure that appropriate technical and organisational measures are in place to prevent access to vaccine data unless strictly necessary.

Furthermore, information about the vaccination status from employees should be collected without collecting copies of actual medical certificates, unless strictly necessary.

Employers must also ensure that no unfair, discriminatory or otherwise unjustified treatment of employees results from the processing of information about the vaccination status of the employees, otherwise such processing operation would breach the principle of fairness and should not be carried out.

Drawing up a Policy

One final but fundamental point is that employers should document the processing of any vaccine data by drawing up a policy in this regard. This is also an important transparency tool to explain to employees how their vaccine data is to be processed. The policy should as a minimum identify:

  • the reasons, justifications and purposes for processing;
  • whether and why employees will be asked to show a vaccination certificate;
  • possible actions to be taken based on whether the employee has the vaccination or not (as mentioned it is important not to act in a discriminatory manner in this respect);
  • where information will be stored, who it will be shared with and who has access to it; and
  • how long the information is to be stored.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.