ARTICLE
8 December 2021

Data Protection Commission Issues Updated Guidance On Processing COVID-19 Vaccination Data

AC
Arthur Cox

Contributor

Arthur Cox is one of Ireland’s leading law firms. For almost 100 years, we have been at the forefront of developments in the legal profession in Ireland. Our practice encompasses all aspects of corporate and business law. The firm has offices in Dublin, Belfast, London, New York and Silicon Valley.
The Data Protection Commission has issued updated Guidance on Processing COVID-19 Vaccination Data in the context of Employment and the Work Safely Protocol here.
Ireland Employment and HR

The Data Protection Commission has issued updated Guidance on Processing COVID-19 Vaccination Data in the context of Employment and the Work Safely Protocol here.

While the substantive advice on processing vaccination status data has not changed (it is not necessary and legitimate to process vaccination status in order to manage COVID-19 in the workplace), the Guidance now specifically states that if the public health advice was to change in this regard, then that could potentially provide a legitimate basis for such processing by employers. Helpfully, it also notes that the primary source of public health advice in this context is the Work Safely Protocol here. It also states that the Guidance will be further updated should public health advice change.

The Guidance refers to the concept of data minimisation and points out that: the full suite of the infection prevention and control measures set out in the Protocol should be considered before making any assessment as to whether knowledge of vaccination status is necessary. Employers should implement all such measures that avoid processing the personal data of employees in the first place.

It reiterates that the Protocol makes it clear that the decision to get a vaccine is voluntary, which "suggests that COVID-19 vaccination should not in general be considered a necessary workplace safety measure and consequently, the processing of vaccine data is unlikely to be necessary or proportionate in the most employment contexts". It then considers certain specific employment contexts within which the processing of vaccination status data may be deemed necessary, subject to a risk assessment and with reference to sector-specific public health guidance (for example, as provided for under the Safety, Health and Welfare at Work (Biological Agents) Regulations 2013 and 2020 or in the provision of healthcare services, where vaccination can be considered a necessary safety measure, based on relevant sector specific guidance).

It also reminds that employees should not be asked to consent to the processing of vaccine data, as this consent is not likely to be freely given due to the imbalance of power between parties.

Finally, the Guidance makes it clear that, in the course of carrying out their public health duties, a Medical Officer of Health may require access to the vaccination status of employees, which may occur where an outbreak has been identified in a workplace, and is specifically permissible under data protection law where carried out on a case-by-case basis, subject to the determination of necessity and at the request of the Medical Officer of Heath.

This article contains a general summary of developments and is not a complete or definitive statement of the law. Specific legal advice should be obtained where appropriate.

Find out more and explore further thought leadership around Employment Law and Labour Law

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More