As employers consider whether and how to implement a COVID-19 vaccination policy in the workplace, their employees' privacy is also an important consideration that should be front of mind.

In this article of our COVID-19 vaccination series, we explore the impact of South Africa's main data protection law, the Protection of Personal Information Act, 2013 ("POPIA") on the implementation of a vaccination policy in the workplace.

At its core, POPIA prescribes how public and private bodies may "process" personal information and special personal information as defined in POPIA. POPIA defines the "processing" of personal information broadly to include the collection, receipt, recording, organisation, collation, storage, updating or modification, retrieval, alteration, consultation or use; dissemination by means of transmission, distribution or making available in any other form; or merging, linking, as well as restriction, degradation, erasure or destruction of information.

Employees' information acquired during the course of a vaccination process or programme will usually be regarded as personal information or special personal information. As a result, employers who adopt and implement COVID-19 vaccination policies in their workplace will inevitably process personal information as contemplated by POPIA.

Employers will therefore need to comply with POPIA when processing employees' vaccination information by, for example, requesting employees or potential employees to disclose their medical or vaccination history, storing and/or collating such information.

Limitations on processing medical information

Special personal information, which includes health information, may be processed only if the employee consents (which is considered the "safest" ground for processing), or processing is necessary for the exercise of a right or obligation in law, or it is necessary to comply with an obligation of international public law.

Where an employee has not consented to the processing of their medical information, an employer would have to prove that the processing is necessary for the establishment, exercise or defence of a right or obligation in law, or to comply with an obligation of international public law, or that it is in the public interest.

An employer would likely struggle to argue that processing the employee's medical information would be in the public interest, and there are currently no such rights in law or international public law obligations to this end. However, an employer may be able to rely on its statutory health and safety obligations, which require the processing of information, to argue that such processing constitutes the exercise of a right or obligation in law.

Storing personal information

POPIA requires employers to ensure the integrity and confidentiality of the personal information in their possession or under their control by taking appropriate and reasonable technical and organisational measures to prevent the loss of, damage to or unauthorised destruction of personal information and unlawful access to or processing of or dissemination of personal information.

If an employer intends to store any of its employees' medical information with third parties, it must ensure that the third parties process the employees' personal information only with the knowledge or authorisation of the employer, and that they treat such personal information as confidential and do not disclose it.

The employer must also ensure that third parties who store the employees' personal information have the requisite security measures in place to safeguard employees' personal information.

Mandatory vaccination policies

To comply with POPIA, employers must ensure that their vaccination policies deal with:

  1. how the employees' personal information will be processed;
  2. notification to the employees of the collection of their personal information;
  3. the purpose for which their personal information is being processed;
  4. whether the supply of the personal information is voluntary or mandatory;
  5. the consequences of a failure to provide the information;
  6. whether the employer intends to transfer the personal information to a third party;
  7. how the personal information would be safeguarded;
  8. how the employees may gain access to their personal information being processed by the employer; and
  9. how employees may object to the processing of their personal information.

Employers have only until 1 July 2021 to ensure that they are fully compliant with POPIA. Where they have not done so already, it is vital that employers take the relevant steps and seek legal advice where necessary to ensure that their current policies are both POPIA-compliant and applied to information acquired as a result of employees being vaccinated.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.