With the COVID-19 vaccination rollout process being well under way in Malta, a glimmer of light at the end of the tunnel is starting to become apparent and the possibility of employees returning to their workplace is becoming more realistic.

Accordingly, it would be wise for employers to look into some data protection questions which may arise in this regard.

This article sets out to provide employers with guidance on the collection of data concerning their employees’ COVID-19 vaccination, in line with the General Data Protection Regulation (“GDPR”).

Can employers require employees to disclose their vaccination status?

Employers should be aware that the employees’ vaccination status is classified as health data and consequently is a special category of data which means that it is sensitive data by nature and merits higher protection.

At the outset, one is to note that the Office of the Information and Data Protection Commissioner (“IDPC”) has pronounced that the collection by employers of employees’ COVID-19 vaccination status may take place so long as such collection is made in accordance with the GDPR.

On 29th April 2021, the IDPC issued guidelines on the data protection aspects related to the collection of employees’ COVID-19 vaccination status, in order to assist employers in this regard.

The processing of health data requires the identification of an additional condition besides the lawful grounds generally required for the processing of personal data. In the case of health data, such an additional condition is satisfied where, for instance, the data is processed for specific employment or public health purposes, or for the purposes of the management of health or social care services and systems. The processing of health data is also lawful when it is intended to protect the vital interests of data subjects, including through the control of an epidemic.

On this basis, the employer may reasonably argue that the collection of the employees’ health data is required to ensure a safe workplace for the employees.

In the context of employment relationships, these conditions for processing health data would be more appropriate than merely obtaining consent from the employees to process the data due to the imbalance of power involved between the employer and the employees. In fact, in cases of a clear imbalance of power, consent given by data subjects for the processing of their personal data is deemed not to be freely given and therefore cannot be relied on.

The employer must ensure that there are justifiable, clear and compelling reasons for the collection of the employees’ vaccination status. These reasons are to be disclosed to the employees in a manner which is easily accessible and easy to understand. Personal data should be collected and processed by the employer strictly in line with such purposes. For instance, the collection of employees’ vaccination status would be unjustifiable if such information is merely used for monitoring purposes. In addition, the collection of such information must not lead to discriminatory or unjustifiable treatment of employees.

More legitimate and compelling reasons for an employer to collect employees’ vaccination status would be, for example, if the employees’ duties involve constant travelling from one country to another, especially so if certain countries impose travel restrictions on non-vaccinated persons. This is also true for sensitive work environments where the employees are in constant contact with extremely vulnerable people on a daily basis.

What should the employer do prior to collecting employees’ COVID-19 vaccination status?

Prior to collecting employees’ COVID-19 vaccination status, the employer must adopt a risk-based approach and must carry out an assessment on the impact which the processing of employees’ health data will have on their rights and freedoms. Through this assessment, the employer would ensure that the processing of employees’ health data will be made in accordance with the data protection principles laid down in the GDPR.

Whenever the assessment shows that the processing of employees’ health data poses a high risk to the employees’ rights and freedoms, the employer must proceed to carry out a fully-fledged Data Protection Impact Assessment (“DPIA”).

A DPIA requires the employer to weigh the benefits of collecting such data against the impact of processing on the employees’ rights under the GDPR in order to minimise the risks involved. The DPIA assists the employer to determine whether or not the level of risk is acceptable in the circumstances, taking into consideration the envisaged benefits of the processing of employees’ health data.

Any assessment carried out by the employer prior to the processing of employees’ health data must be duly recorded. Additionally, the employer must carry out continuous reviewing in order to ensure that data is not kept longer than is necessary.

What should an employer do once sensitive data is collected from the employees?

Once sensitive data is collected, the employer must ensure that this data is stored in a secure place and must remain confidential, unless there exist legitimate and compelling reasons to disclose it. Moreover, a particular employee’s health data should be kept separate from other information about the same individual.

Once health data is being collected by an employer, it is strongly recommended that the employer’s privacy policy is updated in order to outline details of the processing of this special category of data, being sensitive data. The privacy policy must specify the duration for which the employees’ vaccination status will be held, and where the data is being shared with third parties, the privacy policy must state the legitimate reasons justifying such disclosure. Data processing agreements should always be entered into with such third parties.

Throughout the processing activity, employees should remain in control of their personal data. To this end, the employer must provide the employees with clear information as to how they may exercise their rights in relation to such processing.
In the light of the above, while the processing of employees’ health data by the employer is possible, processing of such sensitive data must be carried out in accordance with the GDPR. This can only be achieved if the right balance is struck between the employer’s need to collect such health data and the duty to safeguard the employees’ rights. To this end, a risk-based approach must be adopted by the employer.

Should you require any further guidance in this regard or assistance in the drafting and updating of your privacy policies feel free to get in touch with us on info@davidzahra.com.