Outlining the risk
The number of people in the UK that have received the Covid-19 vaccine is now over 12 million. As the number rises, employers may wish to keep track of their staff that have been vaccinated, or even encourage them to be vaccinated. However, information about individuals’ health is a special category of personal data that is tightly regulated by data protection law. This inherent sensitivity means that the UK data protection authority will treat the misuse of health data as a serious matter. Any employer that is considering monitoring staff vaccinations must be aware of the risks and ensure that they act in accordance with applicable data protection law.
Outlining the implications
Since 1st January of this year, the handling of ‘personal data’ (that is, information by which a living individual may be identified) is regulated in the UK by the ‘UK GDPR’, as supplemented by the Data Protection Act 2018. The UK GDPR treats personal data relating to health as one of the ‘special categories of personal data’, which require a high standard of care. In particular, organisations must establish a lawful basis for handling this type of information. One such lawful basis is consent, however valid consent must be freely-given and capable of withdrawal at any time. This is problematic in an employee / employer relationship as the employee may not have a genuine choice, in which case, any purported consent would be invalid. Processing without a lawful basis would be in breach of the legislation, and could result in enforcement action and in the worst instances, substantial fines. Further, affected employees could potentially bring a claim against their employer for compensation where their information has been misused. An isolated claim may be of limited concern, but a group litigation claim that includes hundreds or thousands of disgruntled employees would be a different story.
Offering practical steps companies can take to ensure their policies around vaccine data are in line with the GDPR.
Employers must recognise that details of employees’ vaccination status is sensitive information that is regulated. They must understand their obligations under the UK GDPR and the Data Protection Act 2018, and ensure that they comply with them. This area of the law is complex and evolving, however, ignorance is no defence.
Can employers force staff to have the COVID-19 vaccination?
No. The Government has not made vaccination mandatory, so forcing staff to be vaccinated without their consent would constitute criminal assault and battery and it is also likely to be deemed a repudiatory breach of any employment contract.
“No jab, no job”: can it hold?
Employers should tread carefully when considering implementing a blanket mandatory vaccination policy. A requirement to be vaccinated could potentially be a ‘reasonable instruction’ by an employer, depending on the circumstances of the business. For example, a requirement to be vaccinated may be a reasonable request in the healthcare and care home sectors. In these circumstances, an employee who unreasonably refuses to be vaccinated could, in theory, be fairly dismissed. However, the employer should consider whether there is an alternative to dismissal, such as assigning the employee to another role or permanent home-working. By contrast, in sectors such as professional services, where employees have been able to work from home effectively during the pandemic, it will be much more difficult for an employer to show that a policy requiring employees to be vaccinated is reasonable (although it may be reasonable for an employer to say that only vaccinated employees can attend the office – see below).
A blanket vaccination policy may also expose the employer to the risk of discrimination claims. It may be that any such policy unfairly impacts workers with (for example) a particular disability or religion, or those who are pregnant. A mandatory vaccination policy would need to be justified and proportionate in mitigating any health and safety risks posed by the Covid-19 virus and any defence is likely to be dependent on the nature of the business and the context for requiring any such policy.
Can employers refuse unvaccinated staff entry to their offices?
Yes, potentially. Such approach may be part of any employer’s health and safety risk assessment. An employer is more likely to be able to justify a policy refusing unvaccinated staff entry to their own offices than a mandatory vaccination policy, especially in businesses where staff can work remotely. However, the proportionality of a policy refusing unvaccinated staff entry to the office may change over the months ahead if, as hoped, vaccinations have the effect of reducing the rate of infection and the number of Covid cases in the UK. For example, if the UK reaches a state of ‘herd immunity’, a policy preventing unvaccinated staff from returning to the office may be disproportionate to any risk associated with being in the office. For businesses that operate in a multi-occupancy office, consideration should be given to the other occupiers and, indeed, the landlord may have a view/policy on allowing only those who have been vaccinated into the building as part of its health and safety policy concerning the common parts, lifts etc.
What are employee rights with regard to refusing the vaccine e.g. in their contracts?
It is unlikely that an employer will currently have the contractual right to require an employee to be vaccinated. In the absence of such a right, in order to make the Covid vaccination an express legal requirement for employees, an employer would need to set out a vaccination clause by way of a variation to the employee’s contract of employment, explaining the business reason for the variation with a view to reaching an agreement with the employee. If an employer were to unilaterally vary the employee’s contract, they would likely be in breach of contract, and the employee may be entitled to resign and claim constructive unfair dismissal.