Vaccinations

Last updated: 30 June 2021

In June 2021, the Bailiwick of Guernsey started sending islanders paper-based vaccination certificates.
Below are some issues that may arise, and advice on how to navigate them. 

Remember these two principles: 
1.    data protection does not stop you sharing information about people where it is necessary and proportionate to do so.  
2.    accepting a vaccination is a personal decision which could be influenced by several factors, and a person may legitimately want their status to remain private. 

The Q&A below is based on official guidance issued by the UK’s Information Commissioner’s Office, but has been modified where necessary to address Bailiwick law. 

Can I collect data about whether my staff are vaccinated against COVID-19?
Before you collect your employees’ vaccination status, you need to document and be clear with your staff:
1.    what you are trying to achieve, and 
2.    how recording staff vaccination status will help you to achieve this. 

Whether someone has been vaccinated is their private health information and is therefore ‘special category data’ which means it must be treated with greater care than less sensitive information. Your use of this data must be fair, necessary and relevant for a specific purpose.

You will need to consider other factors besides data protection when asking employees whether they have been vaccinated, such as: 
•    local employment law and your contracts with employees;
•    health and safety requirements; and
•    equalities and human rights issues.

You should also consider other regulations in your industry and the latest government guidance for your sector.

Your reason for recording your employees’ vaccination status must be clear and compelling. If you have no specified use for this information and are recording it on a ‘just in case’ basis, or if you can achieve your goal without collecting this data, you are unlikely to be able to justify collecting it. You should also take into account that accepting the offer of a vaccine is a personal decision which could be influenced by a number of factors. When deciding whether to record this data, you should also consider current public health advice about the vaccine and government guidelines.

The sector you work in, the kind of work your staff do and the health and safety risks in your workplace should help you to decide if you have compelling reasons to record whether your staff have had the COVID-19 vaccine. For example, if your staff:
•    work in a health and social care setting or somewhere they are likely to encounter those infected with COVID-19; or
•    could pose a risk to clinically vulnerable individuals,

this may form part of your justification for collecting staff vaccination status. However, if you only keep on record who is vaccinated for monitoring purposes, it is more difficult to justify holding this information.

The collection of this information: 
•    must not result in any unfair or unjustified treatment of employees and 
•    should only be used for purposes they would reasonably expect. 

You should treat staff fairly and if the collection of this information is likely to have a negative consequence for a member of staff, you must be able to justify it. When considering fairness, you should remember that different people are offered the vaccine at different times and some people may not yet have been offered a vaccination.

If use of this data is likely to result in a high risk to individuals (for example: denial of employment opportunities) then you need to complete a ‘data protection impact assessment’ in accordance with section 44 of the local data protection law.

What 'lawful basis' should I use to record my staff’s vaccination status?
Vaccination status is health data, which has the protected status of ‘special category data’ under data protection law, meaning it requires extra protection. You must determine and document a ‘lawful processing condition’ for using special category data before you collect any information from people about their vaccine status.

Here is a list of lawful processing conditions you may be able to use (from Part II or III of our local law). 
Note: if you opt to use the ‘health / social care’ condition, the processing of this data must only be carried out by qualified healthcare professionals or persons who in the circumstances owe an equivalent duty of confidentiality. If you opt to use the ‘public health’ condition, appropriate safeguards for the individual’s significant interests must be put in place.

The Committee for Home Affairs approved a number of specific ‘authorised processing conditions’, one of which may be relevant in this context.
Processing of special category data in an employment context, where required by law or to exercise a power conferred upon you by law, is specifically authorised. In order to rely on this you would need to document the legal obligation you are relying upon and be clear that it relates to the individual’s employment. This may be appropriate where you have an obligation under health and safety legislation to ensure a safe workplace for employees or staff. You would need to demonstrate that this is over and above the usual measures to ensure a safe workplace such as social distancing, mask wearing or good hygiene.

‘Consent’ is rarely appropriate in an employment setting given the imbalance of power between the employer and the member of staff. However, ‘explicit consent’ (different to ‘consent’) can be used provided you meet all these conditions: it must be freely given, specific, affirmative (opt-in) and unambiguous, and able to be withdrawn at any time. In practice, the extra requirements for consent to be ‘explicit’ in the context of vaccination status are likely to be:
•    explicit consent must be confirmed in a clear statement (whether oral or written), rather than by any other type of affirmative action; 
•    it must specify the nature of the special category data; and 
•    it should be separate from any other consents you are seeking.

What else do we need to do if we collect information about whether staff, customers and visitors are vaccinated?
If you decide that recording whether your staff, customers or visitors have had a COVID-19 vaccine is justified and lawful, you must be open and transparent with all those involved. You must make sure that people understand why you need to collect this information, and what you’re using it for.

You should accurately record the information that you collect and ensure that the collection and storage is secure. You should respect any duty of confidentiality you owe and you should not routinely disclose a person’s vaccine status unless you have a legitimate and compelling reason to do so.

If you are recording vaccination information, you must ensure that you do not hold the information for longer than is necessary, and do not use the data in ways people would not reasonably expect.
You should regularly review whether you still have grounds for the collection and retention of this information as the vaccination roll-out progresses and more people receive the vaccine. This should include monitoring the latest government and scientific advice on the vaccine roll-out, who should be collecting or checking vaccination information and COVID-19 restrictions.

Can we collect information about whether our customers or visitors have been vaccinated against COVID-19?
First, you should consult the States of Guernsey’s most recent guidance.  

In the Bailiwick of Guernsey, starting in June 2021, anyone for whom 14 days have passed since their second vaccine dose should have received a paper-based vaccine certificate, which they can use as they wish to provide proof of their vaccine status (e.g. for travel purposes).
 
Next, consult health and safety requirements as well as giving due consideration to any relevant equalities and human rights issues. This will help you identify circumstances under which you should be collecting vaccination information and inform relevant safeguards.
Under data protection law, you must demonstrate that the collection of this information is necessary, proportionate and fair. That means knowing if you really need the vaccination information or whether there are alternative, less intrusive, measures you could use instead. For example, if your aim is to reduce the risk of transmission among customers and staff, would social distancing, mask wearing and good hygiene meet the same aim?

Performing a ‘data protection impact assessment’ (DPIA) will help you identify and minimise the data protection risks. If you can’t demonstrate that your approach is necessary, proportionate and fair, then it is unlikely that collecting this information will be appropriate.
If you can meet the test, there are other things still to consider.

This includes how you intend to collect the vaccination data. A visual check of someone’s device or hard copy, or a verbal confirmation, is not processing if you don’t keep a record of the information, and does not fall under data protection law.
Regardless of how you record an individual’s vaccine status, you must be particularly careful how you handle this data by keeping it secure and ensuring confidentiality. That’s because information about a person’s health is particularly sensitive and classed as ‘special category data’ under data protection law. ‘Special category data’ requires extra protection. You must determine and document a ‘lawful processing condition’ for using special category data before you collect any information from people about their vaccine status. Here is a list of lawful processing conditions you may be able to use (from Part II or III of our local law). Note: if you opt to use the ‘health / social care’ condition, the processing of this data must only be carried out by qualified healthcare professionals or persons who in the circumstances owe an equivalent duty of confidentiality. If you opt to use the ‘public health’ condition, appropriate safeguards for the individual’s significant interests must be put in place.