Written by Zlatko Delev

Posted on: March 29, 2021

Can I collect data about whether my employees are vaccinated against COVID-19?

Before you decide to collect your employees’ vaccination status, you should be clear about what you are trying to achieve and how recording staff vaccination status will help you to achieve this. Whether your employee has been vaccinated is their private health information and is therefore special category data. Your use of this data must be fair, necessary and relevant for a specific purpose.

Data protection is only one of many factors to consider when asking employees whether they have received the COVID-19 vaccine. You should take into account:

  • employment law and your contracts with employees;
  • health and safety requirements; and
  • equalities and human rights issues.


You should also consider other regulations in your industry and the latest government guidance for your sector.

Your reason for recording your employees’ vaccination status must be clear and compelling. If you have no specified use for this information and are recording it on a ‘just in case’ basis, or if you can achieve your goal without collecting this data, you are unlikely to be able to justify collecting it. You should also take into account that accepting the offer of a vaccine is a personal decision which could be influenced by a number of factors. When deciding whether to record this data, you should also consider current public health advice about the vaccine and government guidelines.

The sector you work in, the kind of work your staff do and the health and safety risks in your workplace should help you to decide if you have compelling reasons to record whether your staff have had the COVID-19 vaccine. For example, if your employees:

  • work in a health and social care setting or somewhere they are likely to encounter those infected with COVID-19; or
  • could pose a risk to clinically vulnerable individuals,

this may form part of your justification for collecting employee vaccination status. However, if you only keep on record who is vaccinated for monitoring purposes, it is more difficult to justify holding this information.

The collection of this information must not result in any unfair or unjustified treatment of employees and should only be used for purposes they would reasonably expect. You should treat staff fairly and if the collection of this information is likely to have a negative consequence for an employee, you must be able to justify it. When considering fairness, you should remember that different people are offered the vaccine at different times and some people may not yet have been offered a vaccination.

If the use of this data is likely to result in a high risk to individuals (eg denial of employment opportunities) then you need to complete a data protection impact assessment.

Hope you find this useful. If you need an EU Rep, have any GDPR questions, or have received a SAR or Regulator request and need help then please contact us anytime. We are always happy to help...
GDPR Local team.
