What Do COVID Vaccination Records Mean for Data Privacy?

By Llinos Bradley, Senior Data Protection Consultant at Gemserv (https://gemserv.com)

In November last year, the UK Government announced that the COVID-19 vaccination would become a condition of employment for all health and social care workers. Yet just three months later, they went back on their decision, for fear of losing over 80,000 unvaccinated NHS healthcare staff as a result. Losing thousands of health workers would have had a catastrophic impact on an already overstretched workforce and would seriously compromise the quality of patient care.

From the 31st January 2022, it was announced by the Secretary of State for Health and Social Care that Covid-19 vaccinations would no longer by compulsory for NHS healthcare staff. After a period of consultation, the regulations were removed from all health & social care on the 15th March. However, this decision has sparked fresh debate and worries regarding data privacy, especially if vaccination status comes to be used in the future as a condition of deployment.

Where does data privacy fit in in issuing compulsory vaccinations as a condition of deployment?
Data protection and employment legalisation is put in place to protect employees from potential discrimination on the basis of their health status. In this case, stating the COVID-19 vaccination as a condition of deployment for health care workers was a major deviation from data privacy regulations.

NHS employers are still at liberty to ask for an employee’s vaccination status, however, particularly if there is COVID-19 outbreak, as hospitals still have responsibilities to control infections as this is still in line with current health related legislation. In some cases sensitive employee data may have already been collected, analysed and included in staff records, which would have been used to assess whether a staff member was aligned with the regulations. In instances such as these, revoking the regulation raises questions about information that has already been collected and used.

What potential data privacy risks does vaccination data present to the health sector?
At present, NHS employers can still legally hold health data, including vaccination status, which falls under ‘special category’ data under UK GDPR stipulation. The catch is that processing this ‘special category’ data is viewed as an invasion of privacy, meaning that employees may ask for this information to be destroyed. In these circumstances, information collected could have already had an impact on staff, so would now form part of a formal record and therefore need to be retained.
Organisations need to have a legal basis to store personal information as a result of the revocation.

Employers need to ensure that all data privacy protection requirements have been factored in from the start of the data collection process. If staff groups are not correctly defined from the offset, for example, employers could risk accusations of discrimination. Groups that aren’t included within existing HR records, such as suppliers or student/trainee workers that aren’t on the organisations payroll, for instance, could be in contact with patients, and may need to review information on infection, prevention and control measures in order to protect both the workforce and patients to reduce the risk of transmission.

There are some circumstances, however, where healthcare employers have legitimate reasons for retaining employee data. If evidence required for the Government’s intended update to the Code of Practice on the prevention and control of infections, for example, which applies to Care Quality Commission registered health and social care providers in England, is realised, this will look at strengthening its requirements in relation to COVID-19 and could include data that has already been collected. If, in the future, full vaccination status was made compulsory for all healthcare staff, there would still need to be a choice for individuals, but also a clear legal obligation to collect, use and retain vaccination data either way.

What rights do NHS staff who resigned before the initial 3rd February deadline have?
When the government first announced that all healthcare staff would need to have had their second vaccine by the 1st April to maintain their employment status, this would mean that staff would have needed to have had their first dose no later than the 3rd February. NHS Guidance states that employers should offer workers who may have handed in their resignation before this date the option to withdraw or pause their notice period until the consultation and Parliamentary process is confirmed.

Additionally, for staff who may have left their role as a direct result of the initial regulation, NHS employers can extend an offer to re-appoint individuals to their role.

The NHS England and NHS Improvement viewpoint is that staff have a professional duty to be vaccinated, and that NHS employers should continue to encourage their staff to ‘drive vaccine confidence’ and to ‘protect themselves and everyone else’. Ultimately, vaccination as a condition of deployment is a challenging, complex call – we have to take into consideration the wellbeing of the general public, the rights of individuals and the ongoing health risk of COVID-19. Employers need to make sure that they are transparent and fair when relaying to staff how their sensitive information will be used, to ensure they are not penalised further down the line.

What organisations should do now

The Control of Patient Information Regulations 2002 (COPI) notice that allowed the processing of such data expired on 30th June 2022 and as the Vaccination as a Condition of Deployment legislation was also revoked on 15th March 2022, organisations wishing to continue to collect workforce flu and Covid-19 vaccination status data must:

• Carry out or review their own Data Protection Impact Assessments (DPIAs),
• Ensure that they have satisfied their own transparency requirements, and
• Ensure that they have the necessary consent.

Depending on Government policy from 1st July 2022, organisations (as data controllers) will need to review the basis on which they are holding the data.

Sign up for all the latest news from The Carer!

Sign up to receive the latest issues, along with highlights of the latest sector news and more from The Carer, delivered directly to your inbox twice a week!