New Ways of Working

Explore and keep track of key legal and compliance considerations for multinational employers as new ways of working become increasingly embedded and the pandemic begins to recede. Learn more about the response taken in specific countries or build your own report to compare approaches taken around the world.

11. What are the key privacy considerations employers face in relation to ascertaining and processing employee medical and vaccination information?

Argentina

  • at MBB Balado Bevilacqua

According to Resolution No. 4/2021, employees may present a reliable proof of vaccination, or state (as an affidavit) the reasons why they were not able to take a vaccine, as applicable. Therefore, employers are entitled to enquire about an employee’s vaccination status (even though it is considered sensitive data according to PDPL).

However, employers may not use this information to discriminate between employees, as this may expose the employer to potential claims and, eventually, constructive dismissal liability.

In addition, employers may collect and store such documentation according to the provisions established in PDPL (please see question 2 above).

As mentioned previously, it is recommended that employers request the information in Spanish to avoid unnecessary misinterpretation. If the employee does not speak Spanish, it is also recommended that a dual-language version is used. The Spanish version will always prevail in the event of a dispute.

Last updated on 21/09/2021

Australia

  • at People + Culture Strategies

Employee privacy is generally protected under both international privacy laws and, in most cases, national-level laws that protect against intrusion of individual privacy and regulate the collection, storage and use of personal information.

Australian employers will only be able to collect information about an employee’s vaccination status in very limited circumstances, and generally only if the employee consents and where the collection of that information is necessary to maintain a safe workplace.

Employers in certain sectors, such as health, aged and disability care, may be allowed to collect information about a worker’s vaccination status without consent, as such collection may be required or authorised by law to ensure the safety of vulnerable potential contacts within facilities in those sectors.

Last updated on 21/09/2021

Austria

  • at Littler

It is the opinion of the data protection authority that a targeted question about an employee’s vaccination status is not covered by the legal framework, as two other equivalent methods are currently provided to prove a low epidemiological risk at the workplace (3-G rule).

In practice, however, it will be possible for employers to leave it up to employees to disclose their vaccination status of their own accord.

Employers are currently only allowed to randomly check whether workers have been vaccinated, have recovered from COVID-19 or have been tested. The underlying regulation does not create a legal basis for maintaining data and prohibits the unilateral retention of personal data. Best practice has been to leave it up to employees to actively disclose their status to employers.

There are no specific record-keeping requirements. Due to the law, personal data may not be maintained and employees must actively disclose their status and consent to its retention. Personal data may only be stored for as long as it is necessary. Furthermore, the processing of personal data must always be limited to the necessary extent (data minimisation). The general obligations of the GDPR must also be complied with.

Last updated on 31/01/2022

Belgium

  • at Van Olmen & Wynant

Employers are not entitled to ask their employees about their medical or vaccination status. If employers were to require employees to share this information, they would violate the right to privacy of the employees and the rules of the GDPR.

Last updated on 21/09/2021

Brazil

  • at Pinheiro Neto
  • at Pinheiro Neto Advogados

There are two main concerns when dealing with the processing of employees’ medical and vaccination information. The first one relates to the processing itself: under the Brazilian General Data Protection Law, the legal basis for processing that information would be either “protection of life” (eg, a safe and healthy workplace) or “compliance with the law or regulatory rules” to the extent that employers have the legal duty to promote a safe and healthy workplace. Moreover, companies are advised to keep access to information concerning one’s health as limited as possible and for as long as that information is useful (ie, for a determined period). Companies should also collect that sort of information in an anonymous form to mitigate risks in connection with violation of privacy (eg, an unauthorised person who has access to that information).

The second one concerns employers’ ability to enquire about an employee’s vaccination status: there is still no consensus as to the legality of such a practice; however, taking into account employers’ general obligation to ensure a safe and healthy workplace and that labour courts and the Labour Public Prosecutor have considered termination of employees who refused to get vaccinated valid, we understand that there would be grounds to support the legality of ascertaining employees’ medical and vaccination information.

Last updated on 21/09/2021

France

  • at Proskauer Rose

Moreover, regarding the processing of data relating to an employee’s vaccination, the CNIL has not yet issued a directive on the specific subject of the processing of employee vaccination data by employers. Because of their sensitive nature, data relating to employee health are subject to special legal protection: they are in principle prohibited from being processed. Employers, therefore, may not keep a list of vaccinated employees, or disclose the names of those who do not wish to be vaccinated.

In fact, according to the CNIL, "because of their sensitive nature, data relating to a person's health are subject to special legal protection: they are in principle prohibited from being processed. In order to be processed, its use must necessarily fall within one of the exceptions provided for by the GDPR, thus guaranteeing a balance between the desire to ensure the security of individuals and respect for their rights and fundamental freedoms. Moreover, their sensitivity justifies that they be processed under very strong conditions of security and confidentiality and only by those who are authorized to do so.

The exceptions that can be used in the context of work are limited and can generally be based on either:

  • the need for the employer to process this data to meet its obligations in terms of labour law, social security and social protection: this is the case for the processing of reports by employees,
  • the need for a health professional to process such data for the purposes of preventive or occupational medicine, (health) assessment of the worker's capacity to work, medical diagnoses etc.

For these reasons, employers who would like to initiate any steps aimed at ascertaining the state of health of their employees must rely on the occupational health services.

The CNIL points out that only competent health personnel (in particular occupational medicine) may collect, implement and access any medical forms or questionnaires from employees/agents containing data relating to their health or information relating in particular to their family situation, their living conditions or their possible movements."

However, we find these exceptions difficult to apply in the context of covid-19.

For employees subject to mandatory vaccination, the law allows the employer, or regional health agency if applicable, to store the result of the check on the proof of vaccination status.

Please note that the employer may not keep the proof of vaccination. In other words, the employer may not keep the QR code, only the “Yes/No” result of the test. Keeping the result is limited in time (currently until 15 November 2021).

The information thus collected is personal data subject to the General Data Protection Regulation (GDPR).

Last updated on 21/09/2021

Germany

  • at CMS Hasche Sigle

Data that an employer collects to draw inferences about an employee's health is special category personal data. Such data is granted special protection under the General Data Protection Regulation and the German Federal Data Protection Act. The collection and processing of employee health data for the employment relationship is only permitted if the employee consents, or if it is necessary for the exercise of rights or to meet legal obligations under employment law and if there is no reason to assume that the interests of the employee involved in the protection of his or her data prevail. In case of doubt, a distinction will have to be made according to the type of information and the environment in which the employee is employed. Employers are entitled under the temporary amendments to the Infection Protection Act to store and process the personal data on vaccination or immunisation status for up to six months. The data may also be used to adapt the company hygiene policy based on risk assessment, as far as is necessary. Regardless, employers must comply with the requirements of data protection, in particular by taking appropriate and specific measures to protect the health data of the persons concerned in accordance with the GDPR and the German Federal Data Protection Act.

Furthermore, it is permissible to ask whether an employee has symptoms of covid-19. It is equally admissible – albeit contentious – to ask whether a worker is currently ill with covid-19. This is because, without knowledge of the specific danger of an illness, the employer cannot take any special protective measures and might endanger other employees and third parties by employing that employee.

Last updated on 30/11/2021

Greece

  • at Kyriakides Georgopoulos Law Firm

Medical and vaccination information falls within a special category of data (ie, data concerning health) according to article 9 of the GDPR. Against this background, it can only be processed in exceptional circumstances by relying on one of the following potential legal bases:

(i) it is provided for in a specific legal provision as a respective obligation either for employers of a specific sector or for all employers (article 9(2)(b) of the GDPR); 

(ii) it is deemed necessary so that the employer meets their obligation to protect employees’ health and safety in the workplace, under the provisions of article 9(2)(b) of the GDPR and Greek Law 3850/2010; or

(iii) the employee voluntarily discloses vaccination-related information to the employer, so that transmission of data falls within the scope of article 9(2)(a) of the GDPR.

Moreover, employers must comply with fundamental data-processing principles (article 5 of the GDPR) and any other obligation provided for under the GDPR when processing special categories of personal data as data controllers. In particular, data minimisation and storage limitation principles must be observed by employers. In addition, employees have to be previously informed according to article 13 of the GDPR of the processing of their personal data and appropriate technical and organisational measures must be implemented according to article 32 of the GDPR (eg, restricted access to data, confidentiality etc).

Last updated on 21/09/2021

Hong Kong

  • at Lewis Silkin

Employers must ensure that they provide their employees with a Personal Information Collection Statement (PICS) before collecting their personal data in respect of medical and vaccination information, which sets out how they will collect, use and transfer the employees’ medical and vaccination data. It may be that an employer has already issued employees with PICS that cover the provision of medical and vaccination information for the specific purposes now required, but the wording should be carefully checked before relying on it, to ensure it definitely covers the current circumstances.

Under the PDPO, employees should be notified of the purpose for which their personal data is being collected and the personal data should only be used for that purpose. If, once the personal data has been collected, the employer then wants to use it for a different purpose, it will be necessary to seek the employees’ consent to it being used for that alternative purpose. An example may be that an employer notifies employees that it is seeking their medical and vaccination information for monitoring purposes only and later decides that it wants to use that information to devise a return to office strategy and determine whether to dismiss certain employees. In this situation, the employer would need to notify its employees of these alternative purposes and ask each of them to provide their consent to their personal data being used for these new purposes. If the employees refused to provide consent, then the employer would not lawfully be able to use the personal data for the new purposes and, if it did, it would be in breach of the PDPO.

The PDPO also requires employers to obtain no more personal data than is necessary for the purposes it is collected. For example, with a vaccination record, it may not be necessary for the employer’s purposes to know what type of vaccination an employee had and, as such, this information should not be collected.

Employees must also be notified of whether it is mandatory or voluntary to provide their personal data and, if it is mandatory, the consequences if they decline to provide it. For example, with vaccination information, an employer may inform employees that it is mandatory to confirm whether or not they have been vaccinated and, if they decline to do so, they will be treated as unvaccinated for internal policy and strategy purposes.

Employers are required to inform employees of the classes of persons to whom the data may be transferred. For example, if an employer wanted to use vaccination data to provide those who had been vaccinated with some form of benefit, the employer may need to provide the employees’ vaccination data to the third party who provides that benefit. Transferring personal data outside of Hong Kong is not currently prohibited or restricted, but employees should be notified if the data is to be transferred to a third party outside of Hong Kong (eg, a subsidiary or holding company of their employer).

Employees need to be informed of their right to request access to their personal data and employers must take precautions to protect personal data from leakage or unauthorised access, and only retain the data for a reasonable period that is necessary for its purpose.

Last updated on 11/10/2021

India

  • at Nishith Desai

An employee’s medical information and history (in electronic form) is treated as SPDI under Indian privacy law, for which employers need to comply with the applicable data privacy requirements, such as procuring consent from the concerned individuals, adopting, publishing and complying with a privacy policy for collection, and processing or storage of such SPDI. However, this may not apply where the physical copy of proof of vaccination is only subject to visual scrutiny.

Additionally, where employers are required to disclose such data to any third parties (eg, manpower service providers may be required to disclose employee SPDI concerning covid-19 symptoms to clients to whom their employees are assigned), they should ensure that their privacy policy covers such disclosure of SPDI of employees to third parties and it receives specific consent from the concerned employees providing their SPDI to third parties. The employer in this situation should also contractually ensure that the third party receiving such SPDI complies with the applicable data privacy norms.

Last updated on 18/11/2021

Ireland

  • at Littler

Information about a person’s vaccination status is special category personal data for the purposes of the GDPR. It represents part of their personal health record and is afforded additional protections under data protection law.

The Data Protection Commissioner has issued guidance stating that the processing of information about an employee’s vaccination status is unlikely to be necessary or proportionate in most employment situations (see here), except potentially in industries which have a very obvious, urgent and direct safety need (such as the provision of frontline healthcare services) or if the Irish government introduces new measures requiring employers to process this data.

Last updated on 21/09/2021

Italy

  • at Toffoletto De Luca Tamajo

Only the company occupational doctor is entitled to process any health data concerning employees, as expressly clarified by the Italian Data Protection Authority (DPA). Circular no. 198 of May 13th, 2021 issued by the Italian Data Protection Authority (“Documento di indirizzo”), referring to the implementation of the voluntary vaccination campaign in the workplace, clarified that “employers shall not be allowed to collect, directly from the employees concerned, through the occupational doctor, other health professionals or health facilities, information on all aspects relating to the vaccination, including whether or not the employee intends to adhere to the campaign, whether or not the vaccine has been administered and other data relating to the employee's health condition”. Moreover, the Italian DPA has recently confirmed this principle in Circular no. 273 of July 22, 2021 (i.e. that employers cannot directly process the data regarding the vaccination of employees), also in order to avoid any kind of direct and indirect discrimination based on an employee’s decision to be vaccinated or not.

©Toffoletto De Luca Tamajo, ©Ius Laboris

Last updated on 06/12/2021

Mexico

  • at Marván, González Graf y González Larrazolo

Under the Federal Law for the Protection of Personal Data in Possession of Private Individuals or Entities, employers may obtain and treat employees’ personal data without having to obtain consent if such information is required for compliance with employers’ and employees’ obligations. As employers are obliged to implement all necessary measures to prevent workplace accidents and disease outbreaks, we believe that employers are entitled to gather and process such information, if required, to comply with these obligations. Employers must always treat this information and data as confidential.

Notwithstanding the above, employers must provide or make available to employees the data privacy notice through which it is established that their data, including but not limited to health information, may be gathered and processed to comply with the obligations derived from the employment relationship.

Last updated on 21/09/2021

Netherlands

  • at Rutgers & Posch

Information about whether an employee has been vaccinated and other medical information is personal data concerning health within the meaning of GDPR. Employers are not permitted to process such personal data about their employees unless they can invoke a ground for an exception. At present, no such grounds exist. This means that the GDPR prevents employers from recording their employees’ vaccination status or otherwise processing any data associated with their status.

More information can be found here

Last updated on 08/03/2022

Poland

  • at Bird & Bird

An employee’s vaccination status could be processed based on an employee’s explicit consent (article 9 (2) (a) GDPR). Under the Polish Labour Code, explicit consent to process special category data must be given at the employee’s initiative. The Polish DPA has expressed doubts about accepting consent as a legal basis for the processing of health data in an employer-employee relationship (due to the inequality that exists between the two sides). Therefore, the procedure for collecting such consent should be carefully prepared. Employers should not require their employees to provide information on their vaccination status. However, employers may consider introducing a process by which it would offer employees an option to voluntarily inform them about their vaccination status. It should be entirely up to the employee to provide such information. The employee cannot be exposed to any adverse consequences for not providing such information. In particular, consent or refusal to provide information cannot serve as grounds for discrimination, including denial of access to the workplace. Employers may offer some less restrictive internal procedures for employees who have been vaccinated.

There is no national law that would require employees to provide vaccination, test or immunity records. However, employers can request and retain proof of an employee’s vaccination, test or immunity records if it is provided voluntarily by the employee. Proof of such records could be processed based on the employee’s explicit consent (article 9 (2)(a) GDPR). However, we would not recommend doing so, as it may be considered excessive. It is instead recommended to collect declarations by employees or, if that is not sufficient, verify such declarations with vaccination certificates (or another type of proof) without collecting or storing copies of such certificates. This is because the Polish Labour Code gives preference to employees’ declarations over the collection of documents. Also, employees’ declarations contain less data than such evidence.

Last updated on 21/03/2022

Portugal

  • at Cuatrecasas

See question 9.

In addition to the aforementioned rules for processing employee’s health data, from a personal data perspective, the processing of special categories of data (vaccination data qualifies as health data) is generally forbidden unless one of the exceptions foreseen in article 9 (2) of GDPR applies. Therefore, this processing would only be lawful if this data is necessary for preventive or occupational medicine or for assessing the working capacity of the employee.

Last updated on 21/09/2021

Qatar

  • at Clyde & Co

There are various requirements under Law No. 13 of 2006 relating to the PDPL. The PDPL offers data subjects several rights under articles 3, 5 and 6, namely the right to:

  • have their personal data protected and lawfully processed;
  • withdraw their previous consent to have their personal data processed;
  • object to the processing of their personal data if it is not necessary to achieve the purpose for which it was gathered, if it goes beyond its requirements, or if such processing is discriminatory, prejudicial or in violation of the PDPL;
  • request the deletion or removal of their personal data in the two circumstances referred to above, or if the purpose for which such personal data was processed no longer exists, or if there is no longer any reason to maintain the same by the controller;
  • request the correction of their personal data, provided that the evidence to support such a request is also submitted;
  • access their personal data and request to review the same, before any controller;
  • be notified that their personal data is being processed and the purposes for which it is being processed;
  • be notified of any disclosure of inaccurate personal data about themselves; and
  • obtain a copy of their personal data.

Furthermore, the CDP issued 14 guidelines in November 2020 to clarify the obligations under the PDPL (the Guidelines). These include, for example, the requirement for controllers to:

  • maintain records of processing activities;
  • implement a Personal Data Management System to effectively manage the personal data that the controller processes and to report any violations of procedures and controls to the CDP;
  • carry out due diligence on data processors and put in place adequate contracts to regulate how they process personal data;
  • obtain authorisation from the CDP when processing any data of a “special nature” (ie, sensitive personal data), which includes data relating to health, religion, criminal convictions, and children;
  • carry out a data privacy impact assessment before undertaking new processing activities, particularly in the case of prospective data exports or the processing of special nature personal data;
  • notify the CDP or affected individuals within 72 hours in the event of certain data breach incidents; and
  • embed privacy into their processing activities and business practices, from the design stage and throughout their lifecycle.

Last updated on 08/11/2021

Saudi Arabia

  • at Clyde & Co

To help minimise the risk of non-compliance, employers should adopt certain procedures when handling employee data concerning identifiable individuals, such as ensuring that all employee data, including electronic data, is kept confidential and is not published without the consent of the individual to whom the employee data relates.

Last updated on 15/03/2022

Spain

  • at Cuatrecasas

As mentioned, any information concerning health is a special category of personal data, whose processing is limited to specific circumstances.

The law does not entitle employers to ask employees whether they are vaccinated. Processing personal health data must comply with article 22 of Law 31/1995, on occupational risk prevention, which means that:

  • in general terms, employers cannot use personal data on employees’ health for discriminatory purposes or to the detriment of any employees;
  • access to employees’ personal medical information will be limited to medical personnel and health authorities that monitor the health of workers, and providing such information to an employer or other personnel without the express consent of the worker is prohibited; but
  • employers and those responsible for health and safety will be informed of the conclusions of any check-ups to determine the workers’ ability to perform their job or the need to introduce or improve protection and prevention measures, so that they can properly carry out their preventive functions.

Based on this and the fact that there are no different regulations on covid-19 prevention based on employee vaccination, employers do not have access to vaccination information unless employees freely give their consent.

Last updated on 21/09/2021

Sweden

  • at DLA Piper

Medical and vaccination information relating to an individual constitute health data, which is considered a special category of personal data under article 9 of the General Data Protection Regulation (GDPR). The main rule is that the processing of such data is prohibited, unless there is an applicable exemption to process the data (for example, that processing is necessary for the employer to fulfil their obligations and exercise their special rights within labour law and in the areas of social security and social protection). From a general employment law perspective, however, it does not appear necessary for the employer to register or draw up lists of employees’ immunity in any way to fulfil an obligation or right within labour law and in the areas of social security and social protection.

Article 9.2 (i) GDPR offers another exemption to the general prohibition to process special category data: it may be lawful if the processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and medicinal products or medical devices. However, such processing must be based on EU or member state law, which normally does not apply for “ordinary” businesses.

To summarise, the opportunity for employers to lawfully process employee medical data and data on vaccination under the GDPR is very limited.

Last updated on 24/01/2022

Switzerland

  • at Lenz & Staehelin

Employers cannot access employee data related to vaccination status, and the processing of such data is not permitted.

Regarding the protection of other data, employers and employees based in Switzerland are subject to the FADP. Under that Act, personal data is any information relating to an identified or identifiable person. Health-related data is considered to be "sensitive personal data" and is subject to specific protections. Medical data, therefore, would be subject to the requirements for processing sensitive personal data.

Several principles guide the processing of data. The principle of lawfulness of processing states that personal data can only be processed lawfully. This means that such action requires a justifiable reason, which could be the consent of the subject, a predominant public or private interest or a legal provision. In the context of employment relationships, the validity of employees' consent as a justification is often called into question, given the unequal relationship inherent in any employment contract (thus preventing the employee from consenting freely).

According to the principle of good faith, it is not permitted to collect personal data without the knowledge and consent of the person concerned. Anyone who deceives that person is in violation of the principle of good faith. The collection of personal data and the purposes of the processing must be recognisable to the subject.

According to the principle of proportionality, only data necessary and suitable for the set purpose may be processed. In addition, according to the principle of purpose, data collected may only be processed for the purposes that were communicated at the time of collection, that arise from the circumstances or that are provided for by law. Finally, the principle of accuracy implies that the processor of personal data must ensure the data is accurate and, if necessary, correct data that is no longer accurate.

In addition, under certain circumstances, the EU General Data Protection Regulation may also apply to Swiss companies. However, its general requirements and principles are similar to those of the FADP.

Last updated on 20/01/2022

Turkey

  • at Gün + Partners

Medical and vaccination information can be processed by employers only with the explicit consent of employees. In labour law, considering the dynamics between employers and employees, any consent given by employees may be challenged as it may not be voluntary. Therefore, the processing of such health data, even with the consent of employees, would impose risks upon employers from a data protection perspective.

Last updated on 21/09/2021

UAE

  • at Clyde & Co

To help minimise the risk of non-compliance, employers should adopt certain procedures when handling employee data concerning identifiable individuals, such as ensuring that all employee data, including electronic data, is kept confidential and is not published without the consent of the individual to whom the employee data relates.

Last updated on 15/03/2022

United Kingdom

  • at Littler

Information about a person’s vaccination status is special category personal data for the purposes of the GDPR. It represents part of their personal health record and is afforded additional protections under data protection law.

An employer should only seek to process such data if it has a lawful basis for doing so under the UK’s implementation of the GDPR and the Data Protection Act 2018. In particular, there are limited lawful reasons for processing special category data such as health records.

It is beyond the scope of this Q&A answer to provide a detailed analysis of the potentially lawful bases for processing the special category data of employees, but general guidance can be found from the ICO – see here.

For these purposes, processing means:

  • checking an employee’s vaccine status digitally (e.g., by scanning a QR code);
  • checking an employee’s vaccine status manually and retaining any data from any such check in any form; or
  • any subsequent usage of the data after it has been checked digitally or manually and recorded.

Employers should be aware that the ICO has issued specific guidance on processing employee vaccine status data. Essentially, this guidance is that although employers may undertake spot-checks of employee vaccination status, there will be significantly fewer cases where it would be justifiable for employers to retain a record of any employee’s vaccination status: see the ICO’s position on this as follows (quotes taken from the ICO here; emphasis has been added by us):

Does the UK GDPR apply if I decide to check people’s COVID status?

If you are only conducting a visual check of COVID Passes (either a hard-copy document or a pass held on a digital device) and do not retain any personal data from it, this would not constitute ‘processing’ personal data. The activity would therefore fall outside of the UK GDPR’s scope.

However, if you are conducting checks digitally (for example, by scanning the QR code displayed on the pass), this would constitute processing of personal data – even if you do not keep a record of it. The UK GDPR would therefore apply.

If you make a record of any personal data, whether you conduct visual or digital checks, then you would be processing personal data and the UK GDPR would apply.

Can I record information about my employees’ vaccine status?

Your reason for recording your employees’ vaccination status must be clear and necessary. If you cannot specify your use for this information and are recording it on a ‘just in case’ basis, or if you can achieve your goal without collecting this data, you are unlikely to be able to justify collecting it….

Last updated on 13/01/2022

United States

  • at Littler

With limited exceptions, the Americans with Disabilities Act requires employers to keep confidential any medical information they learn about any applicant or employee. Medical information includes not only a diagnosis or treatment, but also the fact that an individual has requested or is receiving a reasonable accommodation. In addition, employers must maintain reasonable security measures to protect sensitive personally identifying information. Specific data privacy rules vary state by state.

Up-to-date information on the USA’s response to the pandemic, including State-level news and developments, can be found at Littler’s covid hub here.

Last updated on 21/09/2021