The UK government has confirmed that from Monday 16 August the rules on self-isolation for COVID close contacts will change for (a) the fully vaccinated (meaning all those who have had two vaccine doses, but only from 14 days after the second vaccine dose) and (b) under 18s in England. Instead of self-isolating, these individuals are advised (but not required) to get a PCR test as soon as possible.
Those who are not fully vaccinated will still need to isolate if they are COVID contacts, and everyone (including the fully vaccinated) will still have to isolate if, having taken a PCR test, they test positive. The need to isolate if suffering symptoms also remains.
As double jabbed individuals who are identified as close contacts by test and trace are still at risk of being infected and of transmitting COVID, people are advised to consider other precautions such as wearing a face covering in enclosed spaces, and limiting contact with other people, especially with anyone who is clinically extremely vulnerable. Double jabbed individuals will not be required to self-isolate while they take and wait for the results of the PCR test.
The changes may leave many employers uncertain about the measures they can and should take from 16 August, including whether it will be permissible to maintain a record of individual employees who will no longer need to isolate under the new rules.
There may be a desire on the part of some employers to collect records about the vaccination status of their employees, given that those who are fully vaccinated will be subject to new rules. However, collecting information about an employee’s vaccination status is likely to be tricky for employers outside of limited sectors where there is a specific requirement or compelling reason for staff to be vaccinated. A person’s COVID or COVID vaccination status is special category data for the purposes of the UK GDPR, as it is private health information. Guidance from the ICO confirms that obtaining employee consent is unlikely to be an option for processing this data. Consent is rarely appropriate for these purposes in an employment setting, given the imbalance of power between the employer and employee. Instead employers need to consider whether collecting such data is “reasonably necessary” to comply with one of the other lawful processing grounds.
When might keeping records of vaccination status be “reasonably necessary” given the planned changes to the self-isolation requirements for those who have been fully vaccinated from 16 August?
Employers will need to consider this on a case-by-case basis. There are only limited situations (such as where employees interact with clinically vulnerable individuals or travel to other countries as part of their role) in which there may be a clear legal basis for processing vaccination status.
Employers may wish to record/process the vaccination status of employees for absence planning, as unvaccinated or partially vaccinated individuals are more likely to catch COVID or be a COVID contact and therefore be absent through isolation, illness or both. However, even where a job requires an employee to be physically present in the workplace, it seems doubtful that this fact alone would justify the collection of vaccination data. The ICO’s guidance on vaccination and COVID status checks states that COVID information should not be recorded “just in case” it is needed. It may be that collecting this data would not help accurate absence planning in any event, since being vaccinated does not prevent a person from catching COVID, and if tested positive, being required to self-isolate. Further, where employees have worked from home throughout the pandemic, it may be more difficult to justify collection of vaccination data as it would arguably not be “necessary” for them to be in the workplace and by extension for the data to be collected.
There may be particular aspects of an employee’s job role, however, which justify the collection of vaccination data. Examples include where this is necessary for compliance with a legal obligation in the field of employment, or where necessary for reasons of public interest in the field of public health.
If, bearing in mind the above, employers decide to collect vaccination information and status data, a Data Protection Impact Assessment (DPIA) is recommended, to show that the legality of collecting the data has been considered. Particular thought should also be given to who this information is made available to (the fewer people the better) and where and how it is stored, in order to ensure adequate security.
Should employers still require fully vaccinated employees to notify them if they test positive for COVID?
Given an employer’s obligation to provide a safe working environment for others under the Health and Safety at Work Act 1974, this practice should probably continue for all employees who are coming into the workplace.
Should employees who are fully vaccinated and who are contacts of individuals who test positive remain away from the workplace, even where there is no legal obligation to isolate?
We anticipate that some employers will still require employees who have been in contact with a person who has tested positive (for example employees who share the same office area as someone who has tested positive, or employees who have been “pinged” by test and trace) to stay away from the workplace for a set period, unless they can demonstrate that they should be permitted to re-enter the workplace, perhaps by showing their COVID status. Any such period may also include the time required for the employee to take and receive the result of a PCR test. However, such a rule goes beyond the legal requirements in respect of people who are double jabbed, even whilst they are waiting for test results.
ICO guidance states that visual checks of COVID Passes (either a hard-copy document or a pass held on a digital device) would not constitute ‘processing’, but only if no personal data is retained in the process. However, conducting checks digitally (for example, by scanning the QR code displayed on the pass), would constitute processing of personal data.
In addition to data protection issues, employers may have to consider discrimination issues (which are outside of the scope of this article) arising from the collection of COVID-related data. There is also an administrative and enforcement burden in collecting such information. Whilst the new rules will assist with reducing the impact of the ‘pingdemic’, it seems that they will continue to cause headaches for employers as they grapple with the different requirements for different groups of employees in circumstances where collecting information about which employees fall into which groups poses legal difficulties.