
Five things companies need to know about GDPR and keeping vaccine data

“Can I keep a record of vaccinated employees or customers?” This is a valid question, given the changeable nature of the guidance, which means the goalposts keep getting moved for organisations. Currently, in some settings, there is a requirement to check people’s Covid test results or vaccination status before allowing entry, and vaccinations are mandated for those in some job roles (such as healthcare staff). This all adds to the confusion around whether organisations should be checking individuals’ Covid status and what to do, or not do, with the information.

To help organisations, The DPO Centre has put together five key things companies need to consider in terms of what they can legally ask of customers and employees without overstepping data protection legislation.

  • You must have a lawful basis to process Covid-related health data. Where there is no legal requirement to do so, checking individuals’ test results or vaccination status is at the discretion of the business. You must identify a lawful basis for processing the personal data relating to an identified or identifiable natural person.
  • Collecting Covid-related health data could lead to unjust treatment of data subjects; the information must be kept confidential and not used to disadvantage an individual. Transparency with data subjects about the collection of their personal data is crucial.
  • The use of Covid-related data must be fair, relevant and necessary for a specific purpose. You must demonstrate how you intend to use it and carefully consider the value of collecting the information against the impact it may have on the individual’s privacy.
  • When collecting individuals’ Covid-related health data, you will need to conduct a Data Protection Impact Assessment (DPIA). A DPIA is required when processing data which could result in a risk to the rights and freedoms of the individual. DPIAs should clearly justify the need for processing the personal data, especially sensitive ‘special category’ data, such as Covid health data.
  • There can be other impacts which need to be considered when processing this type of information, including employment law, health and safety, human rights and current public health advice.

It is recommended that you regularly check and stay up to date with your country’s laws and regulations before processing Covid-related health data.

Rob Masson, CEO of The DPO Centre, said: “There needs to be a discussion relating to the reasonable steps an organisation needs to take to balance an individual’s right to privacy with the wider impact on public health.

“Many organisations are finding themselves put in the situation of having to process this type of health data for the first time, and we are seeing a big increase in organisations looking to outsource their data protection and privacy processes and practices to ensure they get it right.”
