COVID-19 vaccine passes and vaccination status checks – are you privacy compliant?
In addition to Government guidance and Covid-19 safety measures, business owners should consider whether their processing of Covid-19 pass information meets the requirements under the Data Protection Act 2018.
A visitor’s Covid-19 status constitutes health data, a type of special category of personal data under UK data protection laws. Compliance obligations around processing this type of personal data are more onerous, due to its inherent sensitivity, and a failure to comply with the 2018 Act could lead to sanctions issued by the ICO, the UK Regulator responsible for data protection matters.
For operators, where you do check or record people’s Covid-19 status, you must justify this in terms of what you collect, what you do with the information, how long you keep it for, and how you keep it secure, amongst other things. The Data Protection Act 2018 requires that you ensure the collection of visitors’ Covid-19 status is necessary, clear and transparent. What you do with this information should be set out in your Privacy Notice, statement or policy.
The same applies for those employees from whom you seek a vaccination status. An employee has the right to understand what information is held about them, and the easiest way to demonstrate this is with an Employee Privacy Notice. The processing of employee personal data must be fair and justifiable in all the circumstances. Where you operate a business with a sizeable number of employees, you should carefully consider the purpose for retaining an employee’s vaccination status long-term.
Remember that the cornerstones of the 2018 Act are transparency and accountability, and that even where you are acting in line with government guidance, this must be demonstrated by your policy documents.
Article from our North East Leisure Supplement 2022, produced in conjunction with Sanderson Weatherall.