In early November 2021, the Government announced that the COVID-19 vaccination would be a condition of employment for all health and social care workers. Just three months later, however, they made a U-turn on the decision, as the reality of potentially losing more than 80,000 unvaccinated NHS healthcare staff hit home. The risk of losing thousands of health workers would have had a devastating impact on an already stretched workforce and ultimately on patient care.
The Secretary of State for Health & Social Care announced on the 31st of January 2022 that COVID-19 vaccinations would no longer be mandated for NHS healthcare staff and following a period of consultation the regulations will be revoked following an announcement on the 1 March 2021 and will apply across all health and social care from 15 March 2022. Unsurprisingly, this U-turn has raised fresh questions and concerns about data privacy, especially if COVID-19 vaccination status could be used as a condition of deployment in future.
Where data privacy fits in issuing compulsory vaccinations as a condition of deployment
Data protection and employment legalisation is intended to protect employees from discrimination on the basis of their health status. Stating the COVID-19 vaccination as a condition of deployment for health care workers, therefore, was a major departure from data privacy regulations. NHS employers can still ask for an employee’s vaccination status, particularly if there is COVID-19 outbreak, as hospitals still have infection control responsibilities as this is still in line with current health related legislation. Additionally, sensitive employee data that has already been collected could have already been analysed and used to assess whether a staff member was in scope of the regulations and may already form part of the staff record as a result. Therefore, revoking the regulations raises questions about information that’s already been collected and used.
What potential data privacy risks are there in collecting and using vaccination data in the health sector?
Currently, NHS employers can still lawfully hold health data, including vaccination status, which is ‘special category’ data under UK GDPR stipulation. However, processing ‘special category’ data is viewed as an intrusion on an individual’s privacy, which could mean employees could ask for information to be destroyed. In these cases, information collected could have already impacted staff and would now form part of a formal record and may need to be retained. As a result of the revocation organisations would need to identify the lawful basis to store the information and this point requires further clarification from Government.
Secondly, employers need to ensure when collecting vaccination data that all data privacy protection requirements have been factored in from the start, including considering risk of discrimination if staff groups are not correctly defined. Groups such as suppliers or students/trainees who aren’t included within existing HR records as they aren’t on the organisation’s payroll, for example, could be in contact with patients and this is where a review of infection, prevention and control measures may be required to protect both its workforce and patients to reduce risks of transmission.
In some instances, however, there may be legitimate reasons for retaining employee data. For example, evidence required for the forthcoming COVID-19 public enquiry or the Government’s intention to update the Code of Practice on the prevention and control of infections which applies to Care Quality Commission registered health and social care providers in England is realised, which will look at strengthening its requirements in relation to COVID-19 and could include data already collected. If there was a decision for all healthcare staff to be fully vaccinated in the future, there would still be a choice for individuals, but there would need to be a clear legal/statutory obligation to collect, use and retain the data.
What rights do NHS staff have who resigned before the initial 3rd February deadline?
When the government first announced that all healthcare staff would need to be double vaccinated by the 1st April to maintain their employment status, staff would have needed to have their first vaccination dose no later than the 3rd February. Guidance from the NHS states that employers should offer staff who may have resigned before this date the option to withdraw or pause their notice period until the consultation and Parliamentary process is confirmed. In addition, for staff who may have left their role as a direct result of the original regulation, NHS employers can extend an offer to re-engage individuals to their role. It is worth mentioning that NHS England and NHS Improvement viewpoint has always been that staff have a professional duty to be vaccinated and NHS employers should continue to support and engage with their staff to ‘drive vaccine confidence’ and to ‘protect themselves and everyone else’.
Ultimately, vaccination as a condition of deployment is a challenging call – we have to take into consideration the wellbeing of the general public, the rights of individuals and the health risk of COVID-19. Employers need to make sure that they are transparent, fair and open when communicating with staff how their sensitive information will be used, to ensure they are not penalised further down the line.
By Llinos Bradley, Senior Data Protection Consultant at Gemserv
