COVID-19: Vaccination status and data privacy

The COVID-19 pandemic has brought significant changes in the way that ordinary people attend to their daily activities. Initially, the changes in behaviour were abrupt and disrupting, but as time progressed it seems as if the changes necessitated by the COVID-19 pandemic have slowly but surely become part of our daily routine.

In a similar fashion, commerce, industry and businesses have become accustomed to functioning within a COVID-19 pandemic environment. Throughout most of the world, legislation and policies dealing with disaster management, labour relations and occupational health and safety have been amended and applied with great agility in order to ensure that employers and employees are well aware of their rights and obligations relating to the employment relationship within the greater COVID-19 pandemic environment.

Enter, however, two new participants to this mix and the applecart does not seem as stable as it did in first half of 2021, particularly insofar as it relates to the employment relationship.

The newcomers represent competing challenges which require serious consideration, namely:

  • Data privacy requirements
  • Global vaccination roll outs and strategies.  

Data privacy requirements

Data privacy and data protection legislation has been a matter of concern for most countries engaging in any form of digital commerce. The importance of data privacy has been highlighted by various legislation adopted addressing the requirements to protect the personal information of individuals around the globe, such as Europe’s General Data Protection Regulation (Regulation (EU) 2016/679), the Californian Consumer Privacy Act of 2018, the Brazilian General Data Protection Law (LGPD) Federal Law no. 13,709/2018, Australia’s Privacy Act of 1988 and Privacy Principles, Egypt’s Personal Data Protection Law No.151 of 2020, Kenya’s Data Protection Act 2019, Nigeria’s Data Protection Regulation (Regulation) 2019 and South Africa’s Protection of Personal Information Act 4 of 2013.

The common denominator of the various data privacy legislation adopted by various countries is the main objective to promote the protection of personal information processed by public and private bodies by introducing certain conditions and requirements for the lawful processing of personal information so as to establish minimum requirements for the processing of such information.

Global vaccination roll outs and strategies

Government structures worldwide have undertaken the massive task of sourcing, distributing and overseeing the rollout of vaccines against COVID-19. To this end, national registers for COVID-19 vaccinations have been established and vaccination systems based on pre-vaccination registrations and appointment systems have been or are being implemented. All those vaccinated are recorded in such national registers and provided with a form of confirmation of vaccination. This is either in the form of a vaccination card or recorded digitally by way of web applications.

Internationally, trends have formed in many developed countries requiring confirmation of vaccination to be presented before individuals are allowed to travel, enter public spaces and before being allowed to enter the workplace.

Australia has made vaccinations mandatory for high-risk aged-care workers and employees in quarantine hotels, whilst also making vaccinations obligatory for Paralympic athletes who will be going to Tokyo. In Britain it is intended that vaccination will be mandatory for care-home workers from October 2021, as well as English nightclubs and other social venues with large crowds requiring confirmation of vaccination from the end of September 2021. France has approved a bill that makes vaccinations mandatory for health workers and requiring confirmation of vaccination in social venues. The Italian government has mandated that health workers and pharmacists, must be vaccinated, with refusal resulting in possible suspension without pay. In the United Sates, the cities of San Francisco and New Orleans require patrons to provide confirmation of vaccination prior to admittance to social venues such as restaurants and gymnasiums, whilst New York City will require confirmation of vaccination for customers and staff at social venues such as restaurants and gymnasiums from 13 September 2021. 

Competing challenges: Vaccination status v data privacy

It seems, therefore, that employers may be stuck between a rock and a hard place. On the one hand, the employer has an obligation to protect the personal information of its employees in terms of the provisions of data privacy legislation, whilst, on the other hand, international trends seem to indicate that, unless you disclose your vaccination status by way of presenting confirmation of your vaccination status, certain social liberties will be withheld from you.

The question, therefore, arises as to how an employer is to deal with the personal information of their employees relating to their vaccination status.

Given the inclusion of information relating to an individual’s health is considered to be sensitive personal data, in general, employers will be required to be extremely circumspect with how they intend to deal with the collection, processing and dissemination of their employees’ vaccination status. Employers will need to comply with the provisions of any applicable data privacy legislation which may be applicable under the circumstances in respect of the processing and safeguarding of such personal information.

Even when collection and processing of the vaccination status of employees may be sanctioned by legislation, it is only then that employers would be provided with a lawful basis for processing.

Due regard and consideration will certainly still have to be given as to how the employer will safeguard such personal information in its possession. Other considerations will be which reasonable organisational and technical measures the employer will implement in order to avoid the loss of, damage to or unauthorised destruction of such personal information and/or any unlawful processing of such personal information relating to its employees’ vaccination status.

What are the practical implications?

It is conceivable that customers within certain industries may require that suppliers who render services to them, not only provide them with suitably qualified personnel, but also with personnel who have been vaccinated against COVID-19, with the expectation that such personnel can present their vaccination cards as confirmation thereof. The question is whether such a demand would be justifiable?

As at the date of this article, the World Health Organisation (“WHO”) has stated that, while a COVID-19 vaccine will prevent serious illness and death of an individual, the WHO still cannot confirm the extent to which a COVID-19 vaccine keeps an individual from being infected and passing the virus on to others. Therefore, it is arguable that such a demand from a customer does not, with the information available at present, seem to safeguard the workplace for the employees, the customer and/or the public. In fact, it could be submitted that the general requirements as to social distancing, screening, sanitisation and wearing of masks would be far better employed to achieve the desired objective of a safer workplace.

However, the demand would, indeed, assist in the vaccination roll out and strategies from a government perspective. The customer is effectively applying a form of social/communal pressure on a supplier and/or its employees to make sure that they are vaccinated in order to maintain a viable business. As such, suppliers may want to consider implementing a policy which encourages employees to be vaccinated, not only for the benefit of their own health, but also as part of their civil duty to the greater community and in order to ensure that the supplier can continue to render its services to the market and thereby maintain a viable business.

Generally, data privacy legislation and policies do not necessarily prohibit the collection, processing and dissemination of personal information, but do require that the parties involved in the processing, collecting and dissemination of the personal information, must be held accountable for their actions. Therefore, care needs to be exercised by both the supplier and the customer in order to ensure that they have the necessary grounds to collect, process and disseminate the personal information and that they have taken the appropriate and reasonable technical and organisational measures to safeguard the personal information.

Depending on the provisions of the applicable data privacy laws of the jurisdiction within which a supplier is established, one could potentially rely on the fact that a particular employee has deliberately made their vaccination status public to process such information (disclosures on social media platforms are common place these days).  

Conclusion

Given the serious nature of the consequences that the COVID-19 pandemic leaves in its wake and the international trends that certain civil liberties of individuals have been and will continue to be limited in order to effectively battle the COVID-19 pandemic, it is certainly conceivable that we may very well see legislation continue to take a more concrete stance on the vaccination status of individuals. This will most certainly impact the fundamental rights of such individuals and infringements on the fundamental rights of the individuals will have to be justified in terms of the principles of law governing the limitation of the fundamental rights of such individuals.

However, until a more concrete stance on the vaccination status of individuals is taken up in legislation, employers would be well advised to apply strict adherence to the provisions of all applicable data privacy legislation when collecting, processing and disseminating their employees’ vaccination status.

Phillip Kruger

Director: Legal, RSM South Africa

 

Region(s): 

AUTHOR

Phillip Kruger
Phillip Kruger
Director: Legal
RSM South Africa