Covid-19 vaccination status and data privacy

The COVID-19 pandemic has brought significant changes in the way that ordinary people attend to their daily activities. Initially, the changes in behaviour were abrupt and disruptive, but as time progressed it seems as if the changes necessitated by the COVID-19 pandemic have slowly but surely become part of our daily routine.

In a similar fashion, commerce, industry and businesses have become accustomed to functioning within a COVID-19 pandemic environment. In South Africa, the Disaster Management Act 57 of 2002 (the “DMA”), the Labour Relations Act 66 of 1995 (the “LRA”) and the Occupational Health and Safety Act 85 of 1993 (the “OHSA”) have been amended and applied with great agility in order to ensure that employers and employees are well aware of their rights and obligations relating to the employment relationship within the greater COVID-19 pandemic environment.

Enter, however, two new participants to this mix and the applecart does not seem as stable as it did in the first half of 2021, particularly relating to the employment relationship.

The newcomers represent competing challenges which require serious consideration, namely: (i) Data Privacy Requirements and (ii) The National Vaccination Roll Out and Strategy.  

Data Privacy Requirements

The Protection of Personal Information Act 4 of 2013 (“POPIA”) came into full force and effect on 1 July 2021, after a 12-month grace period was allowed for businesses to implement the necessary processes and policies to be compliant with the provisions of POPIA.

The main objective of POPIA is to promote the protection of personal information processed by public and private bodies by, among others, introducing certain conditions for the lawful processing of personal information so as to establish minimum requirements for the processing of such information.

POPIA also introduces the concept of so-called “Special Personal Information” (“SPI”) which is defined as the religious or philosophical beliefs, race or ethnic origin, trade union membership, political persuasion, health or sex life or biometric information of a data subject or the criminal behaviour of a data subject.

The National Vaccination Roll Out and Strategy

The South African government, as many other governments worldwide, has undertaken the massive task of sourcing, distributing and overseeing the rollout of the vaccine against COVID-19. To this end, a national register for COVID-19 vaccinations was established and the vaccination system is based on a pre-vaccination registration and appointment system. All those vaccinated are recorded in a national register and provided with a vaccination card.

Internationally, a trend has formed in many developed countries requiring a vaccination card to be presented before individuals are allowed to travel, enter public spaces and before being allowed to enter the workplace.

In South Africa, however, we have not reached this point yet. The DMA, LRA and OHSA do, however, place an obligation on the employer to ensure that it provides a safe workplace for employees and the public.

Furthermore, the Department of Labour has issued the Consolidated Direction on Occupational Health and Safety Measures in Certain Workplaces (the “Direction”), dated 11 June 2021, which allows employers to adopt a mandatory vaccine policy.

Such a mandatory vaccine policy, however, must allow an employee to refuse to be vaccinated on constitutional grounds, such as the right to bodily integrity and the right to freedom of religion, belief and opinion, or medical grounds. If an employee refuses to be vaccinated, the employer must take steps to reasonably accommodate the employee in a position that does not require the employee to be vaccinated, in order to enable the employee to remain employed at the organisation, which might include allowing the employee to work offsite or at home, or to work in isolation from other employees.

Therefore, the South African law does not yet allow an employer to limit or refuse an employee their employment entitlements purely based on their vaccination status.  

Competing Challenges: Vaccination Status v Data Privacy

It seems, therefore, that employers may be stuck between a rock and a hard place. On the one hand, the employer has an obligation to protect the personal information of its employees in terms of the provisions of POPIA, whilst, on the other hand, international trends seem to indicate that, unless you disclose your vaccination status by way of presenting your vaccination card, certain social liberties will be withheld from you. Furthermore, employers are required in terms of the DMA, LRA and OHSA to provide a safe working environment for all of their staff.

All the while, however, employers are only empowered by the Direction with the ability to adopt a mandatory vaccine policy, which upon deeper reflection, is not truly “mandatory” in the sense of the dictionary definition of the word at all.

The question, therefore, arises as to how an employer is to deal with the personal information of their employees relating to their vaccination status.

Given the inclusion of personal information relating to an individual’s health as SPI in terms of POPIA, employers will be required to be extremely circumspect with how they intend to deal with the collection, processing and dissemination of their employees’ vaccination status.

POPIA is very clear in its provisions that SPI may only be processed in the event that:

  • processing is carried out with the consent of a data subject (i.e. the employee);
  • processing is necessary for the establishment, exercise or defence of a right or obligation in law;
  • processing is necessary to comply with an obligation of international public law;
  • information has deliberately been made public by the data subject (i.e. the employee); or
  • processing is for historical, statistical or research purposes to the extent that –
    • it serves a public interest and the processing is necessary for the purpose concerned; or
    • it appears to be impossible or would involve a disproportionate effort to ask for consent, and sufficient guarantees are provided for to ensure that the processing does not adversely affect the individual privacy of the data subject to a disproportionate extent.

As such, in order for an employer to collect, process or disseminate personal information regarding its employees’ vaccination status, the employer would have to comply with the provisions of POPIA in respect of the processing of SPI.

As per the above, the South African law does not yet require employers to process the vaccination status of their employees as an obligation of law. As such, it would be of the utmost importance that employers obtain the consent of employees in order to collect, process and/or disseminate their employees’ vaccination status.

In this regard POPIA requires such consent to be a voluntary, specific and informed expression of will in terms of which permission is given by the employee to the employer for the collection, processing and dissemination of the personal information of the employee.

What are the practical implications?

Consider a scenario where Company A contracts with Company B, wherein Company A will provide cleaning services at the premises of Company B, by way of sending a team of their employees to provide such services.

Company B, however, requires Company A to provide only employees who have been vaccinated against COVID-19 and can present their vaccination cards as confirmation thereof. As justification for such a demand, Company B states that the DMA, LRA and OHSA place an obligation on Company B to ensure that it provides a safe workplace for employees of Company B and the public.

In order to evaluate the stance taken by Company B, one needs to consider the justification for such a demand from various perspectives:

Firstly, a practical question arises, namely: will adherence to the demand of Company B achieve the desired outcome?

As at the date of this article, the World Health Organisation (“WHO”) has stated that, while a COVID-19 vaccine will prevent serious illness and death of an individual, the WHO still cannot confirm the extent to which a COVID-19 vaccine keeps an individual from being infected and passing the virus on to others. Therefore, insisting that all employees provided by Company A to Company B in the rendering of the services are vaccinated, does not, with the information available at present, seem to safeguard the workplace for the employees of Company B and/or the public. Therefore, from a practicality perspective, the demand of Company B does not achieve the desired outcome.

Secondly, the question as to the National Vaccination Roll Out and Strategy requires consideration, i.e. does the demand of Company B assist the National Vaccination Roll Out and Strategy?

In this regard, it is certainly conceivable that the demand of Company B would, indeed, assist in the National Vaccination Roll Out and Strategy. By requiring Company A to only provide employees who have been vaccinated to render services at the premises of Company B, Company B is effectively applying a form of social/communal pressure on Company A and/or its employees to make sure that they are vaccinated in order to render the services and maintain a viable business.

Thirdly, one has to consider whether Company B’s request is reasonable given the requirements relating to data privacy.

POPIA and its requirements do not necessarily prohibit the collection, processing and dissemination of personal information. What POPIA does require, however, is that the parties involved in the processing, collecting and dissemination of the personal information of a data subject (i.e. the employee in this example), must be held accountable for their actions. Therefore, Company B’s request is not necessarily unsustainable in terms of POPIA, but care needs to be exercised by both Company A and Company B in order to ensure that they have the necessary grounds to collect, process and disseminate the personal information and that they have taken the appropriate and reasonable technical and organisational measures to safeguard the personal information.

In light of the above, one would have to concede that Company B’s demand does not achieve the desired objective of creating a safer workplace for the employees of Company B and/or the public. If the COVID-19 vaccine only prevents serious illness and death, but does not hinder the transferability of the virus, it is submitted that the general requirements as to social distancing, screening, sanitisation and wearing of masks would be far better employed to achieve Company B’s desired objective of a safer workplace.

However, from a National Vaccination Roll Out and Strategy perspective and a social responsibility point of view, Company B’s request does seem to have merit. As such, Company A may want to consider implementing a mandatory vaccine policy, as envisaged in the Direction, but as discussed above, the Direction does not truly provide the legal muscle required to enforce it as being “mandatory”. Therefore, an alternative approach may be recommended in that Company A implements a policy which encourages employees to be vaccinated, not only for the benefit of their own health, but also as part of their civil duty to the greater community and in order to ensure that Company A can continue to render its services to the market and thereby maintain a viable business.

In terms of POPIA, it is submitted that neither the Direction, nor the DMA, in its present form provides a basis for processing of the vaccination status of an employee to be deemed as necessary for the establishment, exercise or defence of a right or obligation in law. In a similar fashion, presently there has not yet been an initiative taken to apply to the Information Regulator to declare the vaccination status of individuals to be processed on the basis of public interest. Therefore, Company A will either have to obtain the consent of the employees, as discussed above, or Company A could rely on the fact that a particular employee has deliberately made their vaccination status public, by publishing this on public platforms, such as Facebook and various other social media platforms or groups. Company A could also embark on a social responsibility campaign, encouraging their employees to disclose their vaccination status voluntarily, in order to further assist the National Vaccination Roll Out and Strategy.

Conclusion

Given the serious nature of the consequences that the COVID-19 pandemic leaves in its wake and the international trend that certain civil liberties of individuals have been and will continue to be limited in order to effectively battle the COVID-19 pandemic, it is certainly conceivable that we may very well see legislation in South Africa take a more concrete stance on the vaccination status of individuals. This will most certainly impact the constitutional rights of such individuals and infringements on the fundamental rights of the individuals will have to be justified in terms of Section 36 of the Constitution of South Africa.

However, until a more concrete stance on the vaccination status of individuals is taken up in legislation, employers would be well advised to apply strict adherence to the provisions of POPIA when collecting, processing and disseminating their employees’ vaccination status and to encourage their employees, as a matter of social policy, to battle the COVID-19 pandemic by being vaccinated.

Phillip Kruger

Director: Legal, Johannesburg

