Returning to the office - Vaccine information and Data Protection FAQs

As more and more staff who have been working from home start to return to the office, we've put together some FAQs about vaccine information and data protection.


  1. Can an employer ask its employees to take a rapid covid-test before entering the office?

    Yes - you can ask employees to take a lateral flow test before they come into the office and this is a common trend we are seeing across the UK in order to reduce the spread of the virus and minimise business disruption.

    Enforcing a testing policy could cause some issues for an employer depending on what you plan to do if an employee refuses to get tested. Importantly, if an employee did not comply and they were then dismissed there would be a risk of a claim of unfair dismissal (provided the employee has 2 or more years of service). The case law around this is still developing but generally there is some evidence to show that an Employment Tribunal is willing to support disciplinary action in cases where employees refuse to comply with an employer’s health and safety measures. It’s possible that asking an employee to do a lateral flow test is viewed as an employer attempting to fulfil their obligations under the Health and Safety at Work Act 1974 to take reasonable steps to reduce any workplace risk. However, this would be assessed on a case-by-case basis having regard to the reasonableness of the employer’s decision to dismiss. An employer would need to demonstrate a clear rationale for requiring the testing, and consult and communicate with staff about this, before deciding to make it mandatory.

    Overall, however, employees are likely to comply with the request. Provided you are not taking any disciplinary action for non-compliance, are not recording the data and are applying the policy to everyone equally (i.e. regardless of vaccine status), then, under the current guidance, we would view this as a sensible step for employers to take with limited legal risk. Note: there is an increased risk of a discrimination claim under the Equality Act 2010 (discussed more at Q3 below) if you require only those who are unvaccinated to take lateral flow tests.

  2. If this is allowed, can an employer register the results and under which conditions?

    As you may be aware, due to its sensitivity, health data has the protected status of special category data under data protection law and results of a lateral flow test would fall within this category. As such employers must identify an Article 9 (of the UK GDPR) condition for processing this type of data which provides a lawful basis for doing so.

    In this case you could seek to rely on the condition that the processing is necessary to enable you, as an employer, to meet your legal obligations, such as ensuring health & safety at work or complying with the requirement not to discriminate. So long as the processing you carry out falls within this condition, you can process that information, which could include keeping a record of the results of the tests. However, you will need to consider your reasons for doing so, who it might be appropriate to share this data with and how long it is appropriate to retain these records.

    Ideally you should have carried out (or will carry out) an impact assessment to document your reasoning behind the processing of this health data to show it falls within Article 9 (i.e. necessary to meet legal obligations/ensuring health & safety at work) and that you are therefore either under a legal duty to process the health information about the individual or that the benefits of the processing of the health information justifies the privacy intrusion or other adverse impact on them (so in other words it is a proportionate response to a particular problem). We can help you to carry out an impact assessment if you need some support (please contact the team below). However, in the meantime we have set out 6 key steps you need to consider as an organisation around the use of this personal information:

    1. Only collect and use what is necessary.

      To help decide if collecting and using health data is necessary to keep your staff safe, ask yourself the following questions:

      1. How will collecting extra personal data help keep your workplace safe?
      2. Do you really need this information?
      3. Will the test you are considering actually help you to provide a safe environment?
      4. Could you achieve the same result without collecting this personal information?

      If you can show that your approach is reasonable, fair and proportionate to the circumstances, then it is unlikely to raise data protection concerns.

    2. Keep it to a minimum

      When collecting personal information, including people’s COVID-19 symptoms or any related test results, organisations should collect only the information needed to implement their measures appropriately and effectively. Don’t collect personal data that you don’t need. Some information only needs to be held temporarily, and there is no need to create a permanent record.

      Your reason for checking or recording people’s COVID status must be clear, necessary and transparent. If you cannot specify a use for this information and are recording it on a ‘just in case’ basis, or if you can achieve your goal without collecting this data, you are unlikely to be able to justify collecting it.

    3. Be clear, open and honest with employees about their data

      Some people may be affected by the measures you intend to implement. For example, staff may not be able to work. You must be mindful of this, and make sure you tell people how and why you wish to use their personal information, including what the implications for them will be. You should also let employees know who you will share their information with and for how long you intend to keep it.

      You can let employees know what you are doing with their data through a clear, accessible privacy notice or other policy document. See more on this below.

    4. Treat people fairly

      If you’re making decisions about your staff based on the health information you collect, you must make sure your approach is fair. Think carefully about any detriment they might suffer as a result of your policy, and make sure your approach doesn’t cause any kind of discrimination.

    5. Keep the information secure

      You should also ensure it is only retained as long as is strictly necessary before being deleted or anonymised.

    6. Staff must be able to exercise their information rights

      As with any data collection, organisations are expected to inform individuals about their rights in relation to their personal data, such as the right of access or rectification. Staff must have the option to exercise those rights if they wish to do so, and to discuss any concerns they may have with you.

    As mentioned above, you should have a privacy policy or other appropriate policy document which outlines your compliance measures and retention policies for special category data and which can be provided or made available to employees to let them know what is happening to their data. You may have this already to cover existing health data as part of your employment records, but even if this is the case it may now need to be updated to cover this new data being collected. We can help you put one together if you need support with this.

    If you want to share or retain any special category data more widely than considered appropriate from your impact assessment you would then need to obtain consent to do so. However, you need to be particularly careful if you ask for consent when you are in a position of power over an individual, e.g. if you are their employer (or prospective employer). In this situation you have to be confident that you can demonstrate that the consent is not just explicit but also “freely given”. This means providing a genuine choice and enabling the individual to refuse that consent without detriment. If there is no genuine choice, consent is not freely given and will be invalid.

    Assuming the processing is deemed necessary as a result of the impact assessment referred to above, we would argue consent is not required.

  3. Can an employer ask for proof of vaccination from its employees before entering the office?

    From an employment law perspective, an employer should be careful before asking an employee for proof of vaccination before entering the office. If an employer is intending to put in place a policy which prevents those who are unvaccinated from working or attending the office, then they risk a discrimination claim being brought against them under the Equality Act 2010. For example, it is possible that an employee is unable to have the vaccine due to health reasons (such as being auto immune) or religious reasons (the vaccine may contain ingredients which their religion does not approve of) and if they then wanted to attend the office but weren’t allowed on the basis they had not had the vaccine then they could raise a claim for disability or religious discrimination.

    A better idea, which reduces the legal risk for employers, is to encourage employees to be vaccinated by sharing facts and benefits about the vaccination published by the UK Government and allowing employees paid time off to get the vaccine. This would likely help an employer fulfil its obligations under the Health and Safety at Work Act 1974 (as mentioned above) to take reasonable steps to reduce any workplace risk. With this in mind, an employer should continue to pay attention to keeping the office as Covid safe as possible by encouraging social distancing, face coverings, hand sanitiser, protective screens and facilitating hybrid working where appropriate. Note: these are not all legal requirements throughout the UK but are something an employer could try to adopt as policy.

  4. If we can ask for a proof of vaccination, can we register this and under which conditions?

    The rules around recording and retaining details of an individual’s vaccination status are the same as set out under question 2 above as this is also special category data and a separate impact assessment would be recommended.

  5. If a client/customer requests a Covid test result from one of our employees (e.g. in order to go on site), do we, as the employer, have to request our employee undergo a Covid test and, if so, are we allowed to share the test results of employees with the client/customer?

    Whilst you could request a Covid test result from your employees on behalf of your customer, you would still need to demonstrate a clear rationale for requiring this and communicate/consult with staff about this. It will also depend on what you plan to do with the information (and/or whether you plan to make it mandatory) as you face the same risks as mentioned above.

    In terms of sharing that data with customers, from a data protection perspective, you would likely need to obtain an employee’s consent to this unless you can find another legitimate reason or lawful basis for doing so under Article 9. If you do decide to ask for your employee’s consent to sharing this data with a customer, you would need to ensure this was explicitly and freely given, as mentioned above, which would mean the employee would need to be given the option to say no without detriment.

If you’d like advice on any of the issues raised above please email or
