News and Events

Can I ask my employees if they've been vaccinated?

View profile for Employment Team
  • Posted
  • Author

As employees begin to return to the workplace, many employers may want to know who in their workforce has been vaccinated against Covid-19. Employers planning on asking employees for this information must ensure they have a clear and necessary reason and that they implement appropriate safeguards to protect this data.  Our Employment Law team reviews this topic and explains the situations when employers may be able to request this information, how they process that and how long they store any details regarding this.

Vaccination data and General Data Protection Regulation

As with all employees’ personal data, you must have a lawful basis under Article 6 of the UK General Data Protection Regulation (GDPR) for collecting and processing employees’ vaccination status. Most employers will likely rely on “legitimate interest” as the lawful basis which requires them to show they have a legitimate interest and that processing the data is necessary to achieve it, taking into account the employee’s interests, rights and freedoms.

Guidance from the Information Commissioner’s Office (ICO) states that the following are all relevant factors employers should consider when deciding whether or not they have a legitimate reason to record employees’ Covid-19 status:

  • sector of work,
  • the type of work carried out by staff, and
  • the health and safety risks in the workplace.

It may, for example, be necessary to record vaccination status where employees work with clinically vulnerable people, or where they work in an area where they are at a greater risk of contracting the virus.

For sectors where vaccination is, or will be, mandatory, such as care homes, employers may also be able to justify processing employees’ vaccination status on the basis that it is necessary to comply with their legal obligations.

Consent is another lawful basis for processing personal data under Article 6. However, ICO guidance states that consent will rarely be appropriate in an employment setting because of the imbalance of power between the employee and employer.

Identify an additional condition under GDPR

Vaccination status is “special category” data meaning that you must meet an additional condition listed under Article 9 of the UK GDPR. You may be able to claim that the processing of employee vaccination status is necessary for carrying out rights and obligations connected with employment, such as ensuring the health and safety of all workers and providing a safe work environment.

Another condition employers may rely on is that processing the data is necessary for reasons related to public health, such as determining whether, after 16 August 2021, it is necessary for an employee to self isolate after receiving a notification from the NHS test and trace app.

Use of employee vaccination information

You must inform your employees of the specific reasons why you are collecting and recording their vaccination status. In accordance with data protection principles you must only use this information for the purposes for which you collected it and you must also ensure that employees are not subject to less favourable treatment because of their vaccination status.

You should consider whether your purpose for collecting the vaccination data could be served by collecting anonymised data. Anonymised data is not subject to the UK GDPR and may be sufficient where, for example, you want to gauge the vaccination levels and risk of infection in your workplace as part of a health and safety risk assessment. You must however make sure that the data is truly anonymised, meaning it is incapable of being used to identify an individual employee.

Retention of vaccine information

Your employees’ vaccination status should be kept for no longer than is necessary for the purposes for which you collected it and this should be kept under constant review. If you have to keep this data longer than you anticipated you should inform your employees and explain your reasons.

You must also ensure that the data is kept securely with appropriate security measures in place and that only a limited number of people are able to access it.

If you have questions about employee vaccinations or about your data protection responsibilities, contract our Employment Law Team on 023 8071 7717 or email

To receive regular Employment Law updates from the team regarding recent tribunal cases and legislation updates, you can subscribe to our weekly Employment Law Newsletter by completing our subscription form or emailing us at


This is for information purposes only and is no substitute for, and should not be interpreted as, legal advice.  All content was correct at the time of publishing and we cannot be held responsible for any changes that may invalidate this article.