
Data protection implications regarding employees who have had the Covid-19 vaccine

Author: Employment Team

Our Employment Law team have previously discussed whether employers are able to force employees to have the Covid-19 vaccine, considering factors such as time off, consent, health and safety and the definition of a “reasonable management request”. Today, we look more closely at the data protection issues that may arise for employers who wish to maintain a record of which employees have been vaccinated. We cover GDPR and the Data Protection Act 2018, why you may wish to record this information, and practical steps for storing the data and handling objections from employees.

Am I legally allowed to hold information regarding employee vaccinations?

You may be able to process data regarding your employees’ Covid-19 vaccination status under the retained EU law version of the General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.  As with any data you hold about your employees, you must have a legitimate reason for processing vaccination data and you must process it in line with the six data protection principles, which state that the data must be:

  • Used lawfully, fairly and in a transparent way;
  • Collected for specified, explicit and legitimate purposes and processed in an appropriate way;
  • Relevant to the purpose;
  • Accurate and kept up to date;
  • Kept only as long as necessary;
  • Kept securely.

Your employees’ vaccination status relates to their health and is therefore considered “special category” data.  Special category data requires an additional justification under Article 9 of the UK GDPR in order to be lawfully processed. As an employer, you may be able to justify processing your employees’ vaccination status if you can demonstrate that the information is “necessary for the purposes of carrying out the obligations and exercising specific rights […] in the field of employment” or “necessary for reasons of public interest in the area of public health”.

Can I rely on employees’ consent when recording their vaccination status?

Consent is listed in the UK GDPR as a justification for processing special category data.  For consent to be valid it must be freely given, and this may not be the case in an employee/employer relationship due to the imbalance of power. Therefore, you should be able to show that processing your employees’ vaccination status is necessary for reasons relating to your employment obligations or public health, and not rely on employee consent alone.

What action should I take to comply with GDPR?

Before you begin collecting any data regarding your employees’ vaccination status, you should conduct a data protection impact assessment to address questions such as:

  • why you need the data;
  • how long you will hold the data for;
  • how the data will be stored;
  • who will have access to the data.

Why you need to process information regarding employee vaccination status will depend on the nature of your organisation. For example, some employers may use that information to help plan employees’ return to the office.  Employers who operate services for vulnerable people, such as care homes, have an obvious interest in knowing which of their employees are vaccinated and possibly less likely to transmit the virus to vulnerable service users.

If you do have a valid reason for processing data about your employees’ vaccination status, you should collect only the amount of data necessary to achieve that purpose and keep it only as long as is necessary. Try to limit the number of people who have access to the employee vaccination data and ensure that those who do have access understand their obligations to maintain confidentiality.

Your employees should be kept fully informed as to why you need to process information regarding their vaccination status and how you will keep this information secure. Any privacy notices or data protection policy should be updated. 

How do I manage an employee who objects to me storing their data?

Employees have the right to object to you processing their personal data.  If an employee raises an objection to you processing their vaccination status, you should discuss their concerns with them and carefully consider their views.  Ensure they fully understand why you need the data and reassure them that it will be held in confidence. If they still object, you may have to weigh their individual rights against your interests in processing their data.

Data protection can be a confusing area of the law for employers to navigate. The extent to which you may be allowed to lawfully process employee data regarding the Covid-19 vaccine may vary depending on your organisation. To discuss your concerns regarding data protection and the Covid-19 vaccine, you can contact our team on 023 8071 7717 or email


This is for information purposes only and is no substitute for, and should not be interpreted as, legal advice.  All content was correct at the time of publishing and we cannot be held responsible for any changes that may invalidate this article.