Collecting and Processing Vaccination Data in the Workplace

PUBLISHED: 30th June 2021

Photo to illustrate article

The Data Protection Commission Issues Guidance. Ciara O'Kennedy explain.

With the pending return to the workplace for many employees, some clarity for employers has been provided by the Data Protection Commission’s (DPC) recently published Guidance Note on the processing of COVID-19 vaccination data in the employment context.

In the Guidance the DPC sets out its general position:

in the absence of clear advice from public health authorities in Ireland that it is necessary for all employers and managers of workplaces to establish vaccination status of employees and workers, the processing of vaccine data is likely to represent unnecessary and excessive data collection for which no clear legal basis exists.

The DPC states that the processing of health data during the COVID-19 pandemic should at all times be guided by the Irish Government’s public health policies. It notes that the most recent version of the “Work Safely Protocol” suggests that there are  limited circumstances where vaccination should be offered as a workplace health and safety measure.  Vaccination may also be considered to be a necessary safety measure in circumstances such as the provision of frontline healthcare services.  According to the DPC, such employers could lawfully process vaccination data on the legal basis of necessity.

What is necessary?

Of particular concern to the DPC is the principle of data minimisation under Article 5(1)(c) of the GDPR.  Its Guidance recommends that employers should continue to implement public health infection and control measures to maintain workplace safety, which are set out in the “Work Safely Protocol"  and avoid any unnecessary processing of the personal data of employees.  These measures do not require employers to have knowledge of their employees’ vaccination status.

GDPR and special category personal data

The vaccination status of an individual falls under special category data under Article 9 of the GDPR and is afforded additional protection under data protection legislation because it also forms part of an individual’s health record.  The DPC stresses the voluntary nature of the COVID-19 vaccination, suggesting that this adds weight to the recommendation that a COVID-19 vaccination should not generally be considered a necessary workplace safety measure.  The DPC also notes the lack of control that employees have in the receipt of COVID-19 vaccinations because it is dependent on their age and medical conditions (if any), for example.  As a result, therefore, processing vaccination data in the employment context is unlikely to be necessary or proportionate from a data protection perspective. 

The Guidance Note explicitly references the power imbalance between an employer (as the data controller) and employee (as the data subject) and recommends that employees should not be asked to consent to the processing of vaccination data because such consent may not be freely given. 

Infectious diseases

However, the DPC draws attention to the situation where a Medical Officer of Health in carrying out their duties under the Infectious Diseases Regulations 1981 (as amended) may require access to the vaccination status of employees from employers.  The DPC states that this processing is permitted where it is carried out on a case-by-case basis at the request of a Medical Officer of Health and determined to be necessary.


Finally, in the context of travel, the DPC recommends that keeping a record of an employee’s COVID-19 vaccination status should not strictly be necessary but rather an employer can request from an employee the date on which they will return to work (following a period of self-isolation, where necessary).


This Guidance is welcome in light of a growing number queries as to the lawful collection and processing of information about the COVID-19 vaccination status of employees by employers.  It is of course subject to review in the context of constantly evolving public health advice and regulations relating to  the COVID-19 pandemic.

For more information, please contact Ciara O'Kennedy at

By using this website you allow us to place cookies on your computer. Our cookies do not personally identify you.