Many offices are now opening or planning to open soon with the increasing coverage of COVID-19 vaccines. To ensure the safety of their workplaces, some employers request their employees to submit a vaccination certificate to record their vaccination status. These certificates may ease the process of reopening offices. However, with the introduction of requirements such as vaccine passports, concerns have been raised about the privacy of personal health data and possible misuse. In this article, I will be discussing whether employers can collect vaccination data from their employees.
What makes vaccination certificates a piece of sensitive information?
Put plainly, vaccination certificates are medical records. Medical records fall under the definition of sensitive personal information, as per Rule 3 of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (hereinafter referred to as SPDI Rules).
Article 9 of GDPR considers health data as a special category of personal data. It specifies that a data subject must give explicit consent for the processing of health data. The purpose behind this processing can be for employment, social security, and social protection law. Given the sensitive nature of medical records, they directly touch an individual’s most intimate sphere. The unauthorised access or disclosure of medical records may result in a violation of individual rights and interests.
Some examples where medical records are fraudulently used are:
- Obtaining medical services and other healthcare facilities through identity theft
- Fraudulently claiming the insurance amount
- Selling medical records to a third party
As offices reopen, companies require their employees to receive both doses of their vaccine and submit their vaccination certificates. A vaccination certificate contains name, age, gender, ID verification status, beneficiary reference ID, vaccine name, dates of first and second doses, vaccine location, etc. The Ministry of Health and Family Welfare has also permitted workplaces to conduct vaccination drives.
Can employers ask for vaccination certificates?
Yes, they can. If your employer is an Indian company, they must collect and process this information as per the requirements laid down in the SPDI Rules. In a Gartner poll, only 8% of 227 human resource leaders of various companies stated that they are asking employees to show proof of their vaccination. 36% of participants submitted that they will only require employees to self-report their vaccination. Moreover, 48% of participants said that their company will not track the vaccination status of their employees.
Purpose of collecting vaccination data, retention, and intended recipients
According to Rule 5 of the SPDI Rules, a body corporate shall only collect sensitive personal data for a lawful and necessary purpose connected to a function or activity. Here, if we understand that collecting vaccination data is essential to maintain health and safety standards in the workplace, the law will not impede the employers from collecting it. However, an employer that seeks to collect vaccination certificates will have to fulfill its obligations under the SPDI Rules.
At the outset, they should clearly communicate the purpose of collecting vaccination certificates. For example, it can be to understand the vaccination status of employees before reopening their office. They should specify who will receive vaccination certificates and the duration for which they will be retained. The retention duration should be reasonable, and once the purpose is fulfilled, the stored information shall be destroyed accordingly.
The Personal Data Protection Bill, 2019 also mentions situations when personal data can be processed for employment-related purposes. Such purposes include:
- Providing any service or benefit to employees
- Recruitment/termination of employment
- Performance assessment
Consideration for employers
While employers cannot force employees to share their vaccine certificates, they can advise them to do so or find ways to lure them into giving the information. One such method is offering employees attractive incentives for sharing their vaccination status. A striking example is Walmart. This American multinational retail corporation offers $75 to employees who share proof of vaccination. Such incentives are so attractive that many forget that these records are sensitive personal information.
If a company decides to collect vaccination certificates from its employees, it must comply with the requirements given in the SPDI Rules. An employer must consider the following recommendations:
- Asking whether an individual has taken their vaccination doses can be sufficient. Digging deeper into the specific details may lead to unfavourable situations. For example, an employee may not have taken the vaccine due to medical reasons.
- Employers should avoid strict internal policies regarding the submission of proof. Failure to submit should not affect the position and rights of the employees. If employees are submitting their certificates, employers must put well-defined access-level mechanisms in place.
- Providing sensitive personal information requires the free and express consent of an individual. An employer should ensure that its employees know the purpose behind such an exercise.