Q Can we make it mandatory for our employees to be vaccinated?
The current legal position in Ireland is such that there are constitutional and other legal barriers that would make it extremely difficult for an employer to implement a mandatory vaccination programme for COVID-19. The Irish constitution provides for a right to bodily integrity; the right to a private life and the right to personal autonomy that would make any mandatory vaccination policies problematic. Article 8 of the European Convention on Human Rights (ECHR) also guarantees the right to a private life. In light of the constitutional and European human rights challenges, it is unlikely that an employer would be in a position to implement a mandatory vaccination programme.
Q Can we ask employees if they have been vaccinated?
The short answer is no, except in very limited circumstances. Employee’s health data constitutes special category personal data under the GDPR. An employer must therefore have a legal basis for processing such data and ensure suitable safeguards are in place. Employers could seek to rely on the processing of this data being necessary to comply with a legal obligation – i.e., the legal obligation to ensure the safety, health, and welfare of their employees under the Act. This would then enable employers to collect this personal data in line with the GDPR and the Data Protection Act 2018 which allows for the processing of special categories of personal data for ‘purposes of public interest in the area of public health’.
The DPC have re-iterated their view that, in the absence of clear advice from public health authorities that it is necessary for all employers and managers of workplaces to establish vaccination status of employees and workers, the processing of vaccine data is likely to represent unnecessary and excessive data collection for which no clear legal basis exists.
Q What about Healthcare staff?
The DPC guidance refers to the Work Safely Protocol and outlines that there are limited set of circumstances in which vaccination should be offered as a workplace health and safety measure. The DPC also identifies that there may be situations, such as for frontline healthcare workers, where vaccination may be considered a necessary safety measure, based on sector specific guidance such as set out by the Irish Medical Council. The DPC quotes the guidance from the Irish Medical Council which states that, practitioners ‘should be vaccinated against common communicable diseases’ and advises that in these situations an employer will be in the position to lawfully process vaccine data based on necessity. Prior to operationalising any activity in this area, employers would need to conduct a data protection impact assessment (DPIA) in advance in accordance with Article 35 GDPR. HSE staff may be re-deployed to a non-patient-facing role where a risk is deemed to exist.
Q Can employers prevent an employee/s from attending the workplace if they refuse the vaccine?
It is an individual’s right to choose whether to be vaccinated. If an employer, having carried out a risk assessment in line with their duties under the Safety Health and Welfare at Work Act, concludes that there is a risk of an employee coming into contact with the virus, or, that there is a risk of putting patients at risk, the employer can consider re-assigning the employee to another role if they are unwilling or unable to be vaccinated. The HSA has helpful guidance on this which can be found here.
Employers should be mindful of any equality implications regarding those who may not be able to get vaccinated. Where an employee decides not to get vaccinated because of pregnancy, religious belief or medical grounds, excluding such employees from the workplace on this basis could give rise to a discrimination claim.
Q Can we impose a disciplinary sanction on an employee for refusing to be vaccinated?
This is generally not recommended. Should an employer seek to assert that a refusal to get a vaccine constitutes a health and safety breach by the employee warranting disciplinary action the employee could bring a number of claims including:
- A claim of discrimination on equality grounds.
- A claim for constructive/unfair dismissal.
- A payment of wages claim, if the employee was unpaid for a period because of their inability/refusal to receive the vaccine.
- A claim alleging unfair procedures in the application of a disciplinary sanction if a full investigation, disciplinary and appeal process has not been completed.
Q Do I have to provide my employee with paid time off to attend a vaccination appointment?
Employers are advised to follow their usual company sick pay/absence policy in relation to attendance at medical appointments. It would be reasonable to allow an employee paid time off to attend a medical appointment and to encourage said appointments to be taken at the start or end of the working day where possible.
Q Can employers request sight of an employee’s Digital Covid Certificate as a means of managing COVID-19 in the workplace?
No, requesting the Digital Covid Certificate (DCC) from employees would not be compliant with data protection law as all three categories of information contained in the DCC are special category data (vaccination status, a negative COVID-19 test result or confirmation of having recovered from COVID-19 in the last 6 months). This would therefore fall foul of the guidance from the DPC on this.
Q After vaccination, are control measures still required?
Yes, control measures will still be required. Vaccination should only be seen as a useful supplement to the correct use of engineering controls, safe working procedures, personal protective equipment, instruction, information and training and should not replace them. Employers should be mindful that some employees might not respond to vaccination (non-responders).
Employers should therefore be mindful that, unless they fall within the limited set of circumstances where vaccination in healthcare settings is considered a necessary safety measure, the general processing of vaccine data is likely to constitute data processing for which is there no legal basis, and therefore incompatible with the GDPR and data protection law.
The advice from the DPC can be found here.