Self-isolation, COVID-19 vaccinations and GDPR: employers' questions answered

From Monday 16 August, employees who have been double vaccinated (or are aged 18 and under) will be able to continue to go into their workplaces even if they have been in close contact with someone who has tested positive for COVID-19. 

This blog examines the issues employers need to consider.

From Monday 16 August, do our staff still have to tell us if they've been identified as close contacts of anyone who has tested positive for COVID-19?

That will depend on your policy, and whether they test positive or develop symptoms themselves. If they test positive (or are required to self-isolate because they've been in contact with someone who has), they will have a legal duty to self-isolate for at least 10 days unless they are exempt.

If they have a legal duty to self-isolate, they must inform you of this unless they are working in the place where they are self-isolating (such as their home). 

The Health Protection (Coronavirus Restrictions) (Self Isolation) (England) Amendment Regulations provide that, from Monday 16 August anyone aged 18 or under, or who has been double vaccinated, won't have to self-isolate after being identified as a close contact of someone who has tested positive, unless they also test positive. 

Anyone who isn't exempt will have to continue to self-isolate.

In terms of vaccination status, in order to qualify, the individual must have had their second COVID-19 jab at least two weeks before they came into close contact with the positive case. So, for example, if your employee had their second vaccination on 10 August, they would still have to self-isolate until 24 August if they are identified as a close contact of someone with the virus during that period. 

NHS Test and Trace will continue to notify people if they've been in close contact with anyone who has tested positive and will recommend that they take a PCR test to find out if they also have the virus. They don't have to self-isolate while they are waiting for these results. If they test negative, they don't have to take any further PCR tests unless they develop symptoms. 

Note: close contacts don't have a legal duty to take a PCR test and, if they choose not to be tested, you won't know that they've been contacted (and could be asymptomatic) unless you ask them to notify you if they are identified as a contact of someone with the virus. 

NHS Test and Trace will also inform them that they must self-isolate unless they are exempt under the new rules. 

Does someone who is self-isolating before 16 August 2021 need to continue to self-isolate beyond that date?

That depends on their individual circumstances. 

Anyone who is exempt under the rules can stop self-isolating from midnight on Sunday 15 August. But, if they aren't exempt, they have to continue to self-isolate for the full 10 days.  

Do these new rules also apply to people who are 'pinged' via the Test and Trace app?

No. Currently, anyone who is 'pinged' is advised to self-isolate for 10 days, but they are not legally required to do so. 

We assume that the government will change the wording of these notifications to make it clear that anyone who is pinged doesn't have to self-isolate if they are under 18 or have been double vaccinated. That would bring the advice in line with the new legal rules.

You can read our guidance for employers on the NHS Test and Trace App here.

Do we need to check that our staff are exempt from the duty to self-isolate?

To some extent, that will depend on the nature of your business, how much direct contact individual staff members have with others and whether they work with people who are clinically vulnerable or extremely vulnerable. 

Legally, you aren't under a positive duty to check your staff are exempt, as the duty to self-isolate rests with the individual. But you do commit an offence if you knowingly allow someone who ought to be self-isolating to attend work. Individual company directors and managers also commit an offence if the employer’s breach is found to have been committed with their consent or connivance or through their negligence.

We, therefore, recommend that you clearly communicate how you expect your staff to behave once they have been identified as a close contact of someone with the virus.  

There's still some confusion about the new rules (particularly regarding the need to have received a second vaccination a full two weeks before you can rely on the exemption to avoid self-isolating) so it's helpful to communicate this clearly to your workforce. This point is particularly important if your organisation engages younger people, who were the last in the queue for vaccinations, as many won't have had their second jabs yet. 

Make it clear to your staff that if they come into work after receiving a notice to self-isolate, they are confirming that they are legally exempt from the duty to self-isolate and have taken a PCR test which is negative. And, if they do come into work when they should be self-isolating, you will treat it as a serious disciplinary offence, which may result in their dismissal.

Please see the answer to the question 'Can we ask our staff if they've been vaccinated?' below for information about the GDPR and data protection issues you need to consider.

Can we compel staff to come into work if they are exempted from the requirement to self-isolate?

Potentially, yes. If they fall within one of the exemptions, they do not legally have to self-isolate unless they test positive, and they remain under a duty to come into work unless you agree they don't have to. However, if they refuse, you will need to consider their reasons for doing so before taking any action against them to avoid potential constructive unfair dismissal claims, automatic unfair dismissal claims (if they are worried that their workplace poses an imminent threat to them or others there) and, possibly, discrimination claims if they are vulnerable or live with someone who is.

Although fully vaccinated people are much less likely to catch the virus than those who are partially vaccinated or unvaccinated, if they can work from home, you may wish to allow them to do so. This will reduce the risk that they may develop COVID-19 and spread it around your workplace. 

The government's press release says this:

'As double jabbed people identified as close contacts are still at risk of being infected, people are advised to consider other precautions such as wearing a face covering in enclosed spaces, and limit contact with other people, especially with anyone who is clinically extremely vulnerable.'

Can we ask our staff if they've been vaccinated?

Yes, potentially, but you would be collecting personal data and, as it is health data, it is also special category data (which gets even more protection). There are therefore data protection issues to consider.

The ICO has published guidance on 'Vaccination and Covid Status Checks' which states that: 'before you decide to check people’s COVID status, you should be clear about what you are trying to achieve, and how asking people for their COVID status helps to achieve this'. In addition, 'your reason for checking or recording people’s COVID status must be clear, necessary and transparent. If you cannot specify a use for this information and are recording it on a ‘just in case’ basis, or if you can achieve your goal without collecting this data, you are unlikely to be able to justify collecting it'.

In the context of the changes to the law coming into force on Monday 16 August, the reason for collecting this information is clear where you have staff on site: you will need to ensure that your staff are legally able to come into work after being in contact with someone who tests positive. In addition, you may need this information to protect other staff on site. 

But, as is so often the case with data protection, it is very context driven and the current ICO guidance suggests that you consider 'the sector you operate in, the kind of work your staff do and the health and safety risks in your setting'.

What this will mean is that if your staff are working from home, it is unlikely that you will have a reason to collect the information as you don’t need to check whether they can come on site and they won’t be a health and safety risk.

One point to bear in mind is that the ICO guidance hasn't been updated to reflect the new rules on self-isolation. We therefore recommend that you keep checking the guidance, and take action if the ICO's advice changes.

What evidence can we rely on to check our employees' COVID vaccination status?

You can rely on the official NHS COVID Pass Verifier app or the existing online COVID Pass service, or you can check an individual’s NHS COVID Pass letter.

In addition, unless you are legally required to check the vaccination status of your staff, you can also view their NHS vaccination appointment card. 

What legal basis can we rely on to process this information and how long can we retain it?

UK GDPR applies to the ‘processing’ of personal data. If you are only conducting a visual check of COVID Passes (either a hard-copy document or a pass held on a digital device) and do not retain any personal data from it, this won't constitute ‘processing’. The activity would therefore fall outside of the UK GDPR’s scope.

However, if you are conducting checks digitally (for example, by scanning the QR code displayed on the pass), this would constitute processing of personal data – even if you do not keep a record of it. The UK GDPR would therefore apply. Similarly, if you note the information on the employee’s HR file or some other record, then you will be processing personal data and the UK GDPR would apply.

UK GDPR requires that your use of this data must be lawful, fair and transparent. It should also be limited to that which is relevant and necessary for a specific purpose and comply with GDPR and data protection laws.

The first hoop to jump through is to consider whether the use is lawful i.e. do you have a legal basis to process the personal data? This will involve both an assessment of the usual bases under Article 6 such as legitimate interests or compliance with laws and, also, an assessment of the additional conditions in Article 9. The reason Article 9 is in play is because vaccination status is health data.

The most relevant Article 9 conditions in this context are:

  • The employment condition (Article 9(2)(b)) where processing is necessary to ensure the health, safety and welfare of employees; or
  • Legal claims (Article 9(2)(f)) where processing is necessary for the establishment, exercise or defence of legal claims. This would include retaining the information to defend any claim that your organisation (or individual directors) allowed staff who were legally required to self-isolate to come into work in breach of COVID regulations. Similarly, you may also be able to rely on this condition if you are concerned that other employees or members of the public coming into contact with them at work might sue you for personal injury if they caught COVID-19 as a direct result of that contact.

In both cases, you would only be able to rely on these conditions if you are collecting the vaccination status of people who are on site and coming into contact with others. As mentioned above, you won't have a legal basis you can rely on to obtain information about employees who work from home, or those who work alone.

You also can't rely on consent for GDPR purposes. It is difficult to rely on consent in the employment context generally and the ICO has said that it should not be used here.

Are there any other data protection issues we need to consider?

Yes. You must minimise the data you collect and only record what you actually need. You can’t collect personal data 'just in case'. So, in the context of someone's vaccination status, you will only need to capture whether they have been fully vaccinated (probably via recording 'yes' or 'no') and indicate whether their second vaccination took place at least two weeks before you recorded that information. You don't need to know what type of vaccine they received, or the reasons why they chose not to be vaccinated.

Similarly, to avoid the allegation that you have collected the data 'just in case', you should, ideally, not collect everyone’s information in readiness for 16 August. Instead you should collect it when you need it e.g. when someone calls in to ask whether they can come into work or whether they need to self-isolate. Whilst there is some complexity around whether you can ask for vaccination status, what is clear is that you can require your staff to tell you when they are required to self-isolate. You can then ask them about vaccination status if they tell you that they are required to self-isolate.

As with all personal data you need to make sure that the information is recorded accurately and kept up to date. You shouldn't keep it for longer than necessary. This will be judged by reference to the reason you collected it in the first place.

Finally, you will need to be transparent about how you are using the personal data and either issue an update to your employee privacy notice or issue a standalone explanation of how the data will be used.
