Vaccines are made mandatory for healthcare workers, but data privacy must be prioritised

10th Jan, 2022

On the 6th January 2022 the Department of Health and Social Care laid out regulations that amended the Health & Social Care Act 2008*.

This regulation mandates compulsory Covid-19 vaccinations for specific staff groups within the health sector, as defined nationally. These new regulations will come into force on 1st April 2022 which means that workers will need to have received their first dose by 3rd February 2022 in order to be fully vaccinated by this date, unless legally exempt.

Health sector staff as defined in the ‘Immunisation Against Infectious Disease’ (Green Book) are already required to demonstrate that they have been vaccinated against a number of conditions. In some ways, this is a logical continuation of existing practices, but even so this is highly contentious as the scope is to be expanded to other staff groups. As a result, health organisations will now need to implement completely new processes and start what may feel like uncomfortable conversations with employees.

The regulations could introduce serious consequences for individuals employed within the health sector. If staff choose to not be vaccinated there is a risk of job losses, particularly for specialist staff where there is no option to redesign their roles or redeploy them. Additionally, the regulation could prevent a person being recruited to a role due to their Covid-19 vaccination status.

A recent report by the House of Lords Secondary Legislation Scrutiny Committee highlighted that there are no contingency plans to cope with the expected job losses resulting from unvaccinated staff within the health sector. This is likely to attract additional recruitment costs and cause potentially major disruption to the health service. As of 2nd December 2021, the National Immunisation Management System (NIMS) database* recorded that 90.7% of NHS Trust health care workers had received 2 doses of the vaccine. This figure is likely to increase, as the database does not hold information for all staff groups, only those that are paid via the NHS Electronic Staff Record (ESR).

Guidance was issued by the NHS to healthcare providers on 6th December 2021 advising them to prepare for the regulation, a full four months before the regulation comes into force. Further guidance is expected to be issued this week.

I will explore the data protection issues associated with the deployment of health workers and how data privacy fits.

Where does data privacy fit in deploying compulsory vaccination as a condition of deployment?

Considering data privacy at the outset is essential due to the impact on an individual’s human right to a private life. In general, data protection and employment legislation is designed to protect individuals from discrimination on the basis of their health status, so Covid-19 vaccination as a condition of deployment is a significant departure.

Compulsory vaccination has the potential to dramatically change how unvaccinated people live and where they work. The impact on individuals needs to be balanced against the public health risk of Covid-19 transmission and this is where data privacy must be considered.

Collecting sensitive data from staff for such a purpose means that employers must gather, analyse and use the information, potentially to dismiss a member of staff who remains unvaccinated. This is where data privacy must be carefully considered and balanced against the needs of the organisation.

What could be the data privacy risks in collecting and using vaccination data in the health sector?

Health data, including vaccination status, is ‘special category’ data under UK GDPR and requires extra protection. Processing special category data is privacy intrusive and attempts to collect this information by the employer could lead to individuals declining to disclose their vaccination status, given that the information could be used to decide whether the individual stays in employment. Whilst employers in the health sector now have a legal obligation to collect this data, not just of their current workers, but of new recruits too, individuals will still have the right to decline to provide the information and organisations would need to consider how to overcome this challenge.

Employers need to ensure that, in rolling out Covid-19 vaccination as a condition of deployment, data protection obligations have been carefully considered from the start. This includes considering the risk of discrimination if the staff groups in scope are not clearly defined. Groups could include suppliers, independent providers, and students/trainees who are not included within existing HR records because they are not paid via the organisation's payroll. These groups could have face-to-face contact with patients or service users, or could be entering areas used for the provision of a Care Quality Commission (CQC) regulated activity, which may result in incidental patient contact. As these staff groups are difficult to identify because the information is not held centrally, they could potentially continue to work while their peers are redeployed or dismissed. This issue must be considered at the outset.

Vaccination status data may also need protecting from unauthorised internal access, to prevent the risk of discrimination and other adverse consequences.

What should the health sector do to avoid these risks?

Organisations must complete a Data Protection Impact Assessment (DPIA) to help them consider the potential risks to individuals of planned compulsory vaccination processes, and to define and design the controls necessary to address them. This way employers can ensure lawful processing – ensuring that the minimum amount of data is used for the purpose, that data is not retained for longer than necessary, and that it is safeguarded appropriately.

As well as undertaking a DPIA, it is best practice to complete a local Equality Impact Assessment as defined within the NHS England guidance. This assessment will enable the organisation to consider where there is a potential risk of discrimination and take appropriate action to mitigate the risk.

The most important element is to demonstrate transparency, fairness and openness: to communicate with staff how their information is being used and to allow them to exercise their individual rights. These may include the right to restrict processing where the employee wants to challenge the accuracy or completeness of data, or the right to object to processing. In the latter case, the organisation will need to consider whether it has compelling legitimate grounds for the processing which override the interests, rights and freedoms of the individual. A robust communication plan and supportive materials should also be developed to reassure staff, with transparency at their core.

In many organisations, introducing compulsory vaccination may be a sensitive process. It is essential that the organisation carefully considers the messages it sends to employees about how their needs and rights are considered.

Deploying a sound privacy management framework demonstrates that the organisation takes data privacy seriously, in an open and transparent manner, which enables it to successfully navigate a difficult set of circumstances.

If you would like to get further information or talk to one of our experts then please do not hesitate to contact us at

* data published by NHS England


Llinos Bradley

Principal Consultant - Data Privacy
