The Office of the Information and Data Protection Commissioner (the “IDPC”) has recently issued a guidance document (“Guidance Document”) addressed to employers based in Malta, acting as data Controllers 1In accordance with the GDPR, the Data Controller is a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. (“Controller”), intending to collect information on the COVID-19 vaccination status of their employees.
Controllers are encouraged to adopt a risk-based approach and therefore prior to commencing the processing 2‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restruction, erasure or destruction. activities, the employer should conduct an assessment on the impact of the prospective processing activities to ensure that the data protection principles found in article 5 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the Protection of natural persons with regard to the processing of personal data and on the free movement of such data, (General Data Protection Regulation) (the “GDPR”) are adhered to. Should it transpire that the processing of such information is unduly cumbersome upon the rights and freedoms of the data subject 3an identified or identifiable natural person (the “Data Subject”), it is within the Controllers’ duty to carry out a fully-fledged data protection impact assessment in terms of Article 35 of the GDPR.
Pursuant to Article 5(1)(a) of the GDPR, personal data shall be processed lawfully, fairly and in a transparent manner in relation to the Data Subject. In accordance with Article 9(1) the collection of employees’ vaccination status, constitutes the ‘processing of special categories of Personal Data’ 4Special categories of personal data means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. Prior to the adoption of the GDPR, special categories of personal data were commonly referred to as ‘sensitive data’. and whilst the collection of such data is generally prohibited, Article 9(2) of the GDPR provides for certain exemptions.
In order to adhere with the principle of ‘lawfulness’, the Guidance Document recommends that employers (qua Controllers) could possibly rely on the exemptions catered for under Articles 9(2)(h) and (i) of the GDPR, that is, where the processing is necessary ‘for the purposes of preventive or occupational medicine’ and/or where the ‘processing is necessary for reasons of public interest in the area of public health’. However, in so doing, the duties imposed on Controllers under the GDPR should be scrupulously followed. It should be noted that ‘consent’ is not a valid legal basis in the employment context, as there is an imbalance of power between the employer and employee, and therefore consent cannot be considered to be freely given.
Additionally, in keeping with the ‘fairness’ and ‘transparency’ principles, data regarding the employee’s vaccination status should not result in unfair, discriminatory or otherwise unjustified treatment of employees and Controllers must also ensure full transparency throughout the processing activity by updating any internal data protection notices. Other important principles to keep in mind, include ‘purpose limitation’, ‘data minimisation’, ‘accuracy’ and ‘storage limitation’.
In recognition of the highly sensitive nature of such information, the security risks attached to the collection of such data must also be considered by Controllers and therefore appropriate technical and organisational measures should be implemented to counteract these risks.
The Guidance Document may be viewed here