Let’s consider a scenario. You’re 24. You live in a busy three-bedroom house with your parents and two siblings. You’ve been hired at the multinational where you interned but have neither been to the office nor met your colleagues.
Like the rest of your family, you are double-jabbed, but you also worry about keeping your ageing parents safe.
You may feel safe to assume that following a successful vaccine roll-out, you can return to the office secure in the knowledge that your colleagues will also be vaccinated. You would assume wrong.
Employers and their staff are still waiting for the mass return to offices, but the answer to the question of who has been vaccinated and who has not remains unclear.
The problem centres on guidance from the Government’s Work Safely Protocol published in May and subsequent guidance from the Data Protection Commission.
“That guidance said, in the absence of direction or policy from the Government, there’s no legal basis for the processing of vaccination-related data of employees because it’s a sensitive category,” says Melanie Crowley, employment law partner at Mason Hayes Curran.
“That’s a fancy way of saying that you can’t ask if employees are vaccinated or not.”
This has left employers in difficulty when it comes to return-to-work arrangements.
“We have a situation where an employer gives staff time off for vaccination and takes them for a meal in a restaurant where they need their vaccination certificates,” says employment law specialist Richard Grogan.
“That employer cannot retain that information in the workplace, so has to assume nobody is vaccinated and put health and safety assessments in place on that basis.
“So we have the crazy situation where an employer cannot ask the question, and we’re left going back to the two-metre rule.”
In the absence of further clarity from the Government, one solution could be implementing antigen or PCR testing for everyone. Could that compensate for workplace vaccination gaps?
“It does partially compensate,” says Kingston Mills, professor of experimental immunology at Trinity College Dublin. “At one stage, Covid certificates were going to include negative tests as another means of enabling activity.
“That would be a second-best philosophy. The testing has to be 100pc implemented, and getting compliance is not that straightforward.
“We’ve spoken to companies which implemented testing whereby if you test negative twice, you can come to work.
“For those that aren’t vaccinated, for whatever reasons, if they got tested twice a week with rapid testing, that would be a good fallback. But it’s still second-best to everyone being vaccinated.”
In the context of a pandemic, when even dating apps offer vaccination badges and many are posting their vaccine dates on social media, the classification of vaccine status as “sensitive” may seem like pearl-clutching.
Jevan Neilan, data protection partner with Mason Hayes and Curran explains why what might seem inconsistent could make sense in practice.
Neilan says there is a proportion of individuals who are not OK with vaccination.
“By not protecting that status, those individuals may feel aggrieved by having to explain or defend their choices,” Neilan tells Review. “Therefore, it’s something personal to somebody. We used the example before of whether someone supports a particular political party, something which is specifically afforded a special category status. In many contexts, membership of a political party might not be divisive or especially sensitive, but it can be. Regulators now are much more open to viewing vaccination status as falling within a special category of data because of the sensitivity of that issue and the associated personal health choices.”
The UK equivalent of our DPC, the Information Commissioner’s Office, has suggested interpreting the rules in a way to allow for vaccine checks. They define “processing” in a different way.
“If you are only conducting a visual check of Covid passes (either a hard-copy document or a pass held on a digital device) and do not retain any personal data from it, this would not constitute ‘processing’,” its website states.
Scanning QR codes could constitute a breach, however. Could the same interpretation be applied here?
“The verification or checking of vaccine documentation by an employer is likely to constitute the processing of special category personal data, in particular where a mobile app may be used to verify a QR code or any record is made of the checking of a vaccine certificate or of any related information,” a spokesperson for the Data Protection Commission tells Review.
But perhaps it’s not for the DPC to fix this one alone. The commission says the “guidance is intended to be reflective of the current advice of public health authorities and it will be subject to review as the public health approach and legal frameworks develop in relation to the processing of vaccination data.”
Or as Richard Grogan puts it, succinctly: “The Government, Nphet, the Health and Safety Authority and the Data Protection Commission need to get together and determine how we’re going to get people back without breaking the rules. Because what we have at present is a complete mess.”