The continued success of the nationwide rollout of the COVID-19 vaccine is undoubtedly a cause for celebration and tentative optimism. However, this also poses new challenges for employers in ensuring a safe workplace for their workers and for those who visit their premises. Indeed, some employers are considering making having a vaccination a contractual obligation for employees as we move further along the roadmap to recovery.

Can employers force employees to have the vaccine, and what can be done if an employee either refuses or cannot be vaccinated? Here, we set out a short guide to these issues, along with some key data protection considerations for employers.

Can an employer require that employees get the COVID-19 vaccine?

In short, this is a high-risk approach. The vaccine is not required by law, and there may be many valid reasons why an employee cannot be vaccinated. ACAS guidance also notes that employers should support employees to get the vaccine, but cannot force staff to have it.

The key issue that rears its head is discrimination. There are employees who should not, or may not want, to receive the vaccine who may fall within one or more of the protected characteristics under the Equality Act 2010. This those with certain health conditions, e.g. allergies, religious or perhaps even philosophical beliefs. A mandatory vaccination policy, without carve-outs or exceptions would certainly leave employers open to the risk of indirect discrimination claims. If such a requirement was indirectly discriminatory, the employer would need to be able to justify its position which may be difficult if it adopts a blanket approach.

Can an employer dismiss an employee for refusing the vaccine?

Discrimination aside, employers who do not dismiss an employee for one of the five potentially fair reasons are at risk of unfair dismissal claims from employees with qualifying service. If an employee refuses to be vaccinated, or cannot be vaccinated and there is a contractual obligation to do so, can an employer fairly dismiss them? Our view is that this is unlikely.

A contractual obligation to be vaccinated is not likely to be reasonable unless it is essential and necessary for the employee to carry out their role. With the notable exception of employees in a high-risk healthcare environment (and even then on a fact specific basis), it is doubtful that an employer could argue this is necessary, and that an employee’s refusal was a reason serious enough to be misconduct or a substantial reason justifying dismissal.

What can employers do?

Although the vaccine rollout is now well underway, the impact of the vaccine is still in its early stages so employers should avoid hard-line policies and knee-jerk reactions. A supportive attitude to vaccination is much safer and likely to be more productive than a heavy-handed and reactive approach requiring contractual obligation. If an employee cannot have the vaccine or refuses it, an employer should consider what alternatives are available. Employers have an obligation to ensure the health and safety of their staff at work, so staff who cannot have the vaccine should keep other distancing measures, and have regular testing.

Data protection considerations

In addition to any employment law considerations, it is also important for employers to consider the data protection implications of this issue. In processing personal data, employers need to comply with data protection laws and do so lawfully, fairly and transparently. Records held about employees’ health fall under the category of special category data (so require additional safeguards). As with the processing of all special category data, employers must identify both a lawful basis under Article 6 of the UK GDPR and a condition for processing under Article 9 of the UK GDPR. If they cannot do so, any processing will be in breach of the UK GDPR.

Any employer considering implementing a vaccine monitoring or testing programme will likely be implementing a new process in the business and be processing health data – they should therefore conduct a DPIA (Data Protection Impact Assessment) to assess any new areas of risk. The DPIA will assist in working through whether they need to collect the information and in demonstrating what the grounds for processing the special category data would be. As the collection of special category data requires additional safeguards, it will also assist in examining what those additional safeguards would look like – so not just additional security per se, but who would be able to access the information (perhaps on a need-to-know only basis) and what the information would be used for. Employers may also need to update their employee privacy notice to reflect the new activity, including how long it will be kept for and whether there was a need to update their data protection policies and procedures and a record of processing activity.

As the recovery from the pandemic continues and the rate of vaccination increases, we expect to see vaccination requirements more and more, and no doubt it will soon be tested at an Employment Tribunal. To avoid your business being the test case, you should consider your policies carefully and take advice as early as possible.