This article explores the current rules and changes to self-isolation requirements and what this means for employers as well as examining if it might be better for employers to seek voluntary disclosure of a vaccination status from employees.
What are the current rules on self-isolation for employees and employers?
At present, in England (under the Health Protection (Coronavirus, Restrictions) (Self-Isolation) (England) Regulations (SI 2020/1045) it still remains an offence:
- For a worker who has been asked to self-isolate by NHS Test & Trace to unreasonably fail to self-isolate (subject to a fine of between £1,000 and £10,000); and
- For an employer to knowingly allow a worker who has been asked to self-isolate by NHS Test & Trace to come into work when aware that the worker is required to self-isolate (subject also to a fine of between £1,000 and £10,000 as well as liability under the Health and Safety at Work Act 1974 for failing to provide a safe place of work).
Many employers, aiming to practically create a safe workplace and demonstrate efforts to comply with their statutory duty to do so, have created clear policies for staff setting out expectations for employees to notify them if they have been contacted by NHS Test & Trace (or, indeed by the NHS Covid-19 app which leads only to a recommendation to self-isolate and not the same legal requirement). Usually these policies will be clear about what an employee will be paid where required to self-isolate; workers will be entitled to SSP from day 1 where contacted by NHS Test & Trace and some employers are willing also to allow employees to take annual leave or to pay some form of enhanced sick pay to cover self-isolation (although the sheer volume and repeated periods may have run the coffers dry in this respect for some employers).
It is worth noting that the government has also updated guidance to exempt those who ae providing critical services from self-isolation requirements when notified of contact with a positive Covid-19 case. The exemption is narrower in practice than the headlines may have suggested though, with the employee currently needing to be specifically named on a letter from a government department confirming they are in scope in order to qualify for the exemption.
What about positive cases in the workplace?
Updated working safely guidance contains a requirement for employers to notify the relevant local authority of all positive cases in the workplace
What is due to change in relation to self-isolation on 16 August 2021?
From 16 August, individuals that are fully vaccinated will no longer be required to self-isolate if they are identified as a close contact of someone who has tested positive for Covid-19. If identified as close contacts, double vaccinated individuals will still be advised to take a PCR test, to detect the virus and variants of concern. Where an individual tests positive for Covid-19, they will still be legally required to self-isolate (regardless of their vaccination status).
Therefore, the proposed changes from 16 August will be a derogation from employees being obligated to self-isolate if told to do so by NHS Test & Trace. However, there will be no derogation from employees being required to self-isolate if they have received a positive Covid-19 result.
It is unclear how this will interact with the employer's duty not to knowingly allow a worker to come into work when required to self-isolate – for example, whether an employer will simply be expected to rely on the information provided by an employee about whether they do, or do not, have to self-isolate after being contacted by NHS Test & Trace.
Are the 16 August self-isolation rule changes already legally in force?
No. The proposed changes have not yet been implemented in legislation and we expect that legislation and further guidance will be issued before 16 August. Even the date seems relatively uncertain, with the business secretary (Kwasi Kwarteng) reported to have said this will be reviewed on the data one week before it is proposed to come into effect.
Is there any further guidance for employers?
No. The government's latest guidance on working safely during Covid-19 has not yet been updated to reflect the proposed changes on 16 August, nor does it provide employers with any guidance on dealing with employees' vaccination status (and whether and/or when the government would suggest it is helpful for an employer to factor this into their health and safety risk assessments and plans).
Can employers ask employees to tell us or prove their vaccination status?
You may be able to ask employees to do so voluntarily (either directly or via the NHS Covid Pass) – but there are significant data protection risks to consider first before you jump in. You would need to be confident that you have a compelling reason for doing so (and that the risk you are seeking to address cannot, for example, be adequately controlled by continued social distancing and hygiene measures).
To comply with data protection requirements, you need to have a 'lawful basis' for processing the information relating to vaccination status. The ICO's guidance does helpfully make it clear that "if there is a good reason for checking people's COVID status, it is highly likely there would be an appropriate lawful basis for processing it" (our emphasis added). It's important to note that the relevant guidance was drafted by the ICO with COVID status related information in mind, rather than vaccination status – clearly it's easier to justify the collection and recording of COVID status related information given the more direct and immediate risk to others in your workplace. The processing of vaccination status data will (as a matter of common sense as well as technical legal interpretation) be harder to justify given that this information: (i) may be considered more personally sensitive or private; and (ii) is often not as obviously and directly related to risk to your workforce or customers. The relevant 'lawful basis' as required by data protection law is likely to be (depending on your 'good reason' for needing to collect vaccination status data) related either to compliance with your (health and safety related) legal obligations as an employer or, in some cases, your legitimate interests. Since vaccination status will be health data (i.e. considered to be worth extra protection as a matter of law), you will also need to meet an additional condition for the processing. The ICO suggests the most likely conditions will be either:
- The employer condition - that processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller in the field of employment law (and it's worth noting that "necessary" is a high standard here – it's much more than just convenient or interesting or nice to have); or
- The public health condition – that processing is necessary for reasons of public interest in the area of public health. However, in order to rely on this condition, processing has to be carried out under the responsibility of a health professional or someone who owes a legal duty of confidentiality (i.e. in reality, this option is likely to be of relatively limited value to most employers).
The guidance from the ICO is quite clear, therefore, that you would need to be confident you can justify asking employees for vaccination status by reference to your legal obligation as an employer to conduct risk assessments and take appropriate health and safety measures with regard to the workplace (and certainly not for example because you want to refer to it in marketing campaigns!).
The potential for confusion created by the relaxation of the self-isolation rules on 16 August could potentially provide businesses in England with a stronger rationale for collecting vaccination data (because otherwise businesses are relying on employees who may not get full pay voluntarily continuing to fully comply with legal self-isolation requirements). Knowing who is (and critically, who isn't) vaccinated will enable a business to ensure that self-isolation rules are being complied with in their new form, and that PCR tests are taken as appropriate to reduce risk before a doubly vaccinated "close contact" contacted by NHS Test & Trace returns to work. However, our view (at this stage at least) is that this factor taken on its own is unlikely to be a good enough reason to justify collecting vaccination status related information for the purposes of data protection law. Waiting for clarification from the government as to updated guidance ahead of 16 August might be worthwhile if you're not yet clear that you have a good reason for seeking the information.
Where you are satisfied or close to being satisfied that you have a genuine need to collect employee vaccination data (which cannot be more proportionally met using another less intrusive approach), you will still need to manage the data protection risk and a Data Protection Impact Assessment (DPIA) will be mandatory in almost all cases given the potential risks to employees. A good DPIA will help you not only to 'test your thinking' in terms of whether or not your reason to collect the data is good enough, but it will help you to identify and mitigate risk and will also serve as a vital tool to demonstrate "accountability" (the backbone of GDPR) should your decision to check/record vaccination status ever be subject to challenge. We can be very confident that if this issue ended up in the Information Commissioner's inbox, one of the investigating officer's very first requests would be "show me your DPIA, and if you haven't completed one, show me your documented reasons for not having done so". As such, we strongly recommend that you take the time to ask yourselves the tricky questions about employee vaccination data up-front and document your 'thinking' in a robust DPIA.
Before collecting the information you will also need to consider your obligation to be transparent with employees, ensuring that they understand why the information on vaccination is being sought, how it will be stored, how long you will keep it for and who will have access to is. This information could be delivered through a specific privacy notice or other written communication.