As Cayman continues to press to get the vast majority of its residents vaccinated against COVID-19, questions are arising on whether public health needs and regulations trump privacy concerns.
Put simply, does legislation that protects the health of employees in the workplace take precedence over the Data Protection Act, which safeguards workers’ private information, such as medical records?
That is a question HSM law firm paralegal Cory Martinson looked at recently, and considered whether, in light of the Data Protection Act, employers can record vaccine statuses. It turns out the answer isn’t a simple yes or no.
In his analysis of the issue, Martinson says the Data Protection Act “absolutely” applies when it comes to any information relating to an employee.
“Vaccination information is medical data which falls under the definition of sensitive personal data in the DPA which means an employer must meet stricter legal requirements before processing,” he says. “Processing is broadly defined as recording, holding, obtaining or carrying out any operations on the personal data.”
Under the Data Protection Act, “stricter legal requirements” mean that an employer must identify a legal basis when it comes to processing sensitive personal data.
That legislation stipulates that employers must ensure that employees are made aware of why their data is being collected, who will see it, and how the data will be used.
The more sensitive the personal data, the more security is required to ensure against unlawful processing, Martinson says. Security steps can include policies and access controls, as well as technical and physical measures.
The appropriate legal basis for processing such data varies depending on the specific employer, the employee’s position within the organisation, and any legal framework to which the employer must adhere. For example, Martinson says, there will be a stronger legal basis for knowing the vaccination status of a nurse working in an intensive care unit than that of a dump truck driver.
“Legal frameworks will be employment sector specific but the Labour Act (2021 Revision) has a general requirement under section 58 that ‘Every employer shall ensure so far as is reasonably practicable the health, safety and welfare at work of that person’s employees,’” he says.
While this may provide a legal basis for processing personal data, “an argument exists that the interpretation of the words ‘necessary’ and ‘reasonably practicable’ are open to distinction,” Martinson adds.
If the collection of vaccination data is considered to be ‘reasonably practicable’, then the next question is whether it is ‘necessary’.
“The answer to this question will vary from employer to employer, as well as between occupations,” Martinson says in his analysis, adding that an organisation should first consider less privacy-intrusive means of achieving the same goal.
“For example, can the risk to employees be sufficiently reduced through mandatory mask requirements, social distancing and hand hygiene? Can employees work from home or alternate between home and the workplace so not all employees are in the workplace at once? Is a blanket policy necessary or is a more strategic approach just as effective but less privacy intrusive? There is no ‘one size fits all’ solution. If in doubt, you should seek legal advice,” he says.
The Labour Act does not include a specific provision regarding the protection of employees from the transmission of communicable diseases.
Organisations that collect data in contravention of the Data Protection Act could face an enforcement order from the Office of the Ombudsman if, after receiving a complaint or initiating its own investigation, it finds that the business is not in compliance with the law, Martinson says. Such an enforcement order may require the cessation of processing and that the data be destroyed.
Non-compliance with an enforcement order is an offence which carries a fine of up to $100,000 or imprisonment for up to five years, or both, following a court proceeding. And, as enforcement orders are routinely published on the Ombudsman’s website, this type of enforcement action has a high likelihood of becoming public knowledge, Martinson says.
In his conclusion, Martinson notes that vaccination status and data protection laws worldwide are a rapidly evolving area of jurisprudence, with some governments taking legislative measures to mandate vaccinations in an attempt to provide a degree of certainty. He points out that “only in the event of a judicial challenge will more ‘comprehensive’ legal guidance be available”.