CIBC FirstCaribbean Bank (Cayman) was “excessive” in how it dealt with information it gathered about its employees’ COVID-19 vaccination status and PCR test results after staff returned to their workplaces in 2021, Ombudsman Sharon Roulstone has ruled.

After an investigation arising from a complaint by two employees, the watchdog found that the bank did not have a valid legal basis for processing the information relating to its staff’s vaccinations and results, and was unfair in requiring negative COVID test results only from unvaccinated employees.

The issue arose in 2021, after vaccinations were widely available and people were returning to their offices after months of working remotely.

In September that year, the bank implemented a new policy requiring its staff to provide proof of vaccination or, if they were not vaccinated, weekly negative PCR results. Anyone who failed to comply was required to go on unpaid leave, according to the Ombudsman report on the investigation.

As the basis for requiring the medical information from its staff, the bank relied on section 58 of the Labour Act, which states: “Every employer shall ensure so far as is reasonably practicable, the health, safety and welfare at work of that person’s employees.”

The Ombudsman’s report noted that the bank determined that it was necessary to process the vaccination and PCR results data to secure the safety of its employees. However, Roulstone noted, “This position seems untenable in light of the existence of options that were less intrusive in respect of the rights of the individuals, such as the use of PPE, social distancing, working remotely, etc.”

She added that Department of Labour and Pensions guidelines on COVID vaccinations and the duty of employers regarding the safety of their staff did not appear to support the bank’s policy, “in particular where disciplinary action or dismissal is concerned, which was the effective consequence of non-compliance by the employee”.

Unfair to test only non-vaccinated staff

The Ombudsman also stated that the argument for “necessity” of the bank’s policy in relation to trying to ensure staff were COVID-negative was weakened by the fact that the vaccination did not prevent people from contracting the virus.

“Targeting the PCR testing scheme at non-vaccinated individuals was unfair, given that being vaccinated does not ensure that people are ‘COVID-negative’, and therefore, it should have been implemented for all staff. This would have eliminated the need to request, analyze and store the vaccination status of any individuals,” Roulstone said in her findings.

She added that it was difficult for the bank to justify the requirement for staff to notify it of their COVID test results, as the law at the time obliged anyone who tested positive to notify health authorities and go into isolation. Therefore, “there was no need for the [employer] to obtain, analyze or store the test results of any of its employees” as it would have been made aware of any positive results when an employee called in sick.

The report noted that in response to the Ombudsman’s queries, the bank confirmed that the personal information was held for one month, in electronic format, that it was not kept on the employee files and was not shared.

Email complaint

The Ombudsman found fault with a reminder email that was sent to seven members of the bank’s staff who had not yet provided their vaccination status. The recipients were not BCC-ed on the email, meaning each one could see who else it had been sent to.

The complainants considered this a breach of data protection of sensitive personal information, as the recipients could infer from the email who was unvaccinated. The Ombudsman agreed, saying this approach “could have facilitated the profiling of the seven individuals” and ruled that the bank should use BCC in future when sending similar emails.

Roulstone also investigated a complaint by one of the two employees regarding their data being sent to the bank’s human resources department in the Bahamas, which at the time dealt with the Cayman office. The bank assured the Ombudsman that adequate security measures were in place to protect the transfer of the information.

But the Ombudsman ruled that the bank had not demonstrated how it met that security requirement to keep the data safe, and has given it 45 days to provide documentation to her office showing the safeguards that are in place when transferring data overseas.

In her other rulings following the investigation, Roulstone found that the bank employees had been properly informed of the purpose for the data gathering, that this purpose was legitimate, and that the data was not kept for longer than required.

She noted that the data processing that led to the complaints is no longer in practice and, therefore, she determined that no corrective action was required.