Data Protection – your lawful basis for using VaxCheck.

As the vaccine is administered and rolled out you may find the need to share information quickly or adapt the way you work. Data protection will not stop you doing that.

It’s about being proportionate – if something feels excessive from the public’s point of view, then it probably is.

The personal data you provide, combined with the data entered by medical staff to create your vaccination certificate, becomes what is known under GDPR as Special Category Personal Data, because it is “data concerning health”.

Special Category Personal Data is afforded extra protection under GDPR, and you are not allowed to process it unless at least one of ten exemptions applies.

These exemptions are listed in Article 9 of GDPR.

Identifying an exemption that applies to the circumstances of your processing only lifts the ban on processing this health data. You are still required to find and apply a relevant Article 6 GDPR condition for your processing of this personal data to be lawful.

Data protection is very condition-specific, but the examples below demonstrate how your organisation will be allowed to process the health data that we process through our VaxCheck solution.

In many cases, rather than being prevented from processing the data, you will be afforded a choice of lawful ways in which you can process a person’s data held on VaxCheck.

The scenarios we list below, while accurate, are indicative only and you should seek independent advice or refer to the Data Protection Commission website to satisfy yourself.

If you have specific queries about whether you should use VaxCheck, and whether your processing would satisfy the principles of proportionality and necessity embedded in the law, we can provide frank advice on that. Email our Privacy Officer at cillian@smartscan.io

Client/User Scenarios.

  1. If you run a business with public access to a facility (pub, restaurant, concert venue, theatre, cinema, hairdresser, shop, trains, bus etc) 

The exemption to the prohibition of processing of health data would be:

GDPR Article 9.2 (i)

processing is necessary for reasons of public interest in the area of public health

Combined with 

GDPR Article 6.1 (c) 

processing is necessary for compliance with a legal obligation to which the controller is subject.

In this case the employer has a legal obligation under the Safety, Health and Welfare at Work Act legislation to maintain a safe working environment.

  2. Employers

Employers, generally, cannot use consent as a lawful basis to process personal data of their staff, but in the following scenarios it is permissible.

If you are an employer and you are going to use VaxCheck to manage the return of staff to a normal office environment, your lawful basis is:

  1. For those employers who have occupational health providers contracted; 

GDPR Article 9.2 (h)

processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional. 

Combined with 

GDPR Article 6.1 (c)

processing is necessary for compliance with a legal obligation to which the controller is subject.

In this case the employer has a legal obligation under the Safety, Health and Welfare at Work Act to maintain a safe working environment.

  1. Those without occupational health contractors, but who can provide non-vaccinated staff with an alternative working environment that is not of a lower standard than the working environment where the vaccinated staff are situated, will, most likely, be able to use:

GDPR Article 9.2 (a)

the data subject has given explicit consent to the processing of those personal data for one or more specified purposes.

Combined with 

GDPR Article 6.1 (c)

processing is necessary for compliance with a legal obligation to which the controller is subject.

In this case the employer has a legal obligation under Health and Safety legislation to maintain a safe working environment.

  1. Employers without contracted occupational health providers who also cannot equitably accommodate those who are unvaccinated in their office may, under the direction of public health authorities, undertaken to protect against COVID, use Article 6.1(e) and Article 9(2)(i) GDPR and Section 53 of the Data Protection Act 2018 for deploying VaxCheck.

3. If you are a religious body 

The exemption to the prohibition of processing of health data would be:

Article 9.2 (d)

processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects.

Combined with

Article 6.1 (d)

processing is necessary for the purposes of the legitimate interests pursued by the controller  

The pandemic has caused a lot of uncertainty, including in the area of data protection. The legislation did not envisage countries having to deal with a European public health disaster of this scale, but its articles, intention and spirit are flexible enough to allow the processing of health data where, for instance, not to do so would breach the responsibilities you, as a business or organisation, have to protect your staff, your customers or users.