Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

APAC-CIS: COVID-19 vaccination status - What can employers collect? Part two

The global COVID-19 pandemic has posed, and still poses, many challenges in the context of employment, one of which are the rapidly changing requirements in terms of privacy, data protection, and disclosure of the employees' vaccination status. This Insight series looks across a variety of countries with regards to which information employers can collect, outlining the local requirements in Australia, New Zealand, and Singapore in part one and in China, Japan, India, and Russia in part two.

RomoloTavani / Essentials collection / istockphoto.com

China

What are the rules (if any) surrounding the collection and use of vaccination data?

If an employer's China office employs a natural person in China and processes (i.e. collects, uses, discloses, stores, or deletes) data related to the candidates' and employees' COVID-19 vaccination status, the Personal Information Protection Law ('PIPL') applies.

If an employer does not process the data linked to the candidates' and employees' COVID-19 vaccination status in China, e.g. when candidates or employees upload their data directly to the servers outside of China, and the employer verifies and stores that data in such server, the PIPL also applies, since it is for the purpose of providing access to employees and candidates in China.

A department rule adopted by the Cybersecurity Administration of China ('CAC'), which requires that COVID-19 related data should only be used for the purpose of defence and control of COVID-19, except for the organisations required by the applicable laws (e.g. the Law on the Prevention and Treatment of Infectious Diseases). Other organisations or individuals should obtain consent from the data subjects before they collect and use COVID-19 related personal data, and must take security measure to protect such data from data breach incidents.

What would be the appropriate legal basis for such processing?

The legal basis is provided by Article 13 of the PIPL; however, the PIPL does not clearly indicate what kind of organisation can rely on this legal basis. Currently, we understand it can be used by most of the employers, but it must be necessary for public health emergencies purposes, rather than allowing for processing of such data without any limitations.

Consent

The CAC's general Notice on the protection of personal information and use of Big Data to support the prevention and control of COVID-19 ('the Notice') stipulates that consent is the only legal basis for the processing, unless where laws and administrative regulations provide otherwise.

Legal obligation

The legal obligation basis is unclear; however, it is not required by laws and regulations to collect nor store the vaccination data.

Performance of contract

Personally, and commonly, the performance of the contract cannot be explained as a legal basis for collection or usage of vaccination data. The vaccination data cannot reflect the real health status of an employer: even if an individual gets vaccinated, there is still a chance that they can be infected; such data collection is thus not necessary for its processing purposes. Notably, non-vaccination is not direct evidence that the employee is unable to work; it is therefore not a condition for the contract performance. But, for some special positions or roles, such as doctors in hospitals, we understand it should be necessary since the risk is different.

Is an organisation permitted to ask employees or visitors for their vaccination status prior to permitting them to enter the workplace?

For all organisations, as far as I understand, it is not permitted, as it is not a necessary condition for all the employees, but some special positions may be permitted, which should be assessed on a case-by-case basis.

Regarding public health emergencies, it should be noted that not all of the data processing is necessary to respond to public health emergencies. Currently, in practice, the proof of health status should be the health code and the travel history of the previous 14 days; sometimes it can be expanded to the nucleic acid testing if the local government has a policy for COVID-19 control in place, it is currently not mandatory to get vaccinated, and it should not be a condition for employment, which would impact the right of employment.

Although it can be collected with the employee's consent, such data is not necessary for the purposes of COVID-19 control, such collection may not be compliant with the data minimisation principle under Article 6 of the PIPL, for its purposes, collection, or usage of such data will not prove the employee's health status. Thus it cannot be used as a proof prior to accessing the workplace of the employer.

Can an organisation collect or ask for proof of vaccination and/or testing records?

Commonly, an organisation will not be required to ask for the proof or vaccination and/or testing records, as there is no legal basis for this processing. As we discussed above, the vaccination is not a proof of health status, and testing records should not be commonly required to be displayed in daily work, but only in some emergencies.

Sometimes organisations can collect the testing records, if the data subject has travelled to cities or areas where there are any COVID-19 infectious cases and the health code colour has changed from green to yellow or red, or the Chinese Government ('the Government') requires it as a public policy of COVID-19 control, it is reasonable and necessary to use this to prove the data subject's health status, respond to the health incident, and protect other individuals' health as well.

Is an organisation allowed to disclose information on COVID-19 results within the company and/or to health authorities?

As required by the Notice, without the data subject's consent, no one should disclose COVID-19 related data to the public, except for data which has been anonymised. Under Article 25 of the PIPL, a personal information processor should not disclose the personal information to the public without the consent of the data subject, which is also an obligation of the Government or public authorities who process such data.

If an organisation finds COVID-19 results to correspond to a yellow or red health code, the organisation has the obligation to disclose the COVID-19 testing results and the health code to the health authorities, and take measures to protect the premises, such as requiring all individuals not to enter them, whilst also coordinating with the health authorities to conduct COVID-19 testing. The legal basis for the processing should be the compliance with legal obligations rather than consent. Thus, in this case, the organisation does not need to obtain consent from data subjects for this processing.

How long is an organisation required to keep/store vaccination data?

According to Article 19 of the PIPL, the data should be stored only for the shortest period for the processing purposes, except for other provisions required by laws and regulations.

Regarding the vaccination data, organisations should not store the vaccination data of a specific natural person, except if these organisations are permitted by laws and regulations, since the vaccination data is not required as a proof of the health status and is not necessary for the purposes of COVID-19 control.

Regarding the testing data, although normally it is not collected or stored, as it is not necessary all the time, except in an emergency status, such data should be retained by employers for seven days if the data subjects' health code and testing result corresponds to a green health status. For all other results, the organisation may need to retain the data for a long period to coordinate with the health authorities, the hospital, or other permitted organisations to respond to the health incident. After the emergency period, the data is not suggested to be deleted, but anonymised, as well as to formulate a record for back-up and further inspections of health authorities or the Government.

Japan

What are the rules (if any) surrounding the collection and use of vaccination data?

There are no rules specific to the collection and use of vaccination data. The Act on the Protection of Personal Information (Act No. 57 of 2003 as amended in 2015) ('APPI') is the most relevant piece of legislation. However, currently, the APPI and its subsidiary regulations do not clearly state how to handle vaccination data itself. According to Article 2(1) of the APPI, 'personal information' covers information relating to a living individual which contains information whereby a specific individual can be identified. As a general understanding, vaccination data may therefore contain information which can identify a specific individual. Vaccination data is thus construed as personal information under the APPI.

On the other hand, the APPI has the concept of 'special care-required personal information', which is defined as personal information comprising a data subject's race, faith, social status, medical history, criminal record, fact of having suffered damage by a crime, or other descriptions prescribed by cabinet order of which the handling requires special care so as not to cause unfair discrimination, prejudice, or other disadvantages to the data subject.

As the vaccination data is not 'medical history' itself, it does not seem to be special care-required personal information. However, the interpretation regarding whether the vaccination data falls under the special care-required personal information is unclear. Currently, there is no official guideline issued by the Personal Information Protection Commission ('PPC') regarding whether the vaccination data falls under the special care-required personal information.

What would be the appropriate legal basis for such processing?

In order to collect the personal information, consent of the data subject is not required except where such personal information is special care-required information. If the vaccination data is mere personal information, then consent of the employee is not required. However, the employer must promptly inform the employee of the utilisation purpose of such vaccination data (Article 18 of the APPI). In addition, the employer must take necessary and appropriate action for the security of the vaccination data, including the prevention of leakage, loss, or damage of the personal data (Article 20 of the APPI). Further, the employer must obtain the consent of the subject employee to disclose its vaccination data to third party (Article 23 of the APPI) even if it is not special care-required personal information.

However, Article 23 also provides some exceptions where the consent of the data subject is not required to disclose its personal information to third party. Especially related to vaccination data, the most related exception is cases in which there is a special need to enhance public hygiene or promote fostering healthy children, and when it is difficult to obtain a data subject's consent. In these cases, the consent of data subject is not required.

Is an organisation permitted to ask employees or visitors for their vaccination status prior to permitting them to enter the workplace?

Vaccination against COVID-19 is not mandatorily required under the current laws and regulations in Japan, but it is strongly encouraged. Therefore, there are no clear laws and regulations related to the vaccination at the workplace.

In principle, the organisation has the discretion and freedom as to who can enter the workplace. Therefore, it is allowed to ask visitors about their vaccination status. However, although the vaccination is strongly encouraged, the Ministry of Health, Labour and Welfare (‘MHLW’) emphasises that the COVID-19 vaccination is voluntary and not mandatory, thus the employer should not force the employees to get the vaccination and treat unvaccinated employees unfairly.

Therefore, it can be said that asking for the vaccination status is allowed; however, to force the employees to take vaccinations and to show their vaccination status might fall under unlawful business instructions.

Can an organisation collect or ask for proof of vaccination and/or testing records?

The employer can collect or ask for proof of vaccination and/or testing records as long as the employer notifies the purpose of collection. Regarding testing records, as it might be construed as special care-required personal information, practically speaking, it is recommended for the employer to obtain consent from the employee for the collection of testing records and proof of vaccination.

Is an organisation allowed to disclose information on COVID-19 results within the company and/or to health authorities?

COVID-19 results may fall under the definition of special care-required personal information as it is 'medical history'. Nonetheless, the personal information on COVID-19 results can be shared within the company as the sharing within the company is not regarded as a disclosure to a third party.

On the other hand, disclosing information on COVID-19 results to health authorities is basically third-party disclosure, and thus it is required to obtain consent from the data subject. However, if such disclosure is based on laws and regulations, obtaining consent of the data subject is not required (Article 21(1)(i) of the APPI). In this regard, Article 10 of the Act on the Prevention of Infectious Diseases and Medical Care for Patients with Infectious Diseases (Act No. 114 of October 2, 1998) states that when a prefectural governor deems it necessary for the purpose of preventing the outbreak of an infectious disease, then the prefectural governor may conduct necessary investigations. This is one of the examples of 'laws and regulations' as set out in Article 21(1)(i) of the APPI. Also, if Article 21(1)(iii) and (iv) of the APPI apply, then the consent of the data subject is not required:

  • 21(1)(iii) includes cases in which there is a special need to enhance public hygiene or promote fostering healthy children, and when it is difficult to obtain a principal's consent; and
  • 21(1)(iv) provides for cases in which there is a need to cooperate in regard to a central government organisation or a local government, or a person entrusted by them performing affairs prescribed by laws and regulations, and when there is a possibility that obtaining a principal's consent would interfere with the performance of said affairs.

How long is an organisation required to keep/store vaccination data?

There are no rules regarding the storage period of vaccination data. However, the data related to third-party provision is required to be kept for a period of three years according to Article 25(2) of the APPI and Article 14(iii) of Enforcement Rules for the APPI.

India

What are the rules (if any) surrounding the collection and use of vaccination data?

An employee's vaccine status should be considered health data under the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ('the Data Privacy Rules'). The Data Privacy Rules categorise health data as sensitive personal data or information ('SPDI'), which requires certain compliance measures to be undertaken. This includes the employer (the 'collecting entity') being required to obtain employee consent for collecting, processing, storing, or transferring the employee's health data (in electronic form). Typically, consent for collecting health data is collected at the time of hiring and recruitment of the employee. In the event such consent is already obtained, a separate consent may not be required to collect vaccination data.

In all cases, employers should only collect and retain the minimum amount of information needed to fulfil their purpose and should not retain the data for longer than is required and used only for lawful purposes. Ideally, employers should not seek this information unless it is necessary to do so. If the organisation's aim could be achieved by other, less privacy-intrusive means, it should not request this data. For example, if the employees in question are not working from the office, or unlikely to come into contact with each other, customers, or suppliers whilst carrying out their duties, requesting this data is unlikely to be deemed reasonable or proportionate.

Additionally, employers should put in place a privacy policy setting out:

  • what data they will collect and process;
  • why they are collecting and processing this data;
  • how it will be processed and for how long it will be retained; and
  • the intended recipients of the information, drawing this to the attention of the employees.

Employers should take appropriate steps regarding the accuracy and security of the data, and bear in mind their duty of confidentiality in respect of employees who have provided information about their vaccination status.

What would be the appropriate legal basis for such processing?

Since such data would be considered as SPDI, employers may collect proof of an employee's vaccine status if there is a valid reason to do so, for example as a condition for office access or for undertaking official travel, and subject to compliance with the Data Privacy Rules including employee consent.

It may be noted that some Indian states have made it mandatory for employers to obtain proof of vaccination from their staff. For example, in Bangalore, the municipal authority requires employees to keep their vaccination proof handy while in the office.

Is an organisation permitted to ask employees or visitors for their vaccination status prior to permitting them to enter the workplace?

Yes, an organisation can ask employees or visitors for their vaccination status prior to permitting them to enter the workplace. However, considering that the vaccination status would be considered as SPDI, it would be imperative for the organisations to comply with the Data Privacy Rules, especially with respect to the visitors.

Some organisations may limit office entry only to its staff for the time being. It may be noted that some states in India (Maharashtra, for example) have categorically stated that if an organisation does not allow any member of the general public (visitors) to enter the office premises, it may not be required to ensure full vaccination of its entire staff, although it is strongly advised.

Can an organisation collect or ask for proof of vaccination and/or testing records?

Yes, employers can collect proof of an employee's vaccine status if there is a good reason to do so, for example for office access or official travel, subject to compliance with the Data Privacy Rules. The Indian Government has established an online registration portal to register for vaccinations known as 'Co-WIN'. Individuals are provided a provisional certificate upon completion of the first dose, and a completion certification after the second. These certificates are issued by the Indian Ministry of Health and Family Welfare ('MoHFW') through the Co-WIN app. The organisation may request employees for a copy of such certificates.

Note that employees are not legally required to get a COVID-19 test done before physically returning to the office. However, employers may ask the employees to report the results of the COVID-19 test, if it is asking the employees to get tested. However, recording such results may lead to the creation of medical records of the employees, and to that extent, the employers are required to comply with the Data Privacy Rules, as mentioned above.

Is an organisation allowed to disclose information on COVID-19 results within the company and/or to health authorities?

Yes, it should be possible to disclose such information, provided it is for valid reasons. However, organisations must comply with the data privacy law requirements, including obtaining employee consent since such information may be categorised as SPDI as per the Data Privacy Rules.

In the case of transfer of any SPDI (which would include vaccination data), the Data Privacy Rules require the transferring entity to ensure that the transferee entity (whether located in India or any other country) has the same level of data protection that is adhered to by the transferring entity. Further, the transfer may be allowed only if it is necessary for the performance of the lawful contract between entities, or where the data owner has consented to the data transfer.

How long is an organisation required to keep/store vaccination data?

Since an individual's medical and health data (in electronic form) constitutes SPDI, the Data Privacy Rules require that an organisation collecting such data should only retain the same for as long as it requires the data for the lawful purpose(s) for which it was obtained. It may be noted that the employee has a right to withdraw their consent at any stage.

Any additional information?

Since the MoHFW frequently asked questions ('FAQs') on the vaccination of individuals being voluntary, it may not be legally possible to terminate the employment of non-vaccinated individuals mandatory.

Russia

What are the rules (if any) surrounding the collection and use of vaccination data?

Various measures undertaken in Russia were aimed at ensuring the immunisation against COVID-19 of the Russian population. Specific regulations were introduced to ensure health and safety at offices, production and trading sites, as well as public places. These measures have been introduced both on the federal level and by regional authorities, and are being constantly updated, due to the spread of the pandemic. In this regard, companies with premises or operating in different Russian regions should track the regional COVID-19 legislation, comply with different mandatory requirements, and follow the State authorities' guidance.

In most of the Russian regions, vaccination has become mandatory for visiting such public places, as theatres, museums, certain business-related meetings, and public events. For example, in Moscow, a QR code, which is issued in result of the COVID-19 vaccination, is required to visit any event with more than 500 guests.

COVID-19 measures also apply to employees, as well as to individuals hired as independent contractors (those engaged under civil law contracts, including self-employed individuals) and agency workers (further collectively referred to as 'employees').

Currently, in most of the Russian regions, the employers and employees must comply with mandatory vaccination within specific industries.

Is an organisation permitted to ask employees or visitors for their vaccination status prior to permitting them to enter the workplace?

In general, vaccination is voluntary. However, given the current COVID-19 situation and considering that certain industries are at a higher risk of spreading the infection, the majority of Russian regions have introduced mandatory vaccination in specific (listed) industries. Employers in those industries must ensure that up to 80% of their employees have been vaccinated. This requirement extends to all such companies and employees operating in those industries, but does not cover companies operating in other industries in the same region.

For instance, in most of the Russian regions (if not all), COVID-19 vaccination is obligatory for the employees working in catering, beauty and spas, fitness clubs, swimming pools, laundries and dry cleaners, entertainment centres, museums, libraries, concert halls, public transport and taxis, education, health care, and social services, to name only a few. It also applies to trade, customer service in banks and post offices, entertainment centres, as well as to mass sporting and physical culture events, among others.

In addition to ensuring mandatory vaccination in those industries, employers are also obliged to report to regional governmental authorities about their employees' COVID-19 status. Employers are, thus, legally entitled to collect, from certain categories of employees, the respective information about their COVID-19 status. Such information may include not only specific vaccination details, but also related information on compliance with quarantine measures or self-isolation.

Based on the above requirements, employers have to request information about the employees' vaccination, that includes vaccination certificates issued by medical organisations and QR codes.

If an employee working in one of the industries with mandatory preventive vaccination refuses to be vaccinated, an employer is obliged to suspend them. Otherwise, a company may be charged with administrative liability. However, in case an employee has justifiable reasons to refuse vaccination, the employer must obtain the documents confirming such justifiable refusal in order to support their decision on the non-suspension of the employee. Such documents may include medical certificates confirming contraindication to vaccination and existing immunity against COVID-19.

Thus, in order to make a proper decision with respect to the selection of which employees may be potentially suspended or put on a remote-work assignment, employers need to obtain certain information from employees: such information is likely to include sensitive personal data about an employee's health status.

Additionally, employers in certain Russian regions must report the exact number of vaccinated employees to the authorities, those who work remotely and those who work onsite. Such reports include the employees' personal information.

Can an organisation collect or ask for proof of vaccination and/or testing records?

Vaccination details, medical contraindication to vaccination, and information regarding existing immunity against COVID-19 constitutes personal data related to health.

Information about health is considered sensitive personal data by Russian data protection laws as. Processing of sensitive personal data is generally prohibited, except for the following cases:

  • a data subject has given written consent;
  • a data subject made this data available for distribution to an unlimited number of persons;
  • the processing is conducted for the protection of life, health, and other vital interests of personal data subjects or third parties, when obtaining a data subject's consent is not possible;
  • the processing is conducted in accordance with Russian laws on State social assistance, labour laws, or pension laws;
  • the processing is conducted by a doctor, medical institution, or other person who must ensure medical secrecy, for medical or healthcare purposes;
  • the processing is required for the definition and execution of rights of a personal data subject and third parties, as well as for judicial purposes; and
  • in some other strictly limited cases.

The existing Russian legislation, along with the clarifications of the regulatory authorities, does not establish any specific regulation for the processing of personal data, including sensitive data, due to newly enacted COVID-19 regulations. Therefore, companies must choose the proper legitimate basis to process COVID-19 related information from the options above and must comply with the general legislative requirements and principles of processing personal data, including in the context of compliance with COVID-19 preventive measures. A company must process personal data based on such principles as lawfulness, purpose limitation, security and confidentiality, completeness and accuracy, and transparency, among other things.

The processing of visitors' vaccination personal data by organisations, visiting of which requires the provision of QR codes, is based on their legal obligation. However, the safest option for an employer on processing of employee health data would be obtaining an employee's written consent, prior to processing an employee's sensitive personal data.

According to the Labour Code of 31 December 2001 No. 197-FZ ('the Russian Labour Code'), the processing of employee personal data should be regulated by the employer's local policy. This means that employers should also update their data privacy policies to cover the new COVID-19 data processing activities, purposes of data processing, and new categories of personal data which are processed.

Is an organisation allowed to disclose information on Covid-19 results within the company and/or to health authorities?

If vaccination-related information of employees is transferred to third parties (e.g. affiliated companies, service providers, or medical institutions), employers should obtain separate written consent on any transfer of employee information to such third parties.

According to Russian data protection and labour laws, an employer may collect employee personal data directly from a data subject. There is also a basic requirement to have a legitimate basis for processing personal data, when vaccination-related information is collected from a medical organisation, rather than from a particular employee, or from a relative of an employee, or other representative. Such legitimate basis could be the protection of life, health, or other vital interests of personal data subjects or third parties, when obtaining the data subject's consent is not possible. If obtaining consent is possible, then a consent by a data subject is commonly chosen as the legitimate basis for such data processing.

How long is an organisation required to keep/store vaccination data?

Another important aspect is the retention period for the collected vaccination-related personal data. According to the general rule, a data controller may process personal data until the achievement of the purpose for which the personal data was collected has been reached, or during the period of data processing specified in the data subject's consent form. Once either of the above is reached, the data controller is under obligation to delete (i.e. destroy) the data within 30 days. In practice, vaccination-related information about individuals is processed until it is necessary to ensure compliance with the legislative requirements, or until achievement of the purpose of the personal data processing, unless the employee withdraws their consent earlier.

Conclusions and recommendations

Current Russian data protection legislation does not contain specific rules for the processing of COVID-19 related information. Official clarifications by Russian authorities on the issues related to data processing during the COVID-19 pandemic have not yet been issued either. Therefore, Russian data controllers need to assess each COVID-19 related data processing activity from the perspective of potentially needing to justify their actions, by the processing due to compliance with a legal obligation of a data controller, in a particular Russian region. In case the data processing goes beyond the scope of being a legal obligation, data controllers should obtain written consent from the data subjects for the relevant data processing. We strongly recommend justifying the processing of sensitive information, related to employees' health, by written consent, where other specific grounds for sensitive personal data processing are not relevant. Transfer of employee COVID-19 related personal data to third parties, unless such transfer is required by law, usually also requires the employees' written consent.

Companies should also review and update their internal data processing policies, preferably periodically, to ensure that they contain the most current information about COVID-19 related data processing specifics.

Keshawna Campbell Lead Privacy Analyst
[email protected]
Chanelle Nazareth Privacy Analyst
[email protected]

Comments provided by:
Dr Milind Antani Lead Lawyer
[email protected]
Nishith Desai Associates
Archita Mohapatra Associate
[email protected]
Nishith Desai Associates
Darren Punnen Core Member
[email protected]
Nishith Desai Associates
Dehao Zhang Counsel
[email protected]
Fieldfisher LLP
Hiroyuki Masuda Lawyer
[email protected]
One Asia Lawyers
Maria Ostashenko Partner
[email protected]
ALRUD Law Firm
Anastasia Petrova Of Counsel
[email protected]
ALRUD Law Firm