UK GDPR: Is checking the COVID status of visitors, customers and employees legal?

For certain settings, it is now a legal requirement to get vaccinated and check people’s COVID status.

Data protection rules must be considered when implementing COVID-status checks. Organisations should take into account:

  • employment law and contracts with employees (if you are considering checking employees’ COVID status);
  • equalities and human rights (including privacy and data protection rights); and
  • health and safety requirements.

Organisations should also consider other regulations specific to their sector, as well as current public health advice and the latest government guidance in their part of the UK.

Organisations may also check such health data (special category data) at their own discretion. When doing so voluntarily, you must be clear about the purpose.

  • Be clear about what the request is looking to achieve, and clear about how knowing this private health information will help achieve this.
  • Use of such data must then be relevant, fair and necessary for the specific purpose.

Organisations should check the government guidance to determine whether they are required to conduct checks.

Find further information for each devolved administration via the links below:

> England

> Northern Ireland

> Scotland

> Wales