Vaccination related data and POPIA: Can businesses ask for vaccine status information?
This article addresses the critical question of whether or not a business can, in terms of the Protection of Personal Information Act 4 of 2013 (POPIA), request an employee, customer, contractor or third party to disclose their vaccination status.
Disclosing one’s vaccination status entails the “processing” of “special personal information” under POPIA. Specifically, such information constitutes health data under section 26 of POPIA, and is afforded additional protection given its sensitive and confidential nature.
POPIA provides for very specific legal justifications or lawful bases that allow for the processing of health data. These are set out in detail in sections 27 and 32. Section 27(1) deals with general authorisation concerning special personal information and specifically allows a responsible party to process such data if:
processing is carried out with the consent of a data subject;
processing is necessary for the establishment, exercise or defence of a right or obligation in law; or
information has deliberately been made public by the data subject.
As such, is there a specific right or obligation in law that justifies the processing of vaccination-related health data? At the time of writing this article, the answer is no. A good example to illustrate this point stems from the Consolidated Direction on Occupational Health and Safety Measures in Certain Workplaces (published 11 June 2021), which obliges an employer to take measures to screen workers/employees when they report for work in order to determine whether it is safe to allow them to be present at the workplace.
The corresponding guidelines for such screening practices are overtly silent on the disclosure of a person’s vaccination status. Therefore, in the absence of a clear and express obligation in law that specifically mandates the disclosure of a data subject’s vaccination status, responsible parties can only rely on the remaining justifications under section 27(1) of POPIA to process them.
Further, section 32(1) of POPIA deals with the specific authorisations concerning the processing of health data. Processing of such data is allowed if it is carried out by: medical professionals, healthcare institutions and facilities, and social services, if such processing is necessary for the proper treatment and care of the data subject, or for the administration of the institution or professional practice concerned;
insurance companies, medical schemes, medical scheme administrators and managed healthcare organisations, if such processing is necessary for the activities specified under section 32(1)(b);
schools, if such processing is necessary to provide special support for pupils or to make special arrangements in connection with their health;
any public or private body managing the care of a child if such processing is necessary for the performance of their lawful duties;
any public body, if such processing is necessary in connection with the implementation of prison sentences or detention measures; or
administrative bodies, pension funds, employers or institutions working for them, if such processing is necessary for the processing activities specified under section 32(1)(f)
In light of the above, apart from parties who are allowed to process vaccination-related health data under the special categories of authorisation set out in section 32 of POPIA, until legislators specifically put forward an express right to access or process vaccination-related health data in law, we are of the view that businesses that request information regarding the vaccination status of their employees, guests to their premises, customers or third-party contractors would require an express (and POPIA) compliant consent from the data subject to whom the special personal information relates.
Authors: Preeta Bhagattjee, Aphindile Govuza and Reece Westcott