Jab or No Job a Privacy law issue

Over the past two weeks there has been a flurry of discussions around the legality of employers threatening to issue sanctions to employees if they do not take the Covid 19 vaccine. This was instigated by a company threatening to require the resignation of employees who fail to take the vaccine. The firm told its employees that with the availability of the vaccines persons are to ensure that they get the jab in accordance with its COVID-19 protocol and if they fail to so do they would be required to submit their resignation.

Very rarely to do you have so many Counsel opining and putting pen to paper on the same issue over such a short period of time. Assumedly, given the novelty of the recent NIDS decision that expanded the existing right to privacy, the issue of the right to privacy did not seem to come up for consideration. Instead, the discourse was framed as a labour law issue.

An alternative framing of the issue gives rise to a totally different conversation and may well make the expositions on labour law moot. A prerequisite for the employer to take any action against an employee is knowledge of whether the employee has taken the vaccine any at all. Contrary to what has been posited there is actually law that governs whether an employer can ask an employee whether he or she has been vaccinated: The Charter of Fundamental Rights and Freedom supported by the Data Protection Act. The issue now becomes, does the employer have the right to question his employee about whether he has received the jab as opposed to what power the employer has if the employee does not take the jab.

This issue is of particular importance given the significant impact on the protection of employees’ rights and freedoms with regard to the processing of their personal data. The act of requiring an employee to disclose whether he has received a vaccine is a form of processing personal data. More importantly not only is this personal data but under The Data Protection Act, as the employees vaccine status speaks to his health condition, it is “sensitive personal data”. While we acknowledge that there may be a legitimate objective of the employer in requiring an employee to disclose whether he has received a jab in order to provide a safe place of work, its implementation must still be in accordance with the law and demonstrably justified.

Article 13(3)(j) of the Charter of Fundamental Rights and Freedoms provides that by virtue of one’s inherent dignity as persons and citizens of Jamaica, a free and democratic society ; each person has right to -

(i) protection from search of the person and property;

(ii) respect for and protection of private and family life, and privacy of the home;

(iii) protection of privacy of other property and of communication;

The Chief Justice in the NIDs decision expanded the right to privacy and declared that privacy has at least three aspects: privacy of the person; informational privacy, and privacy of choice. These aspects of privacy arise not because they are conferred by the state but are possessed by all persons simply by being human.

He went on to say that informational privacy which does not deal with a person’s body but deals with a person’s mind, and therefore recognizes that an individual may have control over the dissemination of material that is personal to him. Unauthorized use of such information may, therefore lead to an infringement of this right; and the privacy of choice, which protects an individual’s autonomy over fundamental personal choices. Effectively, without more it would be a breach of the employees constitutional right for the employer to enquire into whether his employee has received the vaccine.

Save for the constitutional right to a fair trial there is no absolute right. The Chief Justice in the NIDS decision also set out the means by which the state can lawfully restrict one’s constitutional right.

“(i) The action must be sanctioned by law;

(ii) The proposed action must be necessary in a democratic society for a legitimate aim;

(iii) The extent of such interference must be proportionate to the need for such interference;

(iv) There must be procedural guarantees against abuse of such interference.”

Enter the Data Protection Act. The Data Protection Act sanctions the processing of personal data and sensitive personal data which extends to the disclosure of sensitive personal data such as an employer asking an employee whether he/she has been vaccinated. This processing however can only take place in specific circumstances that has been prescribed in the Act.

The circumstances under which sensitive personal data can be processed is set out in section 22(1)(b) and states as follows — (a) the data subject consents in writing to the processing of the sensitive personal data; (b) the processing is necessary for the purposes of exercising or performing any right or obligation which is conferred, or imposed, by law on that data controller in connection with employment or social security benefits; © the processing is necessary in order to protect the vital interests of the data subject or another individual. There are other circumstances set out in the legislation but these are the most relevant.

Option (a) consent, is not a viable option given the unequal bargaining power of the employee in the face of the employer. In order to rely upon the third option ©, processing in order to protect a vital interest, the employer would have to conduct a vital interest assessment test. He would have to assess the legitimate interest of the employer and other persons and weigh it against the employees right to informational privacy. This approach will necessarily entail looking at the efficacy of the vaccine and the availability of the vaccine.

The route of least resistance would be to rely on the second option. i.e. the processing is necessary for the purposes of performing an obligation which is imposed by law on that data controller in connection with employment. In this instance there is no balancing exercise to be performed.

Several Acts in Jamaica contain provisions in relation to occupational safety and health and impose obligations on employers to provide a safe place of work such as the Factories Act, the Labour Officers (Powers) Act, the Building Operations and Works of Engineering Construction (Safety, Health and Welfare) Regulations, the Docks (Safety, Health and Welfare) Regulations, and the Women (Employment of) Act.

Assuming arguendo your firm fell under the ambit of any of these pieces of legislation one could argue that requesting the disclosure of the vaccine status of an employee is necessary for the purposes of performing an obligation imposed by the law that is connected to employment i.e. providing a safe place of work. We are aware that there is currently an Occupational Health and Safety Bill before parliament. At the time of writing this article however I am not sure if this legislation has been passed.

This issue of employers requiring employees to disclose their vaccination status has come up for consideration in other European countries that have a similar Data Protection regime. The above approach i.e. relying on the request being a means by which they can comply with a legal obligation to provide a safe place of work, is in line with the UK Information Commissioner’s approach and that of the Belgian Information Commissioner. The French and Italian data protection supervisory authorities however are of the view that disclosure of vaccine status, may need to be founded upon explicit legal provisions presumably authorizing the requesting of that specific information.

Finally, if an employer is able to comply with all the above, the prudent employer would be well advised to conduct a data protection impact assessment before he begins processing the employee’s sensitive personal data. It would be incumbent upon him to assess the risk associated with the manner in which he envisages processing the personal data and ensure that adequate controls are implemented to remediate the identified vulnerabilities of the proposed manner of processing.

The Jamaican data privacy regime ushered in by the NIDS decision and bolstered by the Data Protection Act create a brand new paradigm that will take some time to get used to. Regardless of whether we choose to get familiarized with it or not, the new data privacy regime will have a far reaching impact on how government entities and privacy entities conduct business. The quicker we embrace a culture of privacy and implement personal data processing standards is the faster Jamaica will be able to start reaping the benefits of the 4th industrial revolution.

Chukwuemeka Cameron LLB LLM is a privacy practitioner and the founder of Design Privacy a company that helps you comply with local and international privacy laws. Feedback can be sent to ccameron@designprivacy.io. For information on how ready you are for the DPA check out our website at www.designprivacy.io