COVID-19 Vaccination at Work and Data Privacy
Malaysia received its first batch of the COVID-19 vaccine on 22 February 2021.
Many employers will understandably be eager for their employees to be vaccinated given that a single positive case of COVID-19 in the workforce can result in suspension of business and operations.
This Alert aims to provide insight into whether employers can impose mandatory COVID-19 vaccination on employees, and into the data privacy issues that arise in processing the COVID-19 vaccination status of employees.
Can employers impose mandatory COVID-19 vaccination on employees?
An immediate response to this would be “No”.
As at the date of this Alert, it is not mandatory to be vaccinated against COVID-19.
Further, under the Frequently Asked Questions on COVID-19 Vaccine issued by the Ministry of Health on 31 December 2020 (“FAQ”), it has been clarified that vaccination against COVID-19 is voluntary and individuals must fill in the consent form to be vaccinated.
So, is there anything else that the employers can do?
Occupational Safety and Health Act 1994 (“OSHA”)
A relevant piece of legislation which may shed light on this is OSHA, particularly the following sections:
- Section 15 of OSHA imposes a duty on employers to ensure, so far as is practicable, the safety, health and welfare at work of all their employees. This duty includes, amongst others, the provision and maintenance of a working environment for employees that is, so far as is practicable, safe, without risks to health, and adequate as regards facilities for their welfare at work.
- Section 24 of OSHA provides that employees have a duty (amongst others) to comply with any instruction or measure on occupational safety and health instituted by their employer.
Based on these sections, it appears that employers may rely on section 15 of OSHA in making a request to their employees to be vaccinated. In view of the high transmissibility of COVID-19, it would be reasonable for them to make such a request, as part of their duty to ensure the safety, health and welfare at work of all their employees.
What if the employees refuse COVID-19 vaccination?
It would not be surprising if some employees (although eligible to be vaccinated) refuse the COVID-19 vaccination for fear of unknown side effects. This is especially so if a person has underlying health conditions or is not in the proper state of health to be vaccinated.
In such a situation, in the absence of any laws imposing mandatory COVID-19 vaccination, employers would not be able to compel such employees to be vaccinated. Further, as mentioned earlier, under the FAQ, all COVID-19 vaccinations are voluntary.
To put it simply, if an employee refuses to be vaccinated, this in itself will not be a basis for dismissing the employee.
That said, while employers are at liberty to set policies relating to workplace safety (e.g. requiring vaccination in order to return to work or attend the workplace), proper engagement should be carried out to understand why a particular employee refuses to be vaccinated.
Ultimately, it is important for attempts to be made to work out sustainable solutions with the employee, e.g. work from home arrangements.
As with proper and fair labour practice generally, termination, even where there is a basis for it, should always be the last resort where no other solutions are available.
Data privacy issues
In addition, employers need to be mindful of the data privacy issues that can arise in the processing of employee information relating to COVID-19 vaccination.
Under the Personal Data Protection Act 2010 (“PDPA”), “sensitive personal data” is defined to include (amongst others) any personal data consisting of information as to the physical or mental health or condition of a data subject (in this case, the employees). COVID-19 vaccination status would fall within the definition of “sensitive personal data” under the PDPA, as this amounts to data on the health condition of the employee.
Accordingly, under section 40 of the PDPA, a data user shall not process any sensitive personal data of a data subject unless the data subject has given his explicit consent to the processing of such data. A person who contravenes this commits an offence and shall, on conviction, be liable to a fine not exceeding RM200,000 and/or to imprisonment for a term not exceeding two years.
Therefore, employers (being the data user) are required to obtain the explicit consent of their employees (being the data subject) before collecting and processing the COVID-19 vaccination status data (being sensitive personal data) of the employees.
There is no specific form or content of the consent prescribed under the PDPA. Section 3(1) of the Personal Data Regulations 2013 merely provides that the consent shall be in any form that such consent can be recorded and maintained properly by the data user. Do note that if the consent to process personal data is in a form that also concerns another matter, it is required that such consent be presented in a way that is distinguishable from the other matter. The consent should as far as possible be clear and unambiguous.
What steps can employers take?
For employers who are keen for their employees to be vaccinated, here are a few steps that employers can take:
- Provide the employees with publicly available medical information on the safety, effectiveness and any potential side effects of the COVID-19 vaccine so that the employees can make an informed decision for themselves. There is plenty of helpful information prepared by the Ministry of Health on the COVID-19 vaccines, including information on the National Covid-19 Immunisation Programme. Employers must however always keep in mind that the decision to take the vaccine or otherwise is a decision that belongs to the employees.
- Procure consent forms to record the explicit consent of employees for the processing of information relating to vaccination against COVID-19 consistent with the provisions of the PDPA.
- Where employees refuse to be vaccinated, employers must not force them to do so. Instead, alternative measures such as work from home arrangements and enforcement of standard operating procedures such as social distancing, sanitisation and use of face masks can be considered or continued.
This alert is for general information only and is not a substitute for legal advice.