Data protection laws breached by HSE for asking staff about vaccine status

Mr Grogan said that a person had been sent around asking staff if they had been vaccinated and if they did not want to reply, they did not have to do so. (Photo by Christopher Furlong/Getty Images)

Vivienne Clarke

An employment law expert has warned that the HSE breached data protection laws when it sent someone to determine the vaccination status of staff.

Richard Grogan told RTÉ radio’s Morning Ireland that a person had been sent around asking staff if they had been vaccinated and if they did not want to reply, they did not have to do so.


However, he said he knew of one hospital where 30 staff, who had not indicated their vaccination status, were subsequently telephoned by the hospital’s director of nursing.

“That creates huge GDPR issues, because the issue then is every frontline worker in that hospital has had their vaccination status told because the director of nursing now knows whether you're vaccinated or not vaccinated.”

He said he was not aware that any health and safety assessment had been completed, and he maintained that the person themselves breached data protection.


“What they've done is created a GDPR nightmare of litigation because everybody in the frontline now have a situation where their status has been disclosed without their consent.

“This could easily have been done by putting in place a proper risk assessment and dealing with it on that basis.

GDPR nightmare

“The Data Protection Commission has said that even asking those questions is contrary to GDPR unless you've got a risk assessment done in advance and I have no evidence that that risk assessment was done and given to staff before they got it, so that's the real issue here.”

When asked if he would be representing staff who were involved, Mr Grogan said he did not have any signed up yet, but a number had contacted him about this issue. On being asked the numbers involved, he said it was “a significant number”.


“I know one hospital where 30 people did not wish to disclose their status and all of those 30 received a telephone call.”

Mr Grogan said the problem was there were five different groups handling the issue, “all going their own way, we have no coordinated group and nobody is asking the questions.

“I accept that the HSE has a really strong argument to say they have to keep Covid out, nobody wants Covid anywhere, I don’t want Covid, but they have to comply with the rules.

“You can’t retrospectively solve a GDPR breach.”
