
Hong Kong launched a mass voluntary Covid vaccination campaign in February. As mentioned in a previous story, 14% of employers in Hong Kong said they would make employee vaccination mandatory and some said they would just encourage employees to do so.

While it is not a legal requirement for employers in Hong Kong to implement any mandatory vaccination policy, some employers are considering the possibility of making it mandatory if the government makes it legally permissible to do so. 

Forrester's latest report identifies the privacy, ethical, and operational risks employers around the world must address if they consider the implementation of vaccine and immunisation passports, a digital document that provides evidence of an individual's immunisation status for the purpose of workplace attendance. 

“While Covid-19 is loosening its grip, it’s not going away,” said Enza Iannopollo, senior analyst at Forrester.

“Vaccine passports don’t offer the silver-bullet solution that many might hope for easing pandemic protocols and restrictions, and businesses should be planning for life with Covid in the medium to long term. Our overarching message to organisations everywhere is one of caution. With the right planning and consideration, the return to work will be smoother and more successful for all involved.”


Privacy and ethics

Strive for proportionality, fairness and transparency. Forcing employees to expose sensitive personal information or insights about their health could be both disturbing and unlawful, depending on your jurisdiction. Having received the vaccine is part of an employee's medical record, and employers must treat that information as such. Proportionality, fairness, and transparency are key principles to follow to avoid breaking the rules and employees’ trust. Employers should collect only the minimum amount of data needed to trigger specific policies to ensure proportionality and data minimisation. They should also encrypt the medical data they collect, and create and enforce strict access, sharing and deletion policies to ensure fairness and protection. Finally, employers must communicate clearly with employees about how they will treat the information they collect, how long they will keep it, and with whom and why they might share it.

Build a data protection impact assessment to answer privacy questions. Building a data protection impact assessment (DPIA) or a privacy blueprint can help employers get to the core of this privacy challenge. It will help them take a more balanced approach between the privacy risks they create by collecting employees’ sensitive data and its benefits. Start from the definition of a lawful purpose, with an appropriate legal basis. Don’t think about “employee consent” as a panacea. Remember this: Consent requires that employees have a meaningful opt-out option, but employers asking for vaccination proof for entering the workplace can’t make such a claim. A DPIA will also help focus on technical mitigation, such as security controls, as well as governance and processes. 

Mind the privacy and ethical gaps of exposing those who don’t have a vaccine. Exposing those who can’t or don’t want to get a vaccine is a consequence of your immunisation policy, and it’s a problem. From a privacy perspective, people who don’t carry proof of vaccine might suffer from other medical conditions, such as allergies, or have religious or political beliefs for refusing the vaccine. Privacy offers strong protection to all these circumstances. Investigating why an employee doesn’t want to carry proof of vaccine creates huge liability. Don't do it. Maintain flexible work-from-home policies if possible or allow employees to take time off if they prefer to avoid coming back to the workplace. 

Operational risks

Identify the privacy, ethical, and fraud risks with vaccination tracking. When proof of vaccination deters an individual’s access, there is incentive for that individual to deceive for self-interest, given the right conditions. Other forms of tracking, such as manual or paper-based certificates, carry the same privacy and ethical risks, in addition to potential fraud risk with fake certificates.

Manage the impact on employee stress and sentiment. Consider the potential distress for those that can’t get the vaccine or are delayed due to factors beyond their control when they would willingly get it. The impact of uneven or slow vaccine rollout extends to employees’ immediate bubble, like family members. An employee could be vaccinated, but if their child can’t be or schools aren’t open, it still affects their ability to work and return to a work site.

Re-examine business travel policy for new entry requirements and scrutiny. The IATA Travel Pass is a digital passport to verify pre-travel test or vaccination requirements, already in trial by airlines Emirates and Etihad Airways. CommonPass, from the Commons Project, The World Economic Forum, and a coalition of public and private partners, is another platform for travelers to document Covid-19 status for country entry requirements. Whether travel is international or local, companies still need to have a clear rationale for what constitutes necessary business travel; travel approval processes and procedures; guidelines for health, safety, and increased support in place for business travelers who may become ill during or after their trip; and procedures for post-trip actions like getting a Covid test.

Address the personal cyber safety of employees and their families. Vaccines, and all the challenges and anxiety surrounding them, pose a perfect opportunity for attackers who are always looking for innovative ways to prey on people’s vulnerability. We will see an increase in phishing, smishing (SMS-based fraud), and other human-related attacks as vaccines start rolling out in full. Manage this human risk by educating your employees and their families on how to be cybersafe at home, at work and on the move.