Outcomes - Selected Case Summaries


Proof of vaccination had no legal basis and was excessive - CIBC FCIB (Cayman)

Decisions | 21 March 2023

In September 2021, employees of the data controller were informed that a new policy was being implemented, requiring them to provide proof of Covid-19 vaccination or weekly negative PCR test results. Employees who failed to comply were required to go on unpaid leave. Two employees complained to the Office of the Ombudsman, alleging violations of the DPA.

The Ombudsman investigated the matter and found that there were no violations of the first principle (right to be informed), the second principle (further processing), or the fifth principle (retention). However, the Ombudsman noted that the data controller did not have a legal basis (data processing condition) for the processing, as required under the first data protection principle. In addition, the processing of the vaccination status and PCR testing was excessive, as it was not necessary to meet the obligations under the Labour Act, which was the legal basis invoked. A reminder email to employees who had not yet provided their data, sent without the use of BCC, risked allowing inferences to be made about the individuals’ health and/or medical status, and therefore violated the seventh principle.

The processing of personal data that led to the complaints is no longer taking place, and therefore no corrective action was required. As requested by the Ombudsman, the data controller also demonstrated how it was meeting the requirements of the eighth data protection principle, relating to the international transfer of personal data.