Domestic Vaccine Passports in Venues Other Than Indoor Dining and Data Protection Laws

As you will know, the introduction of domestic vaccine passports for indoor dining was made possible by the enactment of the Health (Amendment) (No. 2) Act 2021 (hereinafter referred to as the “Act”), which was passed by Dáil Éireann on the 14th of July 2021 by 72 votes in favour and 66 votes against. Part 2 of the Act will expire on the 9th of October 2021, unless extended by both Houses of the Oireachtas prior to this date.

As matters stand, the only businesses legally mandated to implement vaccine passports are indoor dining facilities. However, the ICHR have been made aware that an increasing number of businesses, without legal mandate, are electing to implement vaccine passports as a requirement of admission into their premises or as a requirement for access to goods and/or services.

To date we have been advised of the following businesses and venues that have required, or are requiring, production of a vaccine passport for admission purposes or as a condition of service:

  • Access to organ transplant by Beaumont Hospital;
  • Access to indoor canteens by students, on college premises;
  • Access to hospitals in the capacity of a visitor;
  • Access to in-person hospital appointments for children, where the parents are unvaccinated;
  • Access to indoor child soft play areas, unless the parents are vaccinated;
  • Access by players to competitions such as snooker;
  • Access to school information evenings unless parents are fully vaccinated;
  • Access by children to foreign school trips, unless accompanied by an adult;
  • Access to training courses;
  • Access to cinemas; and
  • Access to concerts.

Therefore, should a situation arise whereby the Irish Government withdraw the mandate for vaccine passports in indoor dining facilities, it is quite likely that private businesses will continue to elect to implement such passports without being legally required to do so. We believe that any such processing of health data represents unnecessary and excessive data collection for which no clear legal basis exists and therefore any such processing is illegal.

See the explanation of the law in this area below for further guidance.

1) General Data Protection Regulations

The General Data Protection Regulations (the “Regulations”) which came into force on the 25th of May 2018 lay down rules relating to the protection of persons with regard to the processing of their personal data.

The recitals to the Regulations state that: –

“The protection of natural persons in relation to the processing of personal data is a fundamental right”.

Article 8 of the EU Charter of Fundamental Rights states that everyone has the right to the protection of their personal data and such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned, or some other legitimate basis laid down by law.

Information regarding whether or not a person has been vaccinated against SARS-CoV-2 constitutes health data, which is a type of special category data under the Regulations.

2) Article 6 (Lawfulness of Processing) of the General Data Protection Regulations

In order to lawfully process health data, the data controller must first determine a legal basis for the processing of such data under Article 6 of the Regulations, which is limited to the following:

2.1 The Data Subject has given Consent to the Processing of his or her Personal Data for One or More Specific Purposes;

Please find below the basic requirements for effective valid consent under the Regulations:

Article 7 (Conditions for Consent) of the Regulations provides: –

“1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.”

Recital 32 (Conditions for Consent) provides: –

“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement.”

Recital 42 (Burden of Proof and Requirements for Consent) provides: –

“Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation… Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”

Recital 43 (Freely Given Consent) provides: –

“In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.”

Article 29 Data Protection Working Party: Guidelines on Consent under Regulation 2016/670 Adopted on 28 November 2017 (“WP29”) provides: –

“Generally, consent can only be an appropriate lawful basis if a data subject is offered control and is offered a genuine choice with regard to accepting or declining the terms offered or declining them without detriment.”

“3.1. Free / freely given

The element “free” implies real choice and control for data subjects. As a general rule, the GDPR prescribes that if the data subject has no real choice, feels compelled to consent or will endure negative consequences if they do not consent, then consent will not be valid. If consent is bundled up as a non-negotiable part of terms and conditions it is presumed not to have been freely given.

Accordingly, consent will not be considered to be free if the data subject is unable to refuse or withdraw his or her consent without detriment. The notion of imbalance between the controller and the data subject is also taken into consideration by the GDPR.”

2.2 Processing is Necessary for the Performance of a Contract to which the Data Subject is Party or in Order to Take Steps at the Request of the Data Subject Prior to Entering into a Contract;

Article 29 Data Protection Working Party: Guidelines on Consent under Regulation 2016/670 Adopted on 28 November 2017 (“WP29”) provides: –

“3.1.2. Conditionality

To assess whether such a situation of bundling or tying occurs, it is important to determine what the scope of the contract or service is. According to Opinion 06/2014 of WP29, the term “necessary for the performance of a contract” needs to be interpreted strictly. The processing must be necessary to fulfil the contract with each individual data subject. This may include, for example, processing the address of the data subject so that goods purchased online can be delivered, or processing credit card details in order to facilitate payment.”

2.3 Processing is Necessary for Compliance with a Legal Obligation to which the Controller is Subject;

Please be advised that the only premises entitled, at law, to impose restrictions upon entry to an indoor premises (on the basis of a person’s vaccination status) are those set out under:

  1. the Health (Amendment) (No. 2) Act 2021; or
  2. Statutory Instrument 385 of 2021.

For the avoidance of doubt, a “relevant indoor premises” means an indoor premises:

  • on or at which food or non-alcoholic beverages may be lawfully sold or supplied for consumption on such premises;
  • any business or service that would otherwise be lawfully permitted to sell alcohol for consumption on the premises; and
  • such other indoor premises, or class of indoor premises, that the Minister for Health may prescribe through regulations.

2.4 Processing is Necessary in Order to Protect the Vital Interests of the Data Subject or of Another Natural Person;

The Data Protection Commission Guidance Note: Legal Bases for Processing Personal Data dated December 2019 (the “2019 Guidance”) provides the following: –

“Controllers are most likely to rely on this legal basis where the processing of personal data is needed in order to protect someone’s life, or mitigate against a serious threat to a person, for example a child or a missing person.

Vital interests may be an appropriate legal basis in atypical circumstances, where none of the other legal bases clearly apply. For example, where sensitive special category personal data is concerned, such as health data – potentially in an emergency situation – vital interests may provide both a legal basis under Article 6, but also an exception from the prohibition of processing such data under Article 9 GDPR. Many cases in which the protection of vital interests is relied upon as a legal basis for processing are likely to involve special category health data, and Article 9(2)(c) GDPR allows for processing such data where necessary to protect someone’s vital interests; but, this only applies if the data subject is physically or legally incapable of giving consent.”

2.5 Processing is Necessary for the Performance of a Task Carried Out in the Public Interest or in the Exercise of Official Authority Vested in the Controller;

The Data Protection Commission Guidance Note: Legal Bases for Processing Personal Data dated December 2019 (the “2019 Guidance”) provides the following: –

“This legal basis is likely to apply to a more limited sub-set of controllers, where it is necessary for them to process personal data to carry out a task in the public interest, or exercise their official authority.

Article 6(3) GDPR also sets out that where processing is based on this legal basis, it should be grounded on EU or national law, which meets an objective or public interest and is proportionate and legitimate to the aim pursued. Thus, a controller may rely on this legal basis if it is necessary for them to process personal data either in the exercise of official authority (covering public functions and powers as set out in law) or to perform a specific task in the public interest (as set out in law).”

2.6 Processing is Necessary for the Purposes of the Legitimate Interests Pursued by the Controller or by a Third Party, except where such Interests are Overridden by the Interests or Fundamental Rights and Freedoms of the Data Subject which require Protection of Personal Data, in particular where the Data Subject is a Child.

Where a data controller seeks to rely on the Legitimate Interests basis, they should be aware that such utilisation brings with it heightened obligations to balance the legitimate interests they are seeking to pursue with the rights and interests of the data subject.

The Data Protection Commission Guidance Note: Legal Bases for Processing Personal Data dated December 2019 (the “2019 Guidance”) provides the following: –

“As such, legitimate interests is likely to be an appropriate legal basis in cases where controllers process data subjects’ personal data in a way which they would reasonably expect and which would have a minimal impact on their privacy, by virtue of the nature of the processing or safeguards introduced.

Where there would be a more than minimal impact on the data subject’s privacy rights, or other rights, freedoms, or interests, it may still be possible to rely on this legal basis, but the legitimate interest being pursued by the controller would need to be a particularly compelling justification for processing.”

3) Article 9 (Processing of Special Categories of Personal Data) of the General Data Protection Regulations

In circumstances where the premises can determine a legal basis for the processing of health data under Article 6 (which appears unlikely), the premises should be aware that the processing of special categories of personal data (which includes health data) is generally prohibited unless the premises can avail itself of one of the exemptions under Article 9, which are limited to the following:

  • the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
  • processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
  • processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
  • processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
  • processing relates to personal data which are manifestly made public by the data subject;
  • processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
  • processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
  • processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
  • processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
  • processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

TAKE ACTION

If you have been requested to produce evidence of your vaccination status against SARS-CoV-2 in order to access a premises / goods and/or services (excluding indoor dining facilities), please find the following letters:

Letter 1: Letter to business/venue asking them to confirm the lawful basis for the processing of your special category data. Note that this letter contains a detailed examination of the law in this area, such that any queries around the lawful processing of your special category data should be addressed in this letter. Please note the sections in yellow that require completion.

Letter 2: Failing a response from the business within 7 days (or in circumstances where you receive an unsatisfactory response), you may send this letter to the Data Commissioner asking them to commence an investigation into the unlawful processing of your special category data. Please note that you should send the Data Commissioner a copy of any correspondence you have sent to the business/venue in question and any response received.

It is worth noting that the Data Commissioner has issued two guidance papers regarding Covid-19 which have provided that: i) there is no lawful basis to undertake temperature checking in the workplace; and ii) there is no lawful basis (with the exception of frontline health care workers) to request the vaccination status of employees in the workplace. Given the Data Commissioner’s willingness to address illegalities around the implementation of Covid-19 policies, it is fair to assume that, should the Data Commissioner receive a substantial number of complaints regarding domestic vaccine passports, she may see fit to issue a guidance note on same.

© Copyright - Irish Council for Human Rights