HSE breached GDPR with circular about vaccination status, says expert

‘Nightmare of litigation’ created as status disclosed without consent, says Richard Grogan

An employment law expert has warned that the HSE breached data protection laws when it issued communications through a circular to determine the vaccination status of staff.

Richard Grogan told RTÉ radio’s Morning Ireland that a circular had been sent asking staff if they had been vaccinated and stating that, if they did not want to reply, they did not have to do so.

However, he said he knew of one hospital where 30 staff, who had not indicated their vaccination status, were subsequently telephoned by the hospital’s director of nursing.

“That creates huge GDPR issues, because the issue then is every frontline worker in that hospital has had their vaccination status told because the director of nursing now knows whether you’re vaccinated or not vaccinated.”


Mr Grogan said he was not aware that any health and safety assessment had been completed and he maintained that the circular itself breached data protection.

“What they’ve done is created a GDPR nightmare of litigation because everybody in the frontline now have a situation where their status has been disclosed without their consent. This could easily have been done by putting in place a proper risk assessment and dealing with it on that basis.

“The Data Protection Commission has said that even asking those questions is contrary to GDPR unless you’ve got a risk assessment done in advance, and I have no evidence that that risk assessment was done and given to staff before they got it, so that’s the real issue here.

Risk assessment

“Unfortunately in this country we have different organisations responsible for this and there are certain steps that need to have been taken. The first one was there needed to be risk assessment, that needed to be given to staff, then there needed to be a direction from Nphet that this was required, and then because the HSA is responsible once you get inside a workplace, the HSA would then have had to give a direction that this is going to be required in the workplace,” he explained.

When asked if he would be representing staff who were involved, Mr Grogan said he did not have any signed up yet, but a number had contacted him about this issue. On being asked the numbers involved, he said it was “a significant number”.

“I know one hospital where 30 people did not wish to disclose their status and all of those 30 received a telephone call.”

Mr Grogan said the problem was there were five different groups handling the issue, “all going their own way, we have no co-ordinated group and nobody is asking the questions.

“I accept that the HSE has a really strong argument to say they have to keep Covid out, nobody wants Covid anywhere, I don’t want Covid, but they have to comply with the rules.

“You can’t retrospectively solve a GDPR breach.”