Data Protection and GDPR for PR Consultants

Clíona J. M. Kimber S.C. Bar of Ireland

Address to PRII: 15 September 2021

The issues

Data protection is very important for in-house and agency PR consultants, who range from those working in public and private sector organisations to sole traders to senior agency leaders / MDs who advise across the areas of reputation, consumer / FMCG, public affairs, finance, construction and internal communications, to name but a few.

Data management of project communications for large infrastructure projects is also a big issue, especially around public consultations on projects.

Brexit has thrown a spanner in the works, especially where there is uncertainty about where computer servers are housed.

Much, but not all, of what is sent on behalf of clients or employers by public relations professionals to journalists is unsolicited e.g., media releases, invitations to events. Generally, public relations practitioners and press officers have access to a media contacts database/s in some format e.g., Excel. These databases commonly contain journalists’ names, who they work for, their work and possibly personal email address, their work and possibly personal mobile number.

According to the GDPR, storing or using such data constitutes ‘processing’ personal data. Journalists have the same rights in relation to their personal data as any other person under GDPR. Public relations practitioners and press officers must therefore ensure they are compliant with the GDPR. Breaches of these regulations can have a severe impact on organisations, including onerous fines.

All members of staff who have access to, or store on their phone, laptop etc., data such as mailing lists or databases of contacts must therefore be made aware of the GDPR and act within the regulations.

I will look at the following matters:

  • The GDPR
  • Principles
  • Key issues and solutions
  • Database management
  • Privacy & data protection policies
  • Consent at events, photographs
  • Some Stories on Enforcement
  • The Learnings



The GDPR, in article 5, sets out 5 key principles. These are not aspirations, but are serious obligations placed on the controller or processor should they elect to process any personal data, regardless of the extent or duration. The principles are that personal data must be:

  • Collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘purpose limitation’);
  • Processed lawfully, fairly and in a transparent manner (‘lawfulness, fairness and transparency’);
  • Restricted in their disclosure and processing;
  • Taken care of in storage, processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (‘storage limitation’);
  • Accurate and, where necessary, kept up to date (‘accuracy’).

Article 5 also provides for an additional principle, directed at the controller, that it shall be responsible for, and be able to demonstrate compliance with, the above principles (‘accountability’).


In brief, the most common areas of difficulty are:

  • The scope of ‘personal data’. What is personal is very broad – it is defined as ‘any information relating to an identified or identifiable natural person’ and is not limited to ‘identifiers’;
  • Lawfulness of processing – there are six reasons in legislation, but in essence three – reasons (a), (e) and (f) of the list of six – are applicable to public relations:

(a) ‘consent’, which must be freely given, explicit, informed and revocable at any time, or legitimate interest.

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

  • Sensitive personal data

The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation is prohibited unless there are two good reasons.

  • What is a legitimate interest – in brief, it is something really necessary for your business, bearing in mind that unsolicited mailing and sales are not permitted. This will be looked at in more detail under Key issues and solutions;
  • The need to exercise due care in the retention of data;
  • Confidentiality of data is to be preserved and there should only be limited sharing of data; even within the workplace, information should be kept secure and access should only be on a need-to-know basis;
  • Confidentiality should be preserved and secure systems and devices ensured while working at home;
  • Transfers to ‘third countries’ may be problematic, and this can include cloud storage abroad. Therefore, the laws of that third country need to be considered to determine whether or not any effective technical measures can prevent any access from infringing on the rights of a data subject.

Transfers to the UK will be considered transfers outside of the EU/EEA and will require a mechanism to ensure an adequate level of data protection. Fortunately, the EU Commission formally adopted two UK adequacy decisions on 28 June 2021, one under the GDPR and the other under the Law Enforcement Directive (LED). This means that personal data can continue to flow freely from the EU to the UK, without putting in place additional safeguards, such as the Standard Contractual Clauses. They are of a four-year duration.

Key issues and solutions

Lawfulness of processing databases of contact

There are many practical questions facing PR professionals. Can I keep a database of journalists to e-mail them your press releases? Can my PR agency keep a database? These are thorny questions and there is no definitive answer to them yet, as many edge cases will be decided by the judiciary.

The main basis for lawful processing is legitimate interest. To rely on this successfully to justify keeping all the databases and e-mailing contacts, the specific interest in question must be identified for the data subject.

So, what is the specific interest? A fair and reasonable interpretation of GDPR is that public relations agencies and in-house departments would be exercising a ‘legitimate interest’ in storing and processing journalist data and contacting journalists to provide relevant information. Remember, access to the media is important not just for big corporates but small businesses, charities and pressure groups too – organisations of all types and sizes.

If public relations professionals have to get specific consent from every journalist for every client and every campaign (granularity of consent built into GDPR), then this will be very difficult for public relations. It could be said that good journalism and reporting are necessary for democracy, which is in the public interest.

A public interest case could actually be made for communications with  You can argue that the impact of the media is so great, that it is necessary to monitor what the media are writing and which journalists in particular are following your industry.


There is a good case to be made that companies have a legitimate interest to manage a list of stakeholders.

The corporate communication best practices say that you should have a good overview of your stakeholders.

That means that, at a minimum, you need to have a list of stakeholders and their representatives – as well as some classification and information about their views. You can think of stakeholders like:

  • Federations and associations
  • Policy makers
  • Regulators
  • Local organisations
  • NGOs and pressure groups
  • Unions

For example, if you are working for a chemical plant, it makes sense to have a database of contacts in surrounding residential areas, such as local authorities, Gardaí, fire service, residents’ organisations.

But also, perhaps, groups that might have goals that are at odds with your organisation, such as competitors.

Right to Object

However, a scattergun approach to contacting journalists or stakeholders is not likely to be permissible, e.g. sending a press release on a food product to a sports journalist. This may be seen as spam and would not be covered by legitimate interest. In any event, it is also likely to be bad business, as a journalist who keeps getting irrelevant press releases from you is likely to ignore them.

Don’t forget also that a journalist or stakeholder has the right to opt out, and also to request access to the data you hold on them.

Photographs at Events

A picture tells a thousand stories, and that is why photographs are so important for public relations. Where events take place, a few good photos can be the hook to good publicity. However, the taking of images of those present, and what you do with them is a minefield for GDPR.

For example, one large company which sponsored an award for persons with disabilities, kept the pictures on its website for many years. While the award was a stepping stone at the outset, the image became a hindrance as the person had moved into long term employment and wanted more privacy around their particular disability.

The Guidance Note of PRII “GDPR Information for Public Relations Professionals Compiled by the Public Relations Institute of Ireland 2018” is extremely useful and has very good advice.

“Personal data includes photographs and images which do/can identify an individual. PR professionals are used to using photography release forms and this should be continued.

Images also need to be stored in a safe and secure manner. Bear in mind that under GDPR this data is included in the right of individuals to know what data you hold on them and people can request for such data to be deleted.

In crowded situations, for example, at an event it may not be possible to get consent from everyone so consider making it clear by announcement, notice on invitations, and on-site signage that there will be photography or another image recording taking place.”

A Privacy Notice should confirm that an organisation is aware of, and operating in alignment with, the GDPR, that only necessary data is held, that it is held for the legitimate interest of doing business, that the data is secure, that it will not be shared, and that it can be amended or deleted at the request of the individual data subject within one month, on request.

A sample given by PRII is:

“Please be advised that [photographs, video, livestreaming] will be [taken, made, taking place] at this event. These materials may be used by [name of company/companies] and included in [publications, media materials, promotional materials, digital platforms and social platforms]. If you do not wish to appear in any images captured, please contact a member of [company] staff on site. [Company] can then take appropriate steps to comply with your wishes.”

Some stories on enforcement

The GDPR and Data Protection Act provide the Data Protection Commissioner with a raft of significant powers, including investigative and corrective powers and the authority to impose administrative fines of up to €20 million or 4% of global turnover, or a maximum of €1m for state bodies. Any fines must be effective, proportionate and dissuasive. The DPC has published very detailed and comprehensive decisions which provide significant clarity on how the DPC considers imposing a fine.

The DPC, as the Lead Supervisory Authority for many of the world’s largest controllers and processors, is placed in a unique and powerful position to enforce the GDPR. However, as many of these controllers and processors are engaged in cross-border processing of personal data, the one-stop-shop mechanism often comes into play.

The mechanism means that any draft decision the DPC comes to in Ireland needs to be sent to the Concerned Supervisory Authorities in other countries, and the same is true for the equivalent of the DPC in other countries. However, there has been controversy over the fines of our Irish DPC – that they are too lenient, and we have been receiving recommendations from the EU body.

WhatsApp Fine

One example in Autumn 2021 is the fine imposed on WhatsApp where European regulators directed the Irish DPC to increase the fine from what was originally proposed. As a result, the DPC, Helen Dixon, has imposed a record €225 million fine on WhatsApp for “severe” breaches of privacy laws.

The breaches found by the DPC in combination with the EU bodies were a failure to abide by transparency obligations that are placed on data controllers by the GDPR in the context of the possible sharing of personal data between WhatsApp and a variety of Facebook companies. In particular, there was:

  • Insufficient detail.
  • The way in which information was provided was not adequate; the report noted that it was piecemeal and needed a link through to different screens.

The DPC found that WhatsApp had failed to comply with its obligations pursuant to Article 13(1)(d) of GDPR. WhatsApp was criticised for a “very significant information deficit”, in particular that the company provided only 41 per cent of the prescribed information to users of its service and none to non-users. The impact was “particularly severe” on non-users of WhatsApp, who were denied the right to exercise control over their personal data.

Disputed and appealed by WhatsApp

WhatsApp has disputed the fine. “We disagree with the decision today regarding the transparency we provided to people in 2018 and the penalties are entirely disproportionate. We will appeal this decision,” the company said. It has appealed.

It is certainly true that privacy regulators have taken a more aggressive position on enforcement. On July 30 2021 Amazon.com Inc (AMZN.O) was fined a record €746 million for processing personal data in violation of the EU’s GDPR rules. The original complaint was that Amazon’s advertising system was not based on free consent. However, little is known about what Amazon has been fined for.

DPC Prosecutions for sending unsolicited marketing emails and contacts

Another enforcement power which the DPC has is to bring criminal prosecutions against companies who breach GDPR. It has been doing a lot of these.

One example of the type of breach is in relation to the Prosecution on 7th September 2021 in the Dublin Metropolitan District Court against two prominent telecommunications companies in relation to marketing offences under S.I. 336 of 2011.

Three Ireland (Hutchison) Limited pleaded guilty to two charges of sending unsolicited marketing emails to one customer who had not consented to his email address being used by the company for marketing purposes. The complainant opted-out of receiving marketing emails in mid-February 2021. When Three Ireland (Hutchison) Limited attempted to execute the opt-out request an issue arose from a scenario of two records getting sent simultaneously and losing sequence, resulting in its system not being updated correctly. As a result, three further marketing emails were sent to the complainant in the following weeks. The Dublin Metropolitan District Court applied the Probation of Offenders Act in this case on the basis that the company will donate €3,000 to charity.

Vodafone Ireland Limited pleaded guilty to a total of seven charges of sending unsolicited marketing text messages, emails and telephone calls without consent. One case concerned a former customer who had called Vodafone on seven separate occasions to try to opt-out of receiving marketing phone calls to his mobile phone. On each occasion the agent he spoke to did not follow proper procedures and this resulted in him not being opted-out of marketing and receiving further marketing calls. The complainant closed his account with Vodafone Ireland Limited and switched to a different operator due to the marketing phone calls he received.

The Learnings

From these stories on enforcement, PR professionals can see that keeping in line with GDPR is very important for them and their company. While it might seem complex, the basic touchstone is to be aware of peoples’ privacy and their right to be left alone – even if a company wants to contact them. After that, if you have databases and contacts, keep them safe and secure and only accessible on a need to know basis.

Also, from the WhatsApp case we can learn that taking care of data is not enough; a company also has to communicate its policies and be transparent. Thankfully, this is something that PR professionals should already be very good at.



Mandatory Vaccinations in the Workplace

Clíona Kimber SC Barrister

Jennifer Cashman Ronan Daly Jermyn Solicitors

1st July 2021

Covid 19 has highlighted the importance in the workplace of health and safety, hygiene and disease prevention. There has been a huge increase in infection control technology that used to be confined to hospitals and is now increasingly being deployed in the workplace to make it safe. And now, along with all of the measures which have already been implemented by employers to address the risk of Covid-19 in the workplace, the question arises as to what involvement, if any, employers can and/or should have in the country’s vaccination programme which has commenced. In particular, questions arise around whether or not employers can mandate vaccination amongst their workforce.

For businesses that want to get back to work and open up, much of the push for mandatory vaccination will come from their employees, who may view vaccination of the workforce as a prerequisite to returning to the workplace.

As things currently stand, vaccination is voluntary for every individual – there is currently no Government regulation compelling individuals to be vaccinated against Covid 19.

This article therefore considers the question, can an employer require all staff to be mandatorily vaccinated?

  1. Balancing Priorities

Employers have a legal obligation under the Safety, Health and Welfare at Work Act 2005 (“the 2005 Act”) to do all that is reasonable to protect the health of their employees and maintain a safe place of work.

Employees themselves also have legal duties and responsibilities under the 2005 Act to do their best to protect their own health and safety, and that of their co-workers.

Mandatory vaccination, as a health and safety measure on the part of the employer, however, may interfere with personal rights, such as the right to bodily integrity under the Constitution and the right to respect for private life under the ECHR and EU Charter. There may also be legitimate reasons why an individual may refuse to be vaccinated, such as medical or religious issues, which in turn give rise to potential discrimination issues under Employment Equality legislation.

As with all rights a person possesses, these have to be balanced against the rights of others in their society. In relation to the Covid-19 vaccine, the law has to balance the right to life and health of society as against the right to respect for private life. How should this balance be weighed?

As legal guidance, we can look to the European Court of Human Rights, which has considered the justifications for mandatory vaccinations in the broader context of state justification for compulsory public vaccination against traditional infectious diseases such as diphtheria and Hepatitis B.

  2. Rights at Issue

As a beginning, we look to the rights at issue. Article 8(1) of the ECHR provides that

  1. Everyone has the right to respect for his private and family life, his home and his correspondence.

As against that, Article 8(2) allows this right to be limited in certain circumstances

  2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

Turning to decided cases on vaccinations and medical treatment, we can see that as early as 1984, the EComHR stated as its view that ‘a requirement to undergo medical treatment or a vaccination, on pain of a penalty, may amount to interference with the right to respect for private life’ (Acmanne and others v. Belgium, pp 251, 255). However, the question is whether such an interference could be justified by one of the Article 8(2) justifications. In the context of the Covid-19 pandemic, one of those justifications would be the protection of health and the protection of rights of others.

More recently in Solomakhin v Ukraine,[1] where the applicant was involuntarily vaccinated against diphtheria while in hospital for another illness during an epidemic of diphtheria in the Ukraine, the ECtHR reiterated that compulsory vaccination, as with any forced medical treatment, interfered with private life. It noted as follows:

The Court reiterates that according to its case-law, the physical integrity of a person is covered by the concept of “private life” protected by Article 8 of the Convention (see X and Y v. the Netherlands, 26 March 1985, § 22, Series A no. 91). The Court has emphasised that a person’s bodily integrity concerns the most intimate aspects of one’s private life, and that compulsory medical intervention, even if it is of a minor importance, constitutes an interference with this right (see Y.F. v. Turkey, no. 24209/94, § 33, ECHR 2003‑IX, with further references). Compulsory vaccination – as an involuntary medical treatment – amounts to an interference with the right to respect for one’s private life, which includes a person’s physical and psychological integrity, as guaranteed by Article 8 § 1 (see Salvetti v. Italy (dec.), no. 42197/98, 9 July 2002, and Matter v. Slovakia, no. 31534/96, § 64, 5 July 1999).

However, while the ECtHR found that there had been an interference with the applicant’s private life by the compulsory vaccination of Mr Solomakhin, the interference did pursue the legitimate aim of the protection of health.

In another example, Boffa and others v San Marino[2], the EComHR acknowledged that the interference arising from the compulsory vaccination of the applicants’ children against hepatitis B was justified by one of the legitimate aims listed in ECHR Article 8(2), namely the need to protect the health of the public and of the persons concerned (p 34).

In the case of Jehovah’s Witnesses of Moscow v. Russia,[3] the ECtHR specifically referred to mandatory vaccination during a pandemic as a potential justification for limiting personal rights.  This case concerned the banning of the Jehovah’s Witnesses in Russia, including on the basis that they prevented their members from receiving blood transfusions. The Court held that the freedom to accept or refuse specific medical treatment is vital to the principles of self-determination and personal autonomy.  Therefore

‘absent any indication of the need to protect third parties – for example, mandatory vaccination during an epidemic – the State must abstain from interfering with the individual freedom of choice in the sphere of health care, for such interference can only lessen and not enhance the value of life’ (para 136).

The Court indicated therefore that the right to private life could in principle be limited for the protection of third parties.

  3. Proportionality

Simply to have a justification for the interference is not enough, however; the way in which the interference is carried out must be proportional to the aim to be achieved.

The case law of the ECtHR has repeatedly ruled that any interference with a right, even if justified by a legitimate aim, must be proportionate to the aim pursued (Dudgeon v. the United Kingdom[4], paras 51-53).

We can see, however, in Solomakhin v Ukraine that the court will give very strong weight to measures to protect public health and to deal with the need to control infectious diseases:

“36. In the Court’s opinion the interference with the applicant’s physical integrity could be said to be justified by the public health considerations and necessity to control the spreading of infectious diseases in the region. Furthermore, according to the domestic court’s findings, the medical staff had checked his suitability for vaccination prior to carrying out the vaccination, which suggest that necessary precautions had been taken to ensure that the medical intervention would not be to the applicant’s detriment to the extent that would upset the balance of interests between the applicant’s personal integrity and the public interest of protection health of the population.”

Indeed, the Court paid attention to the fact that the medical staff had checked the suitability of the applicant for vaccination prior to carrying out the vaccination and to the fact that necessary precautions had been taken to ensure that the medical intervention would not be to the applicant’s detriment to the extent that there would be an imbalance of interests between the applicant’s personal integrity and the public interest of protecting the population’s health (para 36).

It is also notable that the Court remarked that the applicant did not give any explanation for refusing the vaccination.

“37.  Furthermore, the applicant himself failed to explain what had prevented him from objecting to the vaccination, when previously he had objected on several occasions.”

In the Irish context, it is notable that one of the judges on that case, Ms Justice Ann Power-Forde, is currently a judge of the Irish Court of Appeal. There is likely therefore to be some institutional understanding of the issues in question in the Irish Courts.

A similar approach to Solomakhin was taken by the EComHR in Boffa and others v San Marino in which the compulsory vaccination of the applicants’ children against hepatitis B was deemed permissible.

The ECtHR can be said therefore to have identified three bases to justify compulsory vaccination:

1) public health considerations that necessitate the control of the spreading of infectious diseases;

2) the assessment of whether necessary precautions had been taken with regard to the suitability of vaccination for the individual case at hand; and

3) the need for an explanation from the individual refusing to be vaccinated.

In summary, a State can therefore oblige individuals not to endanger the health of others where their own life is not at risk. However, States should try to strike a fair balance between the right to private life on one hand and the protection of public health on the other.

For over 70 years, every vaccination initiative in Ireland has been operated on a voluntary basis. The Covid 19 vaccine is no different – no individual, even those working on the frontline in the healthcare setting, is obligated to accept vaccination. The World Health Organisation has also cautioned governments against pursuing mandatory vaccination strategies. In the absence of the Government mandating the Covid-19 vaccine, it is difficult to see how employers could establish a legal basis for insisting that employees are vaccinated and if they do so, it is likely to be met with legal challenge.

The position has been most recently addressed by the ECtHR, in the case of Vavřička and others v the Czech Republic, decided on the 8th April 2021. While the complaints had been referred to it in 2013 and 2015, there is no doubt that the Court was answering the questions posed as against the background of the Covid-19 pandemic. The facts were that parents in the Czech Republic had refused to comply with the statutory obligation to vaccinate their children against childhood diseases, including polio. The parents considered that a vaccination was against the interest of their children. In the Czech Republic, failure to comply is a minor criminal offence. As a result of the failure to comply, the parents were fined, denied permission to set up a privately run school, and their children were denied enrolment in a public nursery school. The parents complained that there had been a breach of Article 8 of the ECHR, which guarantees the right to respect for private life, which right can only be interfered with by a public authority in accordance with law and as necessary, among other things, for public safety, for the protection of health or for the protection of rights and freedoms of others. They argued that their right to personal autonomy had been breached in making decisions concerning their health or the health of their children, and the right to care for their children in accordance with their own opinions and conscience.

A number of EU countries made interventions to support the Czech government and several other organisations intervened to support the parents, such as the European Forum for Vaccine Vigilance. The German government submissions were especially interesting, and the rationale applies to the Covid-19 debate:

“The German Government observed that compulsory vaccination aimed to protect not only those vaccinated but also society as a whole and, in particular, vulnerable persons who cannot be vaccinated themselves on account of their age or state of health. If the vaccination rate is sufficiently high, the threshold for measles being 95% of the population, a given disease can be eliminated. Despite efforts to raise awareness, the rate of voluntary vaccinations achieved in Germany never reached more than 93%. This was the challenge faced by the legislature when adopting the legislation.”

The ECtHR ruled that compulsory vaccination constituted an interference with the right to respect for private life. Therefore, it was only justified under Article 8 if the interference was for the purpose of a legitimate aim, a pressing social need and in line with the principle of proportionality. The Court held that countries are under an obligation to protect the life and health of all who live in the country, and that the Czech Republic. It referred to the fact that protection for all arises from a full schedule of vaccination and that “those to whom such treatment cannot be administered are indirectly protected against contagious diseases as long as the requisite level of vaccination coverage is maintained in their community, i.e. their protection comes from herd immunity.” (para 288)

It concluded that where a policy of voluntary vaccination was not sufficient to achieve and maintain herd immunity, countries may reasonably introduce a compulsory vaccination policy in order to achieve an appropriate level of protection against serious diseases. The Czech Republic had also, the Court concluded, gone about its policy in a proportionate manner – the sanctions were reasonable compared with the risk. The exclusion of a non-vaccinated child from attending a nursery school was reasonable.

In other words, compulsory vaccination could be required to achieve herd immunity.

The decision in Vavřička is a very important legal support in Ireland for employers who do not wish to allow employees in the workplace who are not vaccinated.

In reality cannot force an employee to undergo a vaccination for the reasons outlined above.  However, they may wish to impose a sanction on employees who are not vaccinated, from exclusion from the workplace, removal from certain areas of work or projects where their non- vaccinated states might endanger others, or even dismissal.

Looked at this way, we can get some guidance from cases in which employers have required employees to dress in a certain way as a condition of keeping their jobs. Perhaps one of the most widely known cases is that of Eweida v United Kingdom[5], in which a member of British Airways’ check-in staff complained that its uniform policy, which banned visible jewellery, prevented her from wearing a plain silver cross as an expression of her Christian faith. This case attracted controversy in 2013 when the ECHR declared that BA’s uniform policy was incompatible with Ms Eweida’s freedom of religion and, in particular, her right to manifest her religion through the wearing of a crucifix.

Conversely, at the same time, the ECHR rejected a similar complaint by Mrs Chaplin, a nurse employed by Royal Devon & Exeter NHS Foundation Trust. Whilst the court also recognised Chaplin’s right to manifest her religion, the key distinction in the case was that the trust’s policy was justified for health and safety reasons.

The decision in Vavřička and others v the Czech Republic will be delivered this year.  In the meantime, where does that leave employers?

  1. Employers and Compulsory Vaccination

Employers are of course in reality in a different position to State Governments, which can weigh up the position from the perspective of an entire population.  However, the duties on the employer under the 2005 Act, and corresponding duties on the employees to their co-workers, can be analysed on the same lines.

It would seem sound in law for an employer to oblige individuals not to endanger the health and safety of others where their own life is not at risk. However, employers must strike a fair balance between the right to private life on one hand and the protection of the health and safety of co-workers on the other.

More practically, this means that employers would have to look very specifically at what is needed to preserve health and safety in their workplace and at all other options, before laying down a rule that its employees had to be vaccinated or be dismissed.

Of note, the HSE has not mandated vaccination for their workers so it is hard to see how other employers could justify seeking to mandate it – even where they have a risk assessment to back it up.  In any event, even if they could mandate it, there are issues and considerations in terms of data privacy, the constitutional right to bodily integrity, as outlined above, together with potential equality discrimination issues, also referenced above.

Furthermore, there is a question over whether employers are even entitled to ask employees if they have been vaccinated as there may not be a legitimate basis for this under data protection legislation.

It is worth noting that, when assessing the health and safety risk from a non-vaccinated employee, it is not currently clear whether someone who has received the vaccine can still be infectious to other people. Accordingly, if the vaccine does not eliminate the threat of transmission of Covid-19, then it would be difficult to argue that a requirement for mandatory vaccination in the workplace is validly justified.

  1. Risk Assessment: emphasis in the obligation on doing what is reasonable and proportionate

Covid-19 in the workplace context is primarily a health and safety issue. Therefore, in looking at mitigating against the risk of Covid-19 in the workplace, employers should be liaising with their health and safety experts and assessing the risk in the context of the specific workplace. It is advisable to begin with a risk assessment to identify appropriate measures to address the Covid-19 risks. There may be some workplaces, e.g. nursing homes, where the risk is so high that an employer has to insist on vaccination if a person wants to continue with certain work, and re-deployment may have to be considered otherwise. Employers and their health and safety advisors should also review the obligations set out in the Government’s Work Safely Protocol when preparing and/or updating their risk assessment.

The obligation on employers to provide a safe place of work is not, however, one size fits all. Acting disproportionately and dismissing the employee where it is not justified could lead to a successful claim against the employer.

For this reason, an employer would be best advised to consider and offer alternatives, if possible, before dismissing the employee for refusal of a vaccination, and certainly should not harass or victimise an employee for not taking the vaccination.

The Health and Safety Authority has recently updated its Regulations on “biological agents” to include Covid-19. The Safety, Health and Welfare at Work (Biological Agents) Regulations 2013 and 2020 (S.I. No. 572 of 2013 as amended by S.I. No. 539 of 2020) and the related Code of Practice set down the minimum requirements for the protection of workers from the health risks associated with biological agents in the workplace. These Regulations require that particular attention must be given to managing the risk from infections, which will include hazard identification, assessment of the level of risk (taking account of who could be harmed and how), identification and implementation of control measures to eliminate the risk where possible, and if not, to reduce the risk to ensure a safe working environment.

The Regulations require that employees receive appropriate training and information on a number of matters, to include the benefits and drawbacks of vaccination and non-vaccination (where effective vaccines are applicable and available). The Regulations also provide that, where there is an effective vaccine available, the employer must offer vaccination, free of charge, to employees. However, the difficulty in relation to the Covid-19 vaccination programme is that employers are not in a position to offer vaccination to employees, in circumstances where the vaccination programme is being managed and administered as a public health vaccination programme. Therefore, employers do not have access to the vaccine for Covid-19 and have no involvement in the vaccination programme. It is unlike the flu vaccine, for example, where employers can make that vaccine available in the workplace to employees.

Therefore, in considering how employers can meet their health and safety obligations in relation to vaccination, it seems that, at a minimum, employers should provide information and education to employees around the vaccine and encourage their employees to be vaccinated to protect themselves and to help keep the workplace safe.  After that, employers should consider all other appropriate health and safety measures in the workplace to mitigate against the risk of Covid-19, such as mask wearing, social distancing and hand sanitisation.

  1. Alternatives to mandatory vaccination – Offer Other options

Depending on what the employer’s health and safety experts advise in terms of the specific workplace risk assessment, there are additional measures which employers can consider in order to mitigate against the risk of Covid-19 in the workplace, as follows:

  • Mandatory testing – this raises GDPR and data protection issues so employers would need to look at conducting a Data Privacy Impact Assessment around mandatory testing, but it can be introduced provided appropriate advice is taken on the legal requirements.

  • Other workplace technology might be appropriate – for example, technology which puts a scanner on a name badge and alerts if an employee is not social distancing.

  • Air testing of air quality and/or air sanitation devices which can decontaminate a room in 45 minutes. There are systems licensed by the Department of Agriculture, Food and the Marine and used by the HSE. There are also decontamination solutions, such as cleaning robots that use UV light to kill viruses. There is of course a cost to such hospital grade sanitation solutions, and whether or not they are reasonable would depend on the workplace and whether the employer is large or small.


It seems that, for now at least, employers cannot mandate vaccination amongst the workforce.  However, employers can, and should, be proactive around the vaccination conversation in the workplace and make information available to employees about the vaccines.

Employers will also need to update their risk assessments and Work Safely protocols to reflect the availability of the vaccine. However, although the provisions of the 2005 Act oblige employers to take steps to remove or minimise any risks identified arising from their workplace risk assessments, employers cannot mandate vaccination, for all the reasons outlined above, and the vaccine is just one piece of the jigsaw in dealing with the Covid-19 threat.  Employers must continue all their existing health and safety measures around Covid-19, including social distancing, masks etc for the foreseeable future.

Clíona Kimber SC Barrister

Jennifer Cashman Ronan Daly Jermyn Solicitors


[1] (Application no. 24429/03) 15th March 2012

[2] Application no.26536/95 15 January 1998

[3] Application no. 302/02 10 June 2020

[4] Application no. 7525/76, [1981] ECHR 5, (1982) 4 EHRR 149, IHRL 31 (ECHR 1981), 22nd October 1981

[5] (Applications nos. 48420/10, 59842/10, 51671/10 and 36516/10) 15 January 2013