Appearance and validation
Applicable businesses
Use for staff
Compliance with data protection law
Staff equality issues
Should using pass be made voluntary or compulsory?
What if it is made compulsory and then someone refuses?
How to identify if individuals are exempt from vaccination or testing
Practical considerations

The new NHS COVID Pass offers businesses an easy way of discovering an individual's covid-19 status but there are legal issues to consider first. This insight considers the key data protection and equalities issues raised by using the pass for staff.


The NHS COVID Pass is available in England to individuals aged 18 or over. The current requirements for obtaining a pass are as follows:

  • two doses of the Moderna, AstraZeneca or Pfizer vaccine or one dose of the Janssen vaccine, with the pass available two weeks after the second dose (Moderna, AstraZeneca and Pfizer), or two weeks after the single-dose Janssen vaccine;

  • a negative PCR test or rapid lateral flow test within the past 48 hours, with the pass available as soon as the test result is available; or

  • a positive PCR test within the past six months, with the pass available after self-isolation has finished and up to 180 days after taking the test.

The NHS COVID Pass is already being used for some large events in England (on a trial basis) and fully vaccinated individuals can use it as evidence for overseas travel. It was made widely available in England from 19 July 2021.

Appearance and validation

The government have provided various examples(1) of valid NHS covid-19 passes. Most users are likely to have obtained a digital version of the passes through the NHS app. This shows a barcode, a green stripe across the bottom of the screen and the date of expiry. The digital NHS COVID Pass is time-limited (even where an individual is fully vaccinated) but can be renewed.

It is possible to verify the barcode by using a separate app released by the Department of Health and Social Care, named the NHS COVID Pass Verifier. The app is freely available to download and allows a camera to scan an individual's barcode on a device or printed out copy.

Used for domestic purposes, the app will either confirm the barcode is valid or expired.(2) The verifier will see the individual's name, and either a green tick to confirm the QR code is valid and the date when the pass expires or a grey box stating the QR code is not recognised or has expired.

Applicable businesses

The government has encouraged use of the pass in England for customers in high risk settings. These are events and other settings where people are likely to be in close proximity to a significant number of people from outside their household for a prolonged period of time. The guidance(3) gives the following examples:

  • crowded, unstructured indoor settings such as nightclubs and music venues;

  • large unstructured outdoor events such as business events and festivals; or

  • very large structured events such as business events, music and spectator sport events.

The guidance is clear that essential services and retailers, in particular businesses that were able to stay open during lockdown, should not be using the NHS COVID Pass.

The government considers that nightclubs should currently be using the NHS COVID Pass as the socially responsible thing to do(4) until late September when evidence of full vaccination will be compulsory.

Use for staff

The emphasis so far has been on using the pass for customers and visitors, not staff. The government position on using the pass for staff is currently unclear. A government press release(5) heralding over ten million downloads of the official NHS app stated the app would help allow people to "start returning to workplaces" as well as travelling and attending large events but, at the same time, government sources are reported to have denied that workplaces will be encouraged to use the NHS COVID Pass for staff.

The working safely guidance, which includes detailed guidance for different types of setting, only specifically mentions the use of the NHS COVID Pass in the guidance for events and attractions(6) and restaurants, pubs, bars, nightclubs and takeaway services (specifically for nightclubs),(7) and only in connection with customers rather than employees.

However, pending further clarity in the guidance, employers could consider introducing use of the NHS COVID Pass as an additional safety measure for staff, especially given that the legal rules on social distancing and mask wearing have been lifted. It may be attractive in a number of situations including:

  • as an extra safety measure in settings where staff have to spend prolonged periods in close proximity to customers;

  • as part of a gradual reopening of the office, where staff could show a pass on arrival or continue working from home if they do not have a valid pass to cover that day; and

  • where employers have decided to implement lateral flow testing for staff and wish to exempt fully vaccinated individuals and those with assumed immunity from any repeat testing policy.

Employers should note, however, that the NHS COVID Pass is designed for use in settings in England. Other parts of the United Kingdom have different arrangements.

Compliance with data protection law

The Information Commissioner's Office (ICO) has recently published data protection guidance(8) on using the NHS COVID Pass.

The ICO guidance explains that it is possible for business to use the NHS COVID Pass to allow access to workplaces without processing any data, by choosing not to scan the barcode and by making sure that none of the information is written down or stored in any way. This approach involves someone simply looking at the pass at the point of entry, without using the scanner and without keeping any records.

If staff are denied access, for example due to an expired NHS COVID Pass, it may be more difficult to avoid record-keeping in roles where the employee cannot return to work from home, although it will be up to the employer to decide how absence is recorded in these circumstances.

If the employer chooses to scan the barcode, or to create any records of any kind about someone's covid status, the employer will be processing special category health data. This means that, to comply with data protection law, the employer would need to do the following:

Identify legal basis for collecting data
The safest legal bases will be compliance with legal obligations and/or "substantial public interest". This means that preventing the spread of the virus and complying with the duty of care to employees need to be at the root of the justification rather than, for example, customer or staff preference or boosting confidence.

Carry out data protection impact assessment
This sets out the proposed ways that data will be processed, the risks to data subjects, and the ways in which such risks will be mitigated (eg, by limiting the number of people who have access to the record, only keeping records for as long as they are necessary and complying with the other GDPR principles).

Respect principles of transparency, proportionality and security
Details must not be kept for longer than necessary. Inform employees why their information is being processed, how the information will be stored, how long it will be retained and who will be able to access it.

Staff equality issues

Using the NHS COVID Pass raises fewer discrimination issues than a compulsory vaccination programme because it provides other routes to demonstrating covid status. Using the pass could nonetheless still indirectly disadvantage individuals with characteristics that are protected under the Equality Act 2010, so the equalities issues need to be considered. The main groups that could be disadvantaged, their potential claims under the Act and the mitigating steps that may be taken to reduce risk are set out below:

Employees who are too young to have been double vaccinated
This is a diminishing group. These employees may regard themselves as being put at a disadvantage because (unless they have previously tested positive using a PCR test and gain the pass through assumed natural immunity) they will have to submit to regular testing in order to obtain a pass. This could therefore be indirect discrimination against younger employees. This could be justifiable as a proportionate means of achieving a legitimate aim if there are workplace safety reasons to use the pass.

Employees who cannot accept vaccine for medical or belief reasons
The numbers falling into these categories are likely to be small.(9) As with employees who are too young to have been double vaccinated, these employees may also regard themselves as being put at a disadvantage because (unless they have previously tested positive using a PCR test and gain the pass through assumed natural immunity) they will have to submit to regular testing. This may be justifiable as a proportionate means of achieving a legitimate aim if there are workplace safety reasons to use the pass. If there are medical reasons why a person cannot submit to testing, employers would need to consider this on case by case basis.

Employees not vaccinated in England
The pass only shows that an individual is double vaccinated if they had both doses in England. Using the pass therefore has the potential to be indirectly discriminatory on grounds of race/nationality, especially for example in relation to employees who have only recently started work in England or are working here temporarily. Employers could easily mitigate this risk by accepting alternative evidence of vaccination.

"Digitally excluded"
It is possible to obtain a paper copy of the NHS COVID Pass, but only once double vaccinated. Paper copies cannot be used to show test results. There may be some arguments about whether this system disadvantages certain groups, especially the very elderly, but they are unlikely to be relevant when using the NHS COVID Pass for staff rather than customers.

Should using pass be voluntary or compulsory?

Employers keen to use the NHS COVID Pass but also to avoid risk could begin by making use of the pass voluntary to begin with, using the same social responsibility angle the government is applying to nightclubs and large events settings.

A voluntary approach reduces the risk of discrimination claims as there is no disadvantage to those who do not volunteer. It also mitigates any data protection risks arising from the creation of records and processing of health data, because individuals volunteering to share information are much less likely to make a data protection complaint and a policy is more likely to be proportionate if there is no mandatory element.

Some workforces may find they have a very high uptake of the vaccination making the ongoing use of the NHS covid pass unnecessary. Some employees who are not vaccinated may agree to voluntary regular testing as a result of wanting to be seen to do the right thing.

If an employer decides that a voluntary approach is not sufficient, then it could consider making the use of the pass compulsory. For employees who are unvaccinated, this will mean compulsory lateral flow testing unless they have already tested positive for covid-19 in a PCR test in the previous six months. Employers will need to consider how staff should obtain the tests, whether they should do the tests at home or as part of an ongoing workplace testing programme, and any national minimum wage issues.(10)

Employers will also need to consider difficult issues about pay if an employee does not take a lateral flow test in time to achieve a valid pass. Any approaches taken, including regarding disciplinary action, should be recorded in a written policy communicated to staff in advance. It would also be advisable to ensure that employers consult with employees about the use of the pass as part of their consultation on health and safety arrangements.

What if it is made compulsory and then someone refuses?

If use of the NHS COVID Pass is mandatory, employers should have a written policy outlining the rationale and how a refusal would be dealt with. For example, a refusal may be classed as a failure to follow a reasonable management instruction, resulting in disciplinary action. In the event that an employer dismisses an employee for refusing to cooperate, employees may bring claims relating to data privacy or discrimination (see above) and employees with more than two years' continuous employment would also be eligible to bring an unfair dismissal claim. It would then be for an Employment Tribunal (ET) to assess the reasonableness of the employer's decision to dismiss.

Before moving to discipline or dismiss an employee, employers would of course need to discuss the problems and look for solutions. For example, an employee may have been advised not to be vaccinated for medical reasons and may be finding repeated testing challenging. Solutions might include allowing an exception, redeployment to another role, or potentially keeping the employee working from home where possible.

How to identify if individuals are exempt from vaccination or testing

In the government's July 2021 review(11) of whether the pass should be mandated, it said that it will also allow individuals to demonstrate their exempt status in exceptional circumstances where a clinician recommends vaccine deferral or that vaccination is not appropriate and where testing is also not recommended on clinical grounds.

The government guidance(12) currently states that individuals with medical reasons precluding vaccination or testing may be asked to self-declare their medical exemption. Further guidance on this position is awaited.

Practical considerations

In summary, practical issues to consider before implementing the NHS COVID Pass for staff are as follows:

  • Consider the possible use of the NHS COVID Pass in the context of a risk assessment. Is a voluntary approach enough alongside other measures, or do the circumstances justify a mandatory approach?

  • Decide if it is necessary to scan barcodes or keep records. Is it feasible to avoid data protection requirements by simply looking at the pass on entry without writing anything down? When using the pass for staff, is it necessary to verify the pass by scanning the barcode?

  • Explain the proposals to staff as part of an ongoing engagement/consultation with staff on health and safety measures. (For further details please see "End of lockdown restrictions – what does new workplace safety guidance say?".)

  • Plan on how staff passes will be checked on entry in a way that minimises disruption to shift times and without putting other aspects of health and safety at risk, for example by creating crowds at entrance barriers.

  • Consider any relevant policies regarding sick pay and absence management, bearing in mind that regular testing could result in more staff needing to isolate.

  • Ensure staff are trained on the different ways an individual can demonstrate their status, for example by having a paper copy of the NHS COVID Pass.

  • Ensure staff are trained on how to deal with an individual claiming to be exempt. Consider any processing of special category health data as a result.

  • Ensure that staff are aware that other health and safety measures remain in place.

  • Keep any policy under review in line with the changing situation with covid-19.

‚ÄčFor further information on this topic please contact Lucy Lewis, Sean Illing or Helen Coombes at Lewis Silkin by telephone (+44 20 7074 8000) or email ([email protected], [email protected] or [email protected]). The Lewis Silkin website can be accessed at www.lewissilkin.com.


(1) Further information is available here.

(2) Further information is available here.

(3) Further information is available here.

(4) Further information is available here.

(5) Further information is available here.

(6) Further information is available here.

(7) Further information is available here.

(8) Further information is available here.

(9) Further information is available here.

(10) Further information is available here.

(11) Further information is available here.

(12) Further information is available here.