Unlawful requests for data on the vaccination status of minors or adults

Manzoni's bacillus psychosis, together with the illusory power conferred on ordinary citizens, has led to the distortion of the concept of privacy with the spread of actions aimed at discriminating against and violating our health data and those of our children. In response to your requests for help, we have tried to summarize the complex legal framework and provide some protection tools, aimed at containing and combating any abuses, especially with requests regarding your or your children's vaccination status and to do so, we must first of all outline the regulatory boundaries to independently identify when a request is to be considered lawful or when it is illegal.

Let's start with the definition of health data commonly valid throughout the European territory and governed by the GDPR - General Data Protection Regulation (EU/2016/679): “personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information relating to his state of health" (GDPR Art. 4, part. 15) and are included in the broader category of data subject to special treatment (GDPR Art. 9), as they are able to reveal very intimate details of the person, and for this reason there is enhanced protection which prohibits “processing personal data revealing… data relating to health” (art. 9 GDPR)

As we have seen, data relating to health enjoy safeguards which guarantee the data subject who can process them, in the rare cases in which it is possible to do so. This point is important, and it's the second thing you need to fully understand: health data can be "processed by or under the responsibility of a professional subject to professional secrecy in accordance with Union or Member State law or with the rules established by the competent national bodies or by another person also subject to the obligation of secrecy in accordance with the law of the Union or of the Member States or with the rules established by the competent national bodies". (GDPR Art. 9, part. 3)

In summary: European legislation establishes that data relating to health, obviously including vaccination status, are a fundamental right of every citizen and enjoy special guarantees that allow their management only in very limited cases and under the responsibility of a health professional subjected to Professional secret. Generally speaking, any request regarding access to information on your and your children's health that comes from subjects who are not a healthcare professional is to be considered illegal... however, things are not always so linear.

Now we come to today and to the various reasons why we decided to provide you with this type of documentation and, as mentioned above, we will list a series of situations that you have reported to us, in which the request for vaccination status has been the subject of unfortunate situations. Alongside the types of situation, we also make available the corresponding letter or form, so that you can easily find the one most suitable for the single situation that divides into a child or an adult and the degree of countermeasures to be adopted, because we know it well, While we would like everyone to act with the utmost vigor against any illegal data requests, unfortunately, sometimes you have to mediate.

PS For each situation we created two or four different modules. The first division is between minors and adults and the second division is between warning and warning with contextual notification to the Privacy Guarantor. In the second case, in addition to sending a warning refusing to provide data relating to health, a simultaneous notification is made to the Privacy Guarantor asking the structure that requested the data to also provide you with all the legal specifications regarding the management of that data, such as the purposes. It's up to you which document to use.

1. The Grest, Scouts, summer camps ask me for a vaccination booklet.

This case is one of the most vile, often accompanied by claims that result in denials of registration or by citing phantom legal obligations, but the issue is very clear at the regulatory level: it is not possible under any circumstances to request data relating to the vaccination status of any participant, nor guests, nor hired personnel and nor volunteers and any request in this sense must be considered illegal. There are no exceptions, there is no legislation to support this request, they simply cannot manage, store, process much less disclose this data, fine. So simple? Let's hope…

As we told you at the beginning of the article, bacillus psychosis and the giving of false power to ordinary citizens has created a series of situations in which sometimes the person who illicitly requests such documentation is viscerally convinced of some postulates, in reality false, but which have nothing to do with the question of treatment health data. Sometimes parents are told that since there is a vaccination obligation that affects the age group of the participants, then the obligation can also be extended to extracurricular structures: this is absolutely not the case! Also because not even schools are authorized to acquire and manage the data, the ASL does so and only under certain conditions, communicating only any irregularities and never the complete vaccination data (e.g. missing 1 dose or the entire cycle? For which diseases is the child vaccinated? The school must not know about it). 

Faced with the absurd request to provide the vaccination status of minors outside of school, therefore outside of any regulatory case, the first advice we could give you is to report the incident to the Privacy Guarantor and spend your money elsewhere , avoiding that structure. Obviously the choice is up to you, you can decide whether to use the document for the formal notice or the one with an attached report to the Privacy Guarantor.

2. The gym, the soccer course, tennis, horse riding or any other sport ask me for a vaccination card

This case is very thorny and requires a premise: the law of 5 March 1963, n. 292, provides for the vaccination obligation only for the anti-tetanus vaccine for all CONI competitive sportsmen and to understand whether the request is "lawful" or "illegal" it must be verified whether the sporting activity is competitive or non-competitive and and if the sporting activity agonistica is or is not a CONI affiliate. We leave you with our exhaustive article on the point that you can consult , promising but in principle the same principles apply, namely that even in the presence of a legal provision, data relating to health are processed only by a "professional subject to professional secrecy in accordance with Union or Member State law" and, therefore, only at the time of the sports suitability visit of a CONI federated sports club, are you asked to show the health document proving that the tetanus vaccination required by law to allow the prescribed verification and eventual annotation.

Having ascertained whether the request is illegal or not, you can use the document that can be modified for formal notice or the one with the simultaneous notification to the Privacy Guarantor. We tend to be quite firm on the point: has the facility collected health data from minors or adults? It must be reported to the Guarantor as well as sending the warning. To you the choice.

3. The employer asks me for my vaccination record 

As often happens in Italy, when you go into detail the issues become more complex. In general, the employer can never become aware of the vaccination status of the employees. There is an obligation to have an anti-tetanus vaccine, which provides for unfitness to work only for some professions and is regulated by the same law of 5 March 1963, n. 292, and subsequent amendments. If your profession falls within those regulated by law, we invite you to read our exhaustive article on the point, you can find it , promising. 

There is also an obligation to obtain an anti-hepatitis B vaccine for the health professions, but in principle the same principles apply, i.e. that even in the presence of a legal provision, data relating to health are only processed by a "professional subject to professional secrecy in accordance with Union or Member State law" therefore, at the time of the work eligibility visit, you may be asked to prove that the visit has been carried out mandatory vaccination by law, but only by the competent doctor who will not be able to disclose your vaccination status to the employer but only the suitability or otherwise to carry out the job.

Faced with a direct request from the employer or other staff to present health documents, you can use the modifiable document for formal notice and in the most extreme cases, assessing the work situation, you also have the one available with simultaneous notification to the Privacy Guarantor . Compared to the previous situations, here you are in the workplace and we understand very well that the issue is much more thorny. Once you understand the rule, you can also explain the situation of the illegal request verbally, without even resorting to our documents and if ever using them in subsequent phases if the situation does not settle by itself.