Introduction to this document

Vaccination policy

If you’ve determined that your staff need or would benefit from particular vaccines, you should develop a suitable policy before beginning your vaccination programme.


The Health and Safety at Work etc. Act 1974 requires you to take all reasonably practicable steps to ensure the health, safety and welfare of all your staff. The benefits of a vaccination programme provided or promoted by you include the control of infection risks in the workplace and protecting staff from diseases they might be exposed to when travelling overseas for work. In addition, encouraging staff to then be vaccinated, where relevant, is likely to be a further reasonable step to take to reduce the risk to their health. You can therefore use our Vaccination Policy to set out your programme and as one of the ways to provide that encouragement. Note, however, that vaccination isn’t a substitute for other health and safety risk control measures.

Policy contents

Our policy covers the purpose and benefits of vaccination, the range of vaccines that may be offered to staff (you can amend our list as appropriate), how individuals will qualify for the vaccination programme (i.e. which roles and workplace locations), appointing a competent vaccination contractor, etc. Importantly, it adopts a voluntary approach. Whilst it encourages vaccination and asks employees to make informed decisions, it acknowledges that some staff may be unable, or unwilling, to have specific or any vaccines for medical or other reasons. Always obtain an individual’s written consent before any vaccine is administered by a contractor on your behalf.

Data protection

Make sure you’ve complied with data protection requirements in relation to retaining vaccination data on staff, taking into account that it constitutes special category personal data. Your privacy notice will need to explain what vaccination data is to be held, who it will be shared with, how it will be used, how long it will be retained for and what decisions (if any) will be made based on the data held. You’ll also need to identify both a lawful basis for processing and an additional condition for processing under the UK GDPR.