The COVID-19 pandemic has forced many organizations to re-evaluate and transform their approach to crisis and risk management as it relates to their information governance programs. Since the start of the pandemic, several jurisdictions have introduced temporary legislative measures (e.g., proof of vaccination requirements), amended existing legislation (e.g., tax relief measures), imposed new requirements (e.g., remote working), and suspended limitation periods for legal claims and disputes in certain situations. As with any crisis that forces a re-evaluation of data management implications, organizations must ensure that they continue to comply with existing statutory recordkeeping requirements as well as with any new legislative measures and regulatory guidance related to information management (e.g., creation, storage, transfer, and destruction of records).

One of the most challenging pandemic-related issues facing organizations is the range of vaccine-related requirements, which include recordkeeping, reporting, and privacy obligations. Regulatory authorities continue to issue temporary vaccine measures and guidance, so organizations must monitor for new or updated requirements on an ongoing basis. For example, the United States Occupational Safety and Health Administration (OSHA) provides guidance and frequently updates pandemic-related information on its website (e.g., its COVID-19 Frequently Asked Questions). OSHA also issued a COVID-19 Vaccination and Testing Emergency Temporary Standard (ETS), effective November 5, 2021, requiring employers with 100 or more employees to ensure that employees are either vaccinated or tested weekly for COVID-19, and to maintain a record and a roster of each employee’s vaccination status. OSHA treats these vaccination records as confidential employee medical records that must be maintained for as long as the ETS remains in effect. OSHA does not, however, require vaccination status records to be retained under its general rule for certain employee medical records, which is the duration of employment plus 30 years.

Organizations that admit visitors to their facilities or premises, and customer-facing businesses generally, must also be aware of and comply with regulatory measures related to vaccine passports and health passes. In the context of the current pandemic, these “passports” and “passes” generally serve as evidence that an individual has been vaccinated against COVID-19, has tested negative, or has a level of immunity from infection, and they can be provided through physical means (e.g., a paper card or printed certificate) or digital means (e.g., a phone app or QR code). For example, the French data protection authority (CNIL) released COVID-19: Questions and Answers on the Health Pass and the Vaccination Obligation (“CNIL Guidance”), which explains the health pass requirements that are mandatory for patrons and employees entering certain businesses. The CNIL Guidance includes detailed recordkeeping and data protection requirements, including: (i) subject to certain exceptions, businesses must not retain health passes beyond the end of the verification process, in order to prevent subsequent use; (ii) businesses must retain a register of the persons authorized to check the health pass for a set period of time; and (iii) employers must retain proof of vaccination of their employees (where voluntarily disclosed) only as a “YES/NO” response, not the supporting documentation itself, in a personnel file or a dedicated file, until either the date the obligation to present a health pass ends or the end of employment, whichever is earlier. Depending on the jurisdiction, organizations may be permitted to retain only specific types of proof of vaccination documents, and only in a defined format (e.g., a standardized form, facility access logs, a vaccination status database).

In the absence of a defined retention requirement (i.e., retain records for X months/years), organizations should consider retaining vaccination-related records for the duration of local pandemic-related requirements or until the formal end of the pandemic as declared by the World Health Organization (WHO), plus the applicable limitation period during which an employee, customer, or third-party visitor to the organization’s facilities or premises could still bring a claim (e.g., negligence, discrimination, breach of contract, or employment claims). Employers should also keep documentation of vaccination exemptions granted to employees (e.g., medical or religious), as well as documentation of refusals by employees to comply with any mandatory proof of vaccination or disclosure policy where an exemption was not granted.

In assessing whether their information governance programs have adequately integrated appropriate pandemic management measures (e.g., proof of vaccination requirements), organizations should consider the following:

  1. Ensure ongoing demonstrated compliance with applicable legislative requirements and the enterprise records retention schedule, as well as compliance with any applicable temporary pandemic-related regulatory measures.
  2. Adhere to personal data protection principles. This includes retaining personal data only “as long as necessary” for the purposes for which it was collected or processed. In particular, organizations must also comply with local and regional data protection laws when handling vaccination-related records, which contain sensitive personal information (health data).
  3. Assess existing records retention schedules and related policies to determine if there are any gaps related to records required under pandemic-related regulatory measures (e.g., proof of vaccination records, vaccination exemption documentation).
  4. Ensure that vaccination policies and measures are in compliance with local laws and regulations including any records retention and privacy requirements.
  5. Communicate to the relevant internal stakeholders that temporary suspensions of statutory limitation periods do not, by themselves, require any departure from the organization’s compliance with its existing retention schedule.
  6. Document compliance with any applicable emergency legislation and retain relevant documents for a reasonable period of time, based on applicable statutory and operational requirements.

Lisa Douglas is a member of Baker McKenzie’s Technology Practice. She currently focuses on information governance, drawing on a rich background in knowledge management, legal research, and library science to provide compliance advice on the enterprise information lifecycle.
Nadia Rauf is a Research Lawyer with the global Information Governance group within Baker McKenzie’s Information Technology & Communications Practice in Canada. She focuses her legal expertise in the areas of information governance, privacy, media/format, cross-border data transfers, and regulatory compliance, among other areas.