Tunisian health and legal requirements around the vaccination program

• Tunisia

• Coronavirus - Data and Cyber Security issues
• Coronavirus - Workforce issues

07-05-2021

This article provides a practical guidance to employers in relation to the coronavirus (COVID-19) vaccine in Tunisia, including whether an employer may require its workforce to be vaccinated for COVID-19 and whether employees can properly avoid being vaccinated.

In addition, it also deals with the legal ways of protecting personal data when the people to be vaccinated submit their personal data on a vaccination platform as the one established in Tunisia called « evax » or when the employer is trying to collect health related data to employees’ vaccination status.

I. Can employers implement a mandatory vaccination program?

Nearly all employers will soon be faced with an important decision—whether to require employees to be vaccinated or instead merely encourage employees to be vaccinated on a purely voluntary basis.

On the one hand, no law provision was enacted to require Tunisians to be vaccinated. The vaccination decision remains free until today.

On the other hand, with respect to business reasons, mandatory vaccinations could reduce lost work time, increase productivity, maximize revenues, and cut down on any COVID-19 related legal risks and liabilities.

However, the current vaccination program seems to be very slow. Only few people are registered on the platform (about 900.000) and the priority is given to seniors and people working in the health sector. At this stage, the program only concerns 60 percent of the population in Tunisia. Therefore, at least in 2021, we do not see how employers can implement a mandatory vaccination program. They can only continue to improve their protection program focusing more on testing or other new tools.

II. Is it allowed to collect data about employees’ vaccination?

1. Collecting data for vaccination 

Before deciding to collect the employees’ vaccination status, the goal must be clearly identified and has to show how it can support the business. Sharing private health information is considered to be a special category data. Therefore, the use of such data has to be fair, necessary and relevant to a specific purpose.

However, it should be recalled that the article 14 of the Organic Law n°2004-63 of July 27th, 2004 regulating the protection of personal data is stating that the processing of personal data that reveals, directly or indirectly, the racial and genetic origins, religious beliefs, political, philosophical and trade union belonging, or health is prohibited.

This prohibition provided for the above shall not apply:

• If the data subject has given his explicit written consent;
• If the processing relates to personal data that has become public; or
• If the processing is necessary for historical or scientific purposes; or
• If the processing is necessary for the protection of the data subject’s vital interests.

Furthermore, article 62 of the same Law, states that personal data related to health may be processed in the following cases:

• When the data subject, his heirs or his tutor has given his consent prior to.
• the processing. The provisions of article 28 of the hereby Act shall apply if the
• data subject is a child.
• When the processing is required for the realization of purposes authorized by law.
• When the processing is necessary for the development and protection of public health, among another research related to illnesses.
• When the processing is salutary for the data subject's health or is required to follow-up on the subject's health condition, for preventive or therapeutic purposes.
• When the processing is carried out for a scientific research concerning health.

2. Data protection and personal data sharing for vaccination program

Data protection law is not a barrier to sharing information where it is necessary and proportionate to do so. In fact, in accordance with the provisions of the organic Law number 63 of July 27, 2004, as amended following the accession of the Republic of Tunisia to convention 108 and Convention 108 by organic law number 42 of May 30, 2017, the responsible for processing must inform the data subject of the following information: 

• The Minister of Health is the data controller.
• The personal data collected through the evax.tn site is for the purpose of registering in the Covid 19 vaccination platform and verifying compliance with the vaccination conditions and organizing the process.
• The data collected includes the following information:
  • The first and last name,
  • National identity card number,
  • Date of birth,
  • Address,
  • Cell phone number,
  • Chronic disease.

The processing is limited to the legitimate purpose indicated, in compliance with the principle of necessity and proportionality, and leads to not processing personal data for other purposes without the prior consent of the person concerned.

• The controller takes all necessary measures to update the personal data he processes.
• The personal information of the person concerned is processed by a specialized team subject to professional secrecy.
• The data controller will not communicate the personal data processed to third parties without the consent of the person concerned or after their anonymization, which will preserve their confidentiality and no longer allow them to be identified.
• The data controller is required to keep personal data on Tunisian territory and not to transfer them abroad.
• The data subject has the right to access this personal data and to obtain an electronic or paper copy thereof.
• The data controller takes all the necessary technical and organizational measures and precautions to maintain the security of the data and prevent anyone from modifying, undermining or accessing them without the authorization of the person concerned.
• The controller is required to keep the personal data processed for a period of time sufficient to achieve the specified purpose, and after that either to anonymize or destroy them.
• The data subject has the right to request the rectification or updating of this personal data and their deletion when they object to the processing.
• The data subject has the right to withdraw consent regarding the processing of such personal data.

The rights provided for are exercised with the data controller by e-mail to droit@evax.tn.

The National Body for the Protection of Personal Data is competent to rule on all disputes in this area, and complaints can be sent by e-mail to inpdp@inpdp.tn.

Therefore, communicating health data can only be permitted if (i) the data subject has given consent, (ii) the data is used for a relevant and acceptable reason, and (iii) the employer proves that he has all the equipment and engage to protect the privacy and the confidentiality of the data.