The Information Commissioner’s Office (the ICO) has published guidance (the Guidance) for employers on how to securely manage their workers’ health data. The Guidance is aimed at helping employers understand their obligations under the Data Protection Act 2018 (DPA 2018) and UK GDPR.

An employer’s guide to understanding UK GDPR and DPA 2018

The Guidance explains the importance of an employer’s compliance with UK GDPR and DPA 2018, particularly in the context of processing a worker’s health information. As a worker’s health data is considered particularly sensitive and is therefore afforded a special level of protection under UK GDPR, the Guidance emphasises that there are specific rules an employer is obligated to follow when dealing with such data. The Guidance considers:

  • how an employer can use a worker’s health data fairly (in essence, providing valid justifications for gathering and using health information, ensuring transparency in the process when communicating the necessary privacy information to workers and documenting all decisions made throughout the process); and
  • how an employer can lawfully process a worker’s health data. In lawfully processing a worker’s health data, the Guidance specifies that a “lawful basis” under Article 6 of UK GDPR must be identified. It further details the additional, stricter requirements needed to process special category data under Article 9 of UK GDPR (which encompasses health information).

To assist employers in navigating the legal sphere surrounding the management of health data, the Guidance helpfully identifies the six lawful bases for handling personal data and provides common examples of when these bases might be applicable. The six lawful bases identified are contract, legal obligations, legitimate interests, vital interests, public task and consent. However, as mentioned above, the employer must also adhere to the requirements under Article 9 and identify a special category condition for processing health data. The Guidance outlines the 10 conditions on which an employer might wish to rely and any additional conditions required to satisfy Article 9. The typical workplace scenarios identified revolve around the lawful and good practice procedures an employer should apply when it comes to sharing a worker’s health data, administering sickness absence documentation and managing information concerning a worker’s impairment or disability. The Guidance is helpful in that it directly answers key questions an employer may have in the context of health data, such as “How do we handle sickness and injury records?” and “What if we use medical examinations and drugs and alcohol testing?”. The Guidance clearly outlines the relevant legal requirements and provides good practice advice for each of these common questions.

To assist employers further in ensuring compliance with data protection rules in the context of a worker’s health data, the ICO has also provided several checklists which can be easily accessed by employers whenever they are required to process such information. The checklists can be found here and relate to circumstances involving genetic testing, occupational health schemes, health monitoring, sickness and injury records, and sharing a worker’s health information.

Key takeaways

The Guidance should provide greater certainty for employers about their legal obligations when handling a worker’s health information and will hopefully protect a worker’s data protection rights in doing so. It is clear that this new guidance for employers ties into the ICO’s strategic plan (the ICO25) to encourage businesses to handle personal information responsibly and build the public’s trust in how their personal information is handled by their employers.