At the end of August, the Information Commissioner’s Office (ICO) released new guidance for employers on their data protection obligations when processing health data about their workers.

This is part of the ICO’s plan to update its Employment Practices Data Protection Code and provide new resources for employers.

It follows recent guidance from the ICO on other matters of interest to employers, including monitoring employees and data subject access requests.

There is nothing new in the guidance and employers who are already complying with their obligations in respect of employees’ health data should not have to make any changes to their existing practice.

It does, however, provide an accessible resource for organisations, and it includes a number of helpful practical examples, which make it user-friendly for those employers who do have questions about the right thing to do.

Health information is amongst the most sensitive personal data that employers are likely to process about their workers. It is ‘special category’ data for the purposes of data protection legislation and is therefore afforded the highest level of protection.

Despite this sensitivity, the ICO acknowledges that there are many circumstances in which employers will need to process information about their employees’ health. These include holding information to enable the payment of sickness pay, and the implementation of reasonable adjustments under the Equality Act 2010. With this in mind, the ICO has a dedicated section explaining which of the lawful bases for processing employers are most likely to be able to rely on under the UK GDPR and the Data Protection Act 2018.

First, there should be a lawful basis for processing under Article 6 of the UK GDPR. The ICO advises that the most likely are:

  • performance of a contract;
  • legal obligation;
  • legitimate interests; and
  • (rarely) vital interests.

For health data, employers need to couple one of the above grounds with a ground under Article 9 of the UK GDPR (and potentially Schedule 1 of the Data Protection Act 2018); for example:

  • employment, social security and social protection law;
  • the defence of legal claims; and
  • substantial public interest.

The ICO reiterates the difficulty of relying on consent in an employer/employee situation. It explains: ‘This is because, as an employer, you will generally be in a position of power over your workers. They may fear adverse consequences and might feel they have no choice but to agree to the collection of their health information. Therefore, they cannot freely give their consent. If the worker has no genuine choice over how you use their information, you cannot rely on consent as a lawful basis.’

It also advises that: ‘You should avoid relying on consent unless you are confident you can demonstrate it is freely given. This means that a worker must be able to refuse without fear of a penalty being imposed. They must also be able to withdraw their consent at any time. If you think it will be difficult for you to show that your workers’ consent is freely given, you should consider relying on a different lawful basis, such as legitimate interests.’

The guidance also covers:

  • The data minimisation principle – that employers should collect as little health information about as few workers as possible.
  • Security and the importance of having sufficiently robust systems in place for storing health information.
  • Access controls, including that access should only be given to managers to the extent necessary to undertake their management responsibilities.
  • The use of data protection impact assessments, which is encouraged.
  • Record keeping and the use of ‘sickness’, ‘injury’ and ‘absence’ records. Following the data minimisation principle, if employers can use absence records as an alternative to sickness records, that is encouraged.
  • The use of occupational health schemes and the importance of transparency about how information will be used and shared.
  • Testing, including drug and alcohol testing, in the workplace and the need for this to be necessary and justified; for example, by limiting it to those performing safety critical roles.
  • The use of genetic testing and health monitoring.
  • Sharing health data about employees, including when it is likely to be appropriate (in an emergency situation where it is shared with health professionals) and also where it is unlikely to be appropriate (for example, sharing health information amongst co-workers).

The ICO has also published a series of helpful checklists to help employers navigate their data protection obligations in respect of health information.