The ICO recently launched a consultation on their draft guidance about workers’ health information. Employers are likely to process a lot of information about workers and their health, such as occupational health reports or sickness absences. It’s vital, for both employers and workers, that employers know how to look after this sensitive information. This consultation is open until 26 January 2023.
These consultations are the first part of an ongoing project to replace the ICO’s employment code of practice with new, UK GDPR-focused guidance. This will help organisations understand their responsibilities under data protection law by creating helpful, easy-to-understand guidance.
The guidance’s core message is that health information is some of the most sensitive personal information that an employer will process about its workers. Workers can reasonably be expected to share health data with their employer so that the employer can manage sickness absence, make occupational health referrals, ensure that employees are receiving sick pay and other entitlements, and enforce internal rules and standards. However, the amount of data shared should be proportionate. A “one size fits all” approach to collecting and processing health-related data is unlikely to be appropriate.
Some key points from the guidance include:
- The importance of thinking carefully about how much health information an employer needs to collect. This is likely to vary between job roles, with it being legitimate to collect more detailed health information from those working in hazardous environments or whose roles require a high level of physical fitness.
- The fact that high levels of security should apply to health data, which may mean that it needs to be kept separate from general employee records.
- A distinction is drawn between absence records that do not contain information about a worker’s health conditions and sickness records that do. As far as possible, the guidance recommends the use of absence records instead of sickness records, as this is less intrusive to a worker’s privacy.
- Recognition that it would normally be good practice to carry out a data protection impact assessment (DPIA) before processing health-related information. A DPIA is likely to be particularly important if an employer is conducting medical testing.
This provides summary information and comment on the subject areas covered. Where employment tribunal and appellate court cases are reported, the information does not set out all of the facts, the legal arguments presented and the judgments made in every aspect of the case. Employment law is subject to constant change either by statute or by interpretation by the courts. While every care has been taken in compiling this information, we cannot be held responsible for any errors or omissions. Specialist legal advice must be taken on any legal issues that may arise before embarking upon any formal course of action.