Employment: ICO issues guidance on workers’ health data
Although the handling of workers’ health information by employers is highly sensitive, it is necessary to ensure a safe and healthy working environment and to manage working relationships. The Information Commissioner’s Office (“ICO”) has recently published comprehensive guidance for employers on processing workers’ health data. The purpose of the guidance is to provide greater regulatory certainty, protect workers’ data and help employers to build trust with their workers.
Health data
Health data is amongst the most sensitive personal information under the UK GDPR and the Data Protection Act 2018 (“DPA”). It is classified as special category data, requiring an extra level of protection due to its sensitive nature. It includes a wide range of information, such as sickness absence forms, information about impairment and disability, any questionnaires completed by workers to determine their health problems, the results of various medical tests (such as blood or eye tests) and records of vaccination and immunisation status.
Who is protected under the guidance?
The ICO recognises that working relationships are no longer as straightforward as they were 10 or more years ago. To that end, it decided not to limit the scope of the guidance to data relating to employees and workers but to extend it to cover anyone who “performs work for an organisation”.
Processing health data
The guidance is divided into two parts. Part 1 provides an overview and general information about data processing. Part 2 is more practical, and contains advice on the legal requirements, good practice and examples of employment practices.
It emphasises that there are specific rules an employer is obligated to follow when dealing with health data, including using it fairly and lawfully.
(a) Fair processing
To process sensitive health data fairly, employers must have “justifiable reasons” and be transparent about the purpose of processing (for example, to monitor sickness absence or to consider reasonable adjustments). Employers must effectively communicate what they are doing to their workers to allow them to understand what data is being collected, how it is used and how it affects their privacy.
The rationale for collecting and using the data must be well documented and specified in a privacy information document. Employers may be required to complete data protection impact assessments (“DPIAs”) to identify potential risks associated with processing health data at an early stage. By maintaining clear and comprehensive records, employers should be able to confidently demonstrate their commitment to fair and responsible data handling practices.
(b) Lawful processing
Lawful processing requires identifying a “lawful basis” for processing data under article 6 of the UK GDPR. The ICO provides a list of six lawful bases, namely: (1) for a contract with a worker (for example, to process sick pay); (2) obligations to comply with the law (for example, to report accidents at work); (3) legitimate interests of the employer or a third party (for example, a vetting process for certain types of roles); (4) vital interests to protect a worker’s or other person’s life; (5) public tasks (for example, for statutory and government purposes, or the safeguarding of children and individuals at risk); and (6) the consent of the worker to process their data for a specific purpose.
Practical aspects of the guidance
The guidance is helpful in that it directly answers key questions employers and workers might have about processing health data. For instance, it provides example responses to questions like “How do we handle sickness and injury records?”, or “What if we use medical examinations and drugs and alcohol testing?” It not only provides clear explanations of the legal requirements relevant to these questions, but also offers practical advice for best practices in each scenario.
The ICO has also provided several checklists to help employers assess the requirements whenever they need to process health information, including circumstances involving health monitoring, occupational health schemes, and sickness and injury records.
Comments
Unsurprisingly, the guidance is in line with the more general guidance on processing data produced by the ICO. However, it provides greater clarification for employers about their legal obligations when handling a worker’s health information. It is also a reminder that employers must respect their workers’ privacy rights while ensuring workplace safety and legal compliance. The guide serves as an invaluable resource for organisations striving to maintain legal compliance while fostering trust by responsibly managing workers’ health information.