Key takeaways
The headline message of the Guidance is that health information is among the most sensitive personal information an employer will process about its workers.
In many respects, the Guidance reaffirms the position under UK Law on processing workers' health data, in that it:
- Sets out principles for the collection and use of health information.
- Defines health data as personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
- Reiterates that gathering information about workers' health is intrusive, and is highly intrusive where the information is particularly sensitive. If employers want to collect and use information regarding their workers' health, they need to be clear about why they are doing so. Organisations need to be satisfied that they have justified reasons for collecting health data. The ICO notes that, while workers will reasonably expect to share a proportionate amount of health data, they can legitimately expect that their employers will respect their privacy when doing so.
- Encourages organisations to consider whether there are more targeted ways of collecting health data which would deliver more acceptable outcomes for the workers.
- Reminds organisations to be clear about the purposes for processing health data and make such information available to workers.
- Notes that organisations should also be aware of their obligations under employment law, health and safety law and other legislation, as well as any applicable industry standards.
- Reminds organisations that consent is one of the lawful bases for the processing of personal data. The ICO warns that UK Law sets a high standard for consent, and people must have a genuine choice over how their data is used. As such, it may be difficult for organisations to rely upon consent to process health data about their workers. This is because of the imbalance of power between an employer and a worker, particularly a worker who may fear adverse consequences if they do not agree to the collection of their health data.
- Recognises that it would be good practice to carry out a data protection impact assessment (“DPIA”) before processing health data. This, however, may only be applicable to employers who intend to process health data that is likely to pose a high risk to workers (such as conducting medical tests).
- Reminds organisations to ensure that appropriate security measures are in place to protect workers' health information, and that access to such information should be restricted as appropriate on a need-to-know basis.
The Guidance also includes sections that relate to technological advances that have not previously been addressed in any ICO guidance, including but not limited to:
- Health monitoring technologies: This topic is particularly relevant to organisations that may want to use health tracking technologies such as tracking apps and wearables to help monitor the health of their workers. The ICO recommends that organisations first consider what they are trying to achieve and whether there is a less privacy-intrusive way to do this. A DPIA is recommended (and in some instances may be required) before any processing is started, particularly as some technologies rely on automated decision-making or artificial intelligence.
- Genetic testing: The ICO acknowledges that organisations may want to use genetic testing to predict the future health of their workers, or to gather information about their genetic susceptibility to occupational diseases. However, as genetic testing is still developing and is rarely, if ever, used in an employment context, the ICO suggests that genetic testing should only be introduced after very careful consideration, if at all. Similarly, workers should not be asked to disclose the results of a previous genetic test. Organisations are therefore limited to asking for information that is relevant to health and safety or other legal duties.
- Occupational health schemes: Organisations must be transparent about the use of occupational health schemes and provide clear information about how the information workers supply will be used in the context of an occupational health scheme, who it might be made available to and why. Medical details about workers should only be made available to managers to allow them to discharge their management responsibilities. Any access should be kept to a minimum. Organisations should consider whether they need to comply with any guidance from relevant professional bodies and regulators and whether to consider the Access to Medical Reports Act 1988.
What’s next?
The ICO intends to produce additional practical tools alongside the Guidance to support employers. Ultimately, the ICO aims to create a one-stop shop for employers and workers alike where they can find the answers to their questions easily. This all supports the ICO's three-year strategy, which aims to help organisations understand their responsibilities under data protection law. In the meantime, the Guidance remains open for consultation until 26 January 2023. Comments may be submitted through an online survey or by downloading and filling in a response document and sending it to [email protected].
Client Alert 2022-371