The headline message of the Guidance is that health information is among the most sensitive personal information an employer will process about its workers.
In many respects, the Guidance reaffirms the position under UK Law on processing workers’ health data, in that it:
- Sets out principles for the collection and use of health information.
- Defines health data as personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
- Reiterates that gathering information about workers’ health is intrusive, and is highly intrusive where the information is particularly sensitive. If employers want to collect and use information regarding their workers’ health, they need to be clear about why they are doing so. Organisations need to be satisfied that they have justified reasons for collecting health data. The ICO notes that, while workers will reasonably expect to share a proportionate amount of health data, they can legitimately expect that their employers will respect their privacy when doing so.
- Encourages organisations to consider whether there are more targeted ways of collecting health data which would deliver more acceptable outcomes for the workers.
- Reminds organisations to be clear about the purposes for processing health data and make such information available to workers.
- Notes that organisations should also be aware of their obligations under employment law, health and safety law and other legislation, as well as any applicable industry standards.
- Reminds organisations that consent is one of the lawful bases for the processing of personal data. The ICO warns that UK Law sets a high standard for consent, and people must have a genuine choice over how their data is used. As such, it may be difficult for organisations to rely upon consent to process health data about their workers. This is because of the imbalance of power between an employer and a worker, particularly a worker who may fear adverse consequences if they do not agree to the collection of their health data.
- Recognises that it would be good practice to carry out a data protection impact assessment (“DPIA”) before processing health data. This, however, may only be applicable to employers who intend to process health data that is likely to pose a high risk to workers (such as conducting medical tests).
- Reminds organisations to ensure that appropriate security measures are in place to protect workers’ health information, and that access to such information should be restricted as appropriate on a need-to-know basis.