Reed Smith Client Alerts

The UK Information Commissioner’s Office (“ICO”) is producing guidance on a series of topics relating to employment and data protection. As part of this initiative, on 27 October 2022 the ICO issued its draft guidance on workers’ health information for consultation (“Guidance”). The Guidance aims to provide practical tips on handling health information in accordance with data protection legislation and to promote good practice. It follows the ICO’s other recent consultation on its draft monitoring at work guidance, which offers practical advice about monitoring workers in line with data protection legislation. These consultations are the first part of an ongoing project by the ICO to replace its employment code of practice with new guidance based on the UK General Data Protection Regulation and the UK Data Protection Act 2018 (“UK Law”). The Guidance is relevant to all employers that process information about their workers’ health, which will inevitably be most employers.

Key takeaways

The headline message of the Guidance is that health information is among the most sensitive personal information an employer will process about its workers.

In many respects, the Guidance reaffirms the position under UK Law on processing workers’ health data, in that it:

  • Sets out principles for the collection and use of health information.
  • Defines health data as personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveals information about his or her health status.
  • Reiterates that gathering information about workers’ health is intrusive, and is highly intrusive where the information is particularly sensitive. Employers that want to collect and use information about their workers’ health need to be clear about why they are doing so, and must be satisfied that they have justified reasons for collecting it. The ICO notes that, while workers will reasonably expect to share a proportionate amount of health data, they can legitimately expect their employers to respect their privacy when doing so.
  • Encourages organisations to consider whether there are more targeted ways of collecting health data that would deliver more acceptable outcomes for workers.
  • Reminds organisations to be clear about the purposes for processing health data and make such information available to workers.
  • Notes that organisations should also be aware of their obligations under employment law, health and safety law and other legislation, as well as any applicable industry standards.
  • Reminds organisations that consent is one of the lawful bases for processing personal data. The ICO warns that UK Law sets a high standard for consent: people must have a genuine choice over how their data is used. It may therefore be difficult for organisations to rely on consent to process health data about their workers, because of the imbalance of power between an employer and a worker; in particular, a worker may fear adverse consequences if they do not agree to the collection of their health data.
  • Recognises that carrying out a data protection impact assessment (“DPIA”) before processing health data is good practice. A DPIA is mandatory where the intended processing is likely to pose a high risk to workers (for example, conducting medical tests).
  • Reminds organisations to ensure that appropriate security measures are in place to protect workers’ health information, and that access to such information is restricted on a need-to-know basis.