Posted: 21/09/2023
At the end of August, the Information Commissioner’s Office (ICO) released new guidance for employers on their data protection obligations when processing health data about their workers.
This is part of the ICO’s plan to update its Employment Practices Data Protection Code and provide new resources for employers.
It follows recent guidance from the ICO on other matters of interest to employers, including monitoring employees and data subject access requests.
There is nothing new in the guidance and employers who are already complying with their obligations in respect of employees’ health data should not have to make any changes to their existing practice.
It does, however, provide an accessible resource for organisations, and it includes a number of helpful practical examples, which make it user-friendly for those employers who do have questions about the right thing to do.
Health information is amongst the most sensitive personal data that employers are likely to process about their workers. It is ‘special category’ data for the purposes of data protection legislation and is therefore afforded the highest level of protection.
Despite this sensitivity, the ICO acknowledges that there are many circumstances in which employers will need to process information about their employees’ health. These include holding information to enable the payment of sick pay and the implementation of reasonable adjustments under the Equality Act 2010. With this in mind, the ICO has a dedicated section explaining which lawful bases for processing employers are most likely to be able to rely on under the UK GDPR and the Data Protection Act 2018.
First, there should be a lawful basis for processing under Article 6 of the UK GDPR. The ICO advises that the most likely are:
For health data, employers need to couple one of the above grounds with a ground under Article 9 of the UK GDPR (and potentially Schedule 1 of the Data Protection Act 2018); for example:
The ICO reiterates the difficulty of relying on consent in an employer/employee situation. It explains: ‘This is because, as an employer, you will generally be in a position of power over your workers. They may fear adverse consequences and might feel they have no choice but to agree to the collection of their health information. Therefore, they cannot freely give their consent. If the worker has no genuine choice over how you use their information, you cannot rely on consent as a lawful basis.’
It also advises that: ‘You should avoid relying on consent unless you are confident you can demonstrate it is freely given. This means that a worker must be able to refuse without fear of a penalty being imposed. They must also be able to withdraw their consent at any time. If you think it will be difficult for you to show that your workers’ consent is freely given, you should consider relying on a different lawful basis, such as legitimate interests.’
The guidance also covers:
The ICO has also published a series of helpful checklists to help employers navigate their data protection obligations in respect of health information.
If you are considering putting a new system or process in place in respect of employee health data, or you are reviewing existing practices – whether in relation to record keeping or occupational health – the ICO’s new guidance provides an excellent and accessible starting point. If you have any questions, please contact our employment team.