What’s this all about?
The UK data protection regulator, the Information Commissioner’s Office (“the ICO”), recently updated its guidance for employers about handling their employees’ health personal data, entitled “Information about workers’ health” (“the guidance”). This article looks briefly at that guidance.
Why the need for guidance?
According to the ICO, the guidance is aimed at employers to help them understand their data protection obligations under UK GDPR and the UK Data Protection Act 2018 (“DPA 2018”) when handling the health information of the people who work for them.
What does the guidance aim to do?
According to the ICO, the guidance aims to:
- Help provide greater regulatory certainty;
- Protect workers’ data protection rights; and,
- Help employers to build trust with workers.
The guidance in a bit more detail
Edited highlights of the guidance include the following:
- “How do we ensure we use workers’ health information fairly?
[…] you should handle health information in ways that workers would reasonably expect and not use it in ways that have unjustified adverse effects on them. You must be clear and transparent about your purposes for processing health information from the start. You should carefully consider not only how you can use their health information, but also the reasons why you need to use their information.
You must record your purposes as part of your documentation obligations and specify them in your privacy information for individuals”;
- “How do we lawfully process workers’ health information?
To lawfully process health information, you must first identify a lawful basis under Article 6 of the UK GDPR. As health information is special category data, it needs a greater level of protection. There are rules covering the use of special category data. You cannot process this type of information unless you meet some additional requirements. This means that, in addition to a lawful basis, you must also identify a special category condition for processing under Article 9 of the UK GDPR;”
- “What lawful bases might apply if we want to process workers’ health information?
There are six lawful bases for processing personal information. At least one of these must apply whenever you process health information. No one basis is better, safer or more important than the others. How you decide which lawful basis applies depends on your specific purposes and the context of the processing of workers’ health information. Remember, you must determine your lawful basis for processing your workers’ health information before you begin this processing. You must document it.
[…] as well as identifying a lawful basis under Article 6, you must also identify a special category condition under Article 9. There are 10 conditions for processing special category data. For five of these conditions, you must meet additional conditions and safeguards set out in schedule 1 of the DPA 2018. If you are relying on a schedule 1 condition, many of these also require you to have an ‘appropriate policy document’ in place. This acts as part of the additional safeguards that are necessary for the processing to take place;”
- “Can we rely on a worker’s consent?
[…] consent provides certain challenges in an employment context. Consent is one of the lawful bases for processing personal information. Data protection law sets a high standard for consent, and people must have a genuine choice over how you use their information. Consent must be unambiguous and involve a clear affirmative action (i.e. using an opt-in). You must also allow people to withdraw their consent as easily as they give it.
However, you may find it difficult to rely on consent to process health information about your workers. This is because, as an employer, you will generally be in a position of power over your workers. They may fear adverse consequences and might feel they have no choice but to agree to the collection of their health information. Therefore, they cannot freely give their consent. If the worker has no genuine choice over how you use their information, you cannot rely on consent as a lawful basis.
You should avoid relying on consent unless you are confident you can demonstrate it is freely given. This means that a worker must be able to refuse without fear of a penalty being imposed. They must also be able to withdraw their consent at any time.
If you think it will be difficult for you to show that your workers’ consent is freely given, you should consider relying on a different lawful basis, such as legitimate interests.
[…] However, this does not mean that you can never use consent as a lawful basis. Even where you are in a position of power, there may be situations where you can still show that workers have freely given their consent.
[…] Explicit consent is one of the conditions that you can use to process special category data, including health information. Data protection law does not define explicit consent. However, it is not likely to differ much from the usual high standard of consent. The key difference is that a person must expressly confirm their explicit consent in a clear statement (whether oral or written). You cannot infer explicit consent from someone’s actions.
Explicit consent is the only special category condition that can apply to a wide range of circumstances. In some cases, it may be the only appropriate condition, depending on what you want to do with the health information;”
- “How do we limit how much health information we collect?
In general, you should collect as little health information about as few workers as possible. It’s likely employers will need to obtain at least some health information about their workers during the normal course of their employment.
[…] You should only collect more detailed health information in areas of highest risk;”
- “What do we need to tell workers when processing their health information?
You must let your workers know that information about their health is being collected and why, who will have access to it and in what circumstances. You’re unlikely to ever be able to justify gathering information about workers’ health covertly.
You must include specific information about your processing of health information in your privacy information for your workers;”
- “How do we keep workers’ health information accurate and up to date?
Data protection law requires you to ensure personal information is accurate and, where necessary, kept up to date (the accuracy principle). You must take all reasonable steps to ensure your workers’ health information is not incorrect or misleading as to any matter of fact;”
- “How do we keep workers’ health information secure?
Data protection law requires that you must have appropriate security measures in place to protect your workers’ health information.
You must ensure the level of security you apply is appropriate to the nature of the information you are protecting and harm that might result from misuse or loss. Given that health information is special category data, you must have a high level of security. Unless you apply a particularly high level of security to all employment records, it is likely that you would need to single out health information about your workers for special treatment. This means you must keep information about workers’ health particularly secure.
Depending on the nature of your organisation, you could keep information about your workers’ health on a separate database or system, or subject to separate access controls. For example, you could limit access to only those who need to see it, such as by using password protection. If you use physical records, you could separate health information from the other contents of a worker’s personnel file (such as by putting it in a sealed envelope) and keep it in a locked cabinet.
You should also consider who has access to workers’ health information. You should apply the principle of ‘need to know’. As far as possible, you should limit access to information on medical conditions to health professionals, such as doctors and nurses.
Managers should only have access where it is necessary for them to undertake their management responsibilities. You should limit this to only the information they need to meet their obligations. It’s likely you can limit this to information about a worker’s current or likely future fitness to work. It may be less information than a doctor or nurse needs to make an assessment of the worker. In some cases, a manager may need to know more about a worker’s state of health to protect that worker or others;”
- “Do we need to do a data protection impact assessment?
A data protection impact assessment (DPIA) is a process to help you identify and minimise data protection risks. An effective DPIA allows you to identify and fix problems at an early stage, bringing broader benefits for both workers and your organisation.
Under data protection law you must do a DPIA before you begin any type of processing that is “likely to result in a high risk”. This includes some specified types of processing. There are also other circumstances where you must do a DPIA, and in some cases you must consult the ICO before you can begin processing.
You should carry out a DPIA given the sensitive and potentially intrusive nature of processing workers’ health information. As noted above, it may be a requirement depending on the processing you want to do. A DPIA also provides you with the opportunity to involve your workers before you start any new processing of their health information;”
- “Can we process sickness and injury records?
Data protection law does not prevent you from keeping sickness and injury records about your workers. Clearly, these types of records are necessary for you to review your workers’ ability to undertake their work. They are necessary for other purposes, such as identifying health and safety hazards at work and for paying health-related benefits to workers.
However, you should make sure that you do not use sickness and injury records in a way workers would not expect. It is important to make it clear to those who have access to sickness records what they can and cannot do with them. You also need to consider whether full access to the record is appropriate. This links with your fairness and transparency obligations;”
- “How do we lawfully process sickness and injury records?
Sickness and injury records include information about workers’ physical or mental health. Holding sickness or injury records therefore involves processing special category data.
It is part of your accountability obligations to identify a suitable lawful basis and condition for processing. However, for sickness and injury records, you can likely rely on legitimate interests or legal obligation as your lawful basis and the employment law condition for processing.
It’s unlikely that consent as a lawful basis and explicit consent as a condition for processing would ever be appropriate as a basis for processing sickness records. This is because a worker is unlikely to have the ability to freely consent to the processing, especially in cases where an employer may use sickness absences in potential disciplinary proceedings. […] employers also have obligations under employment law which means the worker won’t have any real choice to consent;”
- “How do we store sickness and injury records?
Where possible, you should keep sickness and injury records containing details of a worker’s illness or medical condition separate from other less sensitive information, for example a simple record of absence.
[…] It is a good idea to review how you currently keep your sickness and accident records. If necessary, you should change the way you keep information on sickness and accidents.
You must ensure you take appropriate measures to keep sickness and injury records secure, especially given the sensitive nature of the information. You could do this by keeping the sickness record in a specially protected computer file, perhaps using encryption. If you use physical records, you could keep it in a sealed envelope, stored in a locked filing cabinet;”
- “Can we share information from sickness or injury records?
You should only share information from sickness or injury records about an identifiable worker’s illness, medical condition or injury with third parties where it is necessary and proportionate to do so. This might include where: there is a legal obligation to do so; it is necessary for legal proceedings; or the worker has given explicit consent to the sharing. This is not an exhaustive list. There may be other situations that you can justify.
You should make sure that all those who deal with workers’ sickness or injury records are aware of the circumstances where there may be a legal obligation to share the information;”
- “What do we tell workers when using an occupational health scheme?
[…] workers have a right to be informed how you use their personal information and why. You must make this clear from the outset, as part of your transparency obligations. This includes when you may share their information with external occupational health providers and what information you may get back from them.
[…] You must clearly set out to workers, preferably in writing, how you intend to use information they supply in the context of an occupational health scheme, who you might make it available to and why. It is particularly important to inform workers of the circumstances, if any, when their line manager can access the information they supply to a health professional. You must also be transparent about what data protection rights workers have around the use of their information and the reports that are produced;”
- “What do we need to consider if we want to introduce medical examinations and testing?
You must record the purpose of your proposed programme of examination or testing of workers. You must identify your lawful basis and special category condition for processing. You may wish to do this as part of your data protection impact assessment (DPIA).
You should also document: who you are going to test or examine; what precisely you are testing or examining them for; the frequency of testing or examinations; and the consequences of a positive or negative test or the result of an examination.
You should consider whether there are any less intrusive ways of meeting your objectives as an employer, unless you are legally required to carry out a test or examination. This might mean, for example, collecting information via a health questionnaire either as a first stage or as an alternative to a medical examination, if this is appropriate given the nature of the role;”
- “Can we use medical examinations and testing as part of our recruitment process?
Medical examination and testing are, even if needed for the role, inherently intrusive. You should only use them to obtain information where this is necessary to meet your purposes;”
- “What do we tell workers about examinations and testing?
You must ensure that workers are fully aware when testing is taking place or where you require medical examinations, as part of your fairness and transparency obligations.
You should not conduct testing on samples collected without the worker’s knowledge. It would be deceptive and misleading to workers if you attempted to obtain information by collecting samples covertly, or by testing existing samples in a manner that you had not told workers about. Where this type of testing involves the processing of personal information, it is unlikely to comply with data protection law as it would be unfair to the worker concerned. You are unlikely to ever justify covert medical testing and it is difficult to envisage circumstances arising without the police being involved;”
- “How do we ensure drugs and alcohol testing is appropriate?
You should make sure that the information you collect from drugs and alcohol testing is designed to ensure safety at work rather than just to reveal the illegal use of substances in a worker’s private life. […] In other roles, you may not need to conduct testing. Instead, you may be able to handle performance or behavioural issues potentially related to drug or alcohol usage through staff conduct policies rather than through testing.
This is because testing workers for drugs or alcohol is intrusive and very few employers can justify testing to detect illegal use rather than on safety grounds. However, testing to detect illegal use may, exceptionally, be justified where illegal use would: breach the worker’s contract of employment, conditions of employment or disciplinary rules; or cause serious damage to the employer’s business, for example by substantially undermining public confidence in the integrity of a law enforcement agency;”
- “How much personal information can we collect from drugs and alcohol testing?
You must minimise the amount of personal information you obtain from testing for the presence of drugs and alcohol in your workers;”
- “Can we use random testing?
You cannot justify collecting personal information by testing all workers in your organisation if, in fact, it is only workers engaged in particular activities or roles that pose a risk.
You should instead limit the collection of information through random testing to those workers who are involved in safety-critical roles that you consider require testing.
Even in safety-critical businesses such as public transport or heavy industry, workers in different jobs will pose different safety risks through their use of alcohol or drugs, depending on the type of work they carry out. Therefore, you can rarely justify collecting information through the random testing of all workers;”
- “Can we use genetic testing on our workers?
Genetic testing is likely to result in the processing of genetic data about workers. Genetic data is a type of special category data and so all the usual considerations about processing this category of personal information would apply.
Genetic testing has the potential to provide employers with information: predictive of the likely future general health of workers; or about workers’ genetic susceptibility to occupational diseases.
However, genetic testing is still under development and in most cases has an uncertain predictive value. It is rarely, if ever, used in an employment context. It is difficult for employers to justify demanding that a person needs to take a genetic test as a condition of employment.
You should not use genetic testing to collect information that is predictive of a worker’s future general health. To collect information this way is too intrusive. The predictive value of the information is also insufficiently certain to be relied on to provide information about a worker’s future health;”
- “Are there any circumstances we can use information from genetic testing?
You should avoid using genetic testing to obtain information unless, as a last resort, it is: clear that a worker with a particular detectable genetic condition is likely to pose a serious safety risk to others; or known that a specific working environment or practice might pose specific risk to workers with particular genetic variations; and this is the only reasonable method to collect the required information.
[…] You should carry out a data protection impact assessment (DPIA) for any processing of genetic data, other than that processed by an individual GP or health professional for the provision of health care direct to the worker. However, a DPIA is required where this processing is combined with certain other criteria;”
- “What do we need to consider if we want to monitor the health of workers?
You must first consider what you are trying to achieve and whether there is a less privacy intrusive way to do this. You should carry out a data protection impact assessment (DPIA) before you start any processing. In some cases, you must carry out a DPIA.
You must identify a lawful basis and a special category condition for processing. Which lawful basis and special category condition are appropriate depends on your purpose(s) for the processing;”
- “Can we ask workers to agree to the use of health monitoring technologies?
Consent as a lawful basis under data protection law is rarely appropriate in an employment setting, given the imbalance of power between the employer and the worker. This is because it is difficult to demonstrate consent to be ‘freely given’ in these circumstances.
If you are required by law to actively monitor a worker’s health, then consent would not be appropriate. You should consider another lawful basis, such as legal obligation.
However, if you are offering a real choice for workers to participate in the use of health monitoring technologies, such as part of a worker wellness program, and there is no risk of negative consequences for not doing so, then you may consider using consent.
Remember, as health information is special category data, you must also meet a special category condition for processing. If you are offering genuine choice to your workers and seek to rely on consent as your lawful basis, then explicit consent may be appropriate as your condition for processing;”
- “Can we share health information of our workers?
Sometimes you may need to share health information about your workers. Data protection law does not prevent this, where it is appropriate to do so. This might be, for instance, as part of an occupational health referral, as part of a legal claim, or under some other legal obligation. There may also be urgent or emergency situations in which you need to share information about a worker’s health to help safeguard them.
Whenever you want to share health information of workers you must: consider your purpose and ensure that it is reasonable and proportionate; treat your workers fairly and not use their health information in ways that would have unjustified adverse effects on them; tell workers about why and how you propose to share their health information before, or at the time you share if this is not possible; and identify at least one lawful basis and a condition for processing before you start sharing any health information;”
- “How do we ensure the lawfulness of sharing?
Before sharing any health information of a worker, you must identify at least one lawful basis. You must also identify a special category condition for processing. Which lawful basis and condition for processing are appropriate depends on your purpose for sharing the information.
[…] For most information sharing, it is better not to rely on consent as the lawful basis, or explicit consent as the special category condition for processing. If you cannot offer a genuine choice, consent is not appropriate. Employers are often in a position of power over workers and therefore it’s best to avoid relying on consent unless they are confident they can demonstrate it is freely given.
[…] Depending why you need to share a worker’s health information, other lawful bases such as legitimate interests or legal obligation are more likely to be appropriate. Similarly, the employment, social security and social protection law condition may be more appropriate as a special category condition for processing;”
- “Can we share a worker’s health information in an emergency?
Yes. Data protection law allows organisations to share personal information in an urgent or emergency situation, including to help them prevent loss of life or serious physical, emotional or mental harm. In an emergency you should go ahead and share health information as is necessary and proportionate.”
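The ICO’s security advice quoted above (hold health information separately from the personnel file, apply “need to know”, and give managers only fitness-to-work information rather than clinical detail) can be expressed as a field-level access policy with an audit trail. The following is an added illustration and is not code from the article, from Cordery or from the ICO; the roles, field names, store layout and the sample record are assumptions constructed for the example.

```python
"""Need-to-know access to worker health information (added illustration).

Clinical detail is kept in a store separate from the personnel file and is
released field by field according to the requester's role. Every request,
allowed or denied, is written to an access log so that over-broad access
can be detected afterwards. All names and values here are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional

# The general personnel file holds no clinical information at all.
PERSONNEL_FILE: Dict[str, Dict] = {"W001": {"name": "A. Worker", "department": "Ops"}}

# Health information lives in its own store (constructed sample record).
HEALTH_STORE: Dict[str, Dict] = {
    "W001": {
        "condition": "example condition (constructed)",
        "absence_days": 4,
        "fit_to_work": True,
        "adjustments": "no night shifts",
    }
}

# Fields each role may see. A role absent from this map has no access.
# Assumed roles: health professionals see clinical detail, line managers
# see only current fitness to work and any adjustments, HR absence staff
# see the bare absence count.
FIELD_POLICY: Dict[str, FrozenSet[str]] = {
    "health_professional": frozenset({"condition", "absence_days", "fit_to_work", "adjustments"}),
    "line_manager": frozenset({"fit_to_work", "adjustments"}),
    "hr_absence": frozenset({"absence_days"}),
}


class HealthAccessDenied(PermissionError):
    """Raised when a requester's role or stated purpose does not permit access."""


@dataclass
class AccessLog:
    """In-memory audit trail; a real deployment would write to tamper-evident storage."""
    entries: List[Dict] = field(default_factory=list)

    def record(self, **entry) -> None:
        self.entries.append(entry)


def view_health_record(worker_id: str, requester: str, role: str,
                       log: AccessLog, purpose: Optional[str] = None) -> Dict:
    """Return only the fields of a worker's health record that ROLE may see.

    A documented purpose is required for every access, mirroring the
    guidance that purposes for processing health information are recorded.
    Denied requests are logged before the exception is raised.
    """
    allowed_fields = FIELD_POLICY.get(role)
    if allowed_fields is None or not purpose:
        log.record(worker=worker_id, requester=requester, role=role,
                   purpose=purpose, allowed=False, fields=[])
        raise HealthAccessDenied(f"{requester} ({role}) may not view health data")

    full = HEALTH_STORE.get(worker_id, {})
    view = {k: v for k, v in full.items() if k in allowed_fields}
    log.record(worker=worker_id, requester=requester, role=role,
               purpose=purpose, allowed=True, fields=sorted(view))
    return view


def overbroad_accesses(log: AccessLog, max_fields: int = 2) -> List[Dict]:
    """Detection helper: allowed accesses that returned more than MAX_FIELDS
    fields to anyone other than a health professional."""
    return [e for e in log.entries
            if e["allowed"] and e["role"] != "health_professional"
            and len(e["fields"]) > max_fields]


if __name__ == "__main__":
    audit = AccessLog()
    print(view_health_record("W001", "dr_smith", "health_professional", audit, "OH referral"))
    print(view_health_record("W001", "mgr_jones", "line_manager", audit, "rota planning"))
    try:
        view_health_record("W001", "payroll_1", "payroll", audit, "curiosity")
    except HealthAccessDenied as exc:
        print("denied:", exc)
    print("log entries:", len(audit.entries), "overbroad:", overbroad_accesses(audit))
```

The point of the design is that the personnel file and the health store are separate objects, the policy is data rather than scattered `if` statements, and the log captures denials as well as grants; the `overbroad_accesses` helper shows how that log can later be checked for managers receiving more than fitness-to-work information.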
What are the takeaways?
Health data matters greatly to individuals, and the consequences of mishandling it are too serious for an organisation to get this wrong. Organisations should consider doing the following:
- Train staff such as those in HR on how to handle employee health data, including in the context of Subject Access Requests.
Bear in mind that the guidance is by no means exhaustive of all possible issues, and guidance is only guidance – only a court has the final say on what the law means.
We report about data protection and privacy issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
The ICO guidance can be found here: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/employment-information/information-about-workers-health/.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 347 2365