The Information Commissioner’s Office (ICO) has published draft guidance on handling information about workers’ health which is open for consultation until early next year. Although titled “Employment practices”, the guidance applies to a much wider range of relationships including employees, workers and contractors, and considers lawful bases for processing health-related information and doing so transparently. Such data is highly sensitive, and it is crucial that employers handle it properly.
As a result of the COVID-19 pandemic, which accelerated the pace of change of the workplace, there has been an increasing use of monitoring technologies as more employees work remotely. The ICO emphasises that data protection should not be a barrier to the use of new technologies to improve and develop employment practices. Instead, it should enable innovation to happen responsibly whilst building trust between employers and workers.
What kind of information?
The GDPR states that “‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.” Examples include:
- sickness absence records;
- occupational health reports;
- disability information;
- alcohol/drug test results;
- benefit-related information; and
- vaccination information.
Handling workers’ health information
Due to the sensitivity of health information, there are extra rules that limit the circumstances in which data processing can take place. If employers want to process workers’ health information, they must:
- be clear about why they are doing it (six lawful bases); and
- be satisfied that they have a justified condition for processing it (five conditions).
The principle of “accountability” under data protection law requires the processor of the data to take responsibility for what they do with the information. A data protection assessment may help employers identify and minimise data protection risks. This assessment could identify issues at an early stage and prevent breaches of data protection law. This is especially important when the purpose for processing the information is likely to result in high risk to workers. It is therefore best practice to carry out such an assessment prior to collecting the data. Having a data protection officer can assist in monitoring compliance and is mandatory for employers carrying out certain processing activities.
Other key principles are fairness and transparency. Workers have a right to be informed about how their information is being used and why. Employers should therefore be transparent with their workers when processing health information – they must let workers know that the information is being collected and set out the reason(s) why, who will have access to it and in what circumstances. This may be set out in a data privacy notice, a data protection policy or a specific communication to the worker.
Employers may only use health information for a new purpose if it is compatible with the original purpose, specific consent is obtained from the worker or there is a clear obligation set out in law. Workers should feel confident that their data is being handled properly, is not being used for an undisclosed purpose and is being treated confidentially.
Crucially, employers must not collect more information than is required for the stated purpose. Employers should collect as little health information as possible. They should think about whether there is a way to collect information in a targeted way, rather than a catch-all approach that captures more information than required. Employers should handle information in a way that workers would reasonably expect and not process it in a way that may have unjustified adverse effects on them.
Workers have the right to erasure of information when it is no longer required. Employers must not keep the information for longer than is necessary, should review the information held periodically and safely dispose of or anonymise information that is no longer required.
It is paramount that employers have appropriate security measures in place to protect the information, in line with the “integrity and confidentiality” principle under the GDPR. The level of security should reflect the sensitivity of the information. Physical records should be sealed or kept in locked cabinets, and electronic records should be accessible only to those who genuinely need to see them.
Employers must be clear about why they are processing health information and be transparent about this with the worker before they begin processing it. The most common lawful bases include:
- Consent – The worker has given consent for the information to be processed for a specific purpose. Employers should exercise caution when using this basis due to the natural imbalance between employers and workers, and the question of whether consent is therefore genuinely given. To be valid, an employee must also be able to withdraw consent at will.
- Contract – This applies when employers need to process workers’ health information to fulfil obligations under contract (for example, under their employment contract), such as taking an on-site drug test or paying sick pay.
- Legal obligation – This applies when employers need to process information to comply with the law, such as reporting “specific injuries” to the Health and Safety Executive.
- Legitimate interests – This applies when employers need to process information for their own legitimate interests, or those of a third party, such as processing a disabled worker’s information to make their work environment more accessible. However, this will not apply if there is a good reason to protect such data which outweighs such legitimate interests.
The ICO has developed a useful tool to help employers decide which lawful basis applies.
Conditions for processing
In addition to having a lawful basis, employers must satisfy one of the 10 conditions for processing the information. The most common relevant conditions include:
- Employment, social security and social protection law – This is relevant for seeking to ensure the health, safety and welfare of workers, or records of statutory sick pay and maternity leave.
- Legal claims or judicial acts – This is relevant for establishing, exercising or defending legal claims, such as a worker suing their employer for a work-related incident affecting their health.
- Substantial public interest – This is relevant for processing information for reasons of substantial public interest (for example, safeguarding children).
Due to the highly sensitive nature of the information and the fairly onerous requirements set out in the GDPR, it is crucial that employers know what to consider when processing workers’ health information. To find out more about processing workers’ health information, please contact a member of our team.