When processing health data, employers must identify both a lawful basis under Article 6 of the UK GDPR and a special category condition for processing under Article 9 of the UK GDPR.
Employers are familiar with their obligations when handling a wide range of personal data relating to their employees. The latest guidance from the Information Commissioner’s Office (ICO) focuses on health-related data, and reminds employers about governance, information provisions and deletion obligations.
On 31 August 2023, the ICO published detailed guidance to help employers understand their data protection obligations under the UK GDPR and the Data Protection Act 2018 (DPA 2018) (“data protection law”) when processing their workers’ health data. The guidance is intended to cover all circumstances where there is an employee-and-employer type relationship, regardless of the nature of the contract between the parties, including recruitment candidates, agency and temporary workers, and some consultants.
Article 4(15) of the UK GDPR defines health data as ‘personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status’. Employers process this information about their workers in a range of circumstances, such as:
- a questionnaire completed by workers regarding their health;
- sickness absence forms;
- information about any impairment or disability;
- results of eye-tests in relation to display screen use;
- records of blood tests to ensure workers have not been exposed to hazardous substances;
- results of an alcohol or drugs test;
- results of fitness to work assessments; and
- records of vaccination and immunisation.
The UK GDPR and the DPA 2018 apply whenever employers process health information about their workers. The employer is a controller, and therefore needs to establish the lawful basis for its processing of health data; have appropriate governance and measures in place to secure and protect the confidentiality and integrity of health data; and ensure that it complies with the data subject rights.
Reasons for collecting and using health data
Employers must be clear and have justifiable reasons for collecting and using their employees’ health data, because of its intrinsic confidentiality. Many workers may be sensitive about sharing health data with their employers and work colleagues. There are many legal and operational reasons why an employer may need to process health data – for example supporting reasonable adjustments where an individual has a disability as defined by the Equality Act 2010, equal access or improving health and safety for their workers and Equality, Diversity and Inclusion (EDI) monitoring.
It is also reasonable to expect workers to share some health data in certain situations, such as sickness absence or occupational health referrals. However, employers must handle their workers’ health data in the way their workers expect, respecting their privacy and only collecting the level of data necessary for the specific purposes, and not using it in a way that will cause unjustified adverse effects on their workers.
Employers must both identify a lawful basis under Article 6 and satisfy a condition under Article 9 of the UK GDPR (as health information is ‘special category data’). There are 10 conditions for processing special category data, and five of these conditions require the additional conditions and safeguards set out in Schedule 1 of the DPA 2018 to be satisfied.
The Article 6 lawful bases that are most likely to apply to the processing of workers’ health data in an employment context are as follows:
- Contract – when processing health data is necessary for the performance of the contract with the worker. For example, an employer may provide occupational sick pay and this provision is set out in the contract of employment. In order to pay it, the employer will need to process details of the worker’s sickness absence;
- Legal obligation – processing health data in order to comply with the law (such as Health & Safety or EDI monitoring);
- Legitimate interests – i.e. for the employer’s legitimate interests or the legitimate interests of a third party. The employer should carry out a legitimate interests assessment to determine whether this lawful basis applies. Examples are given in the guidance. For instance, following an accident at work, the employer is being sued and wants to share details of the accident (which include information about the injuries sustained) with its solicitors to obtain legal advice. Another example is recruitment where an individual’s health and fitness is integral to the performance of the role: the job offer is conditional on the shortlisted candidate having a medical examination, as a result of which their health information is collected; and
- Vital interests – processing health data may be necessary to protect a worker’s life or the life of another person such as in an emergency situation.
Processing health data
Employers will also need to satisfy one or more conditions in Article 9 of the UK GDPR to process health data. The Article 9 conditions that are most likely to apply to processing of workers’ health data are as follows:
- Employment, social security and social protection law – performing or exercising obligations or rights which are imposed or conferred by law on the employer or the employee in connection with employment, social security or social protection. This could include, for example to ensure the health, safety and welfare of workers or to maintain records of employee statutory sick pay or maternity pay. Note that the employer will also need to have an appropriate policy document in place to rely on this condition;
- Vital interests – processing health data may be necessary to protect a worker’s life or the life of another person such as in an emergency situation;
- Legal claims or judicial acts – when necessary to establish, exercise or defend legal claims;
- Substantial public interest – when necessary for reasons of substantial public interest. To rely on this condition, employers must also satisfy one of the conditions set out in Part 2 of Schedule 1 of the DPA 2018 and have an appropriate policy document in place; and
- Explicit consent – when the worker expressly confirms consent to the use of specific information for a clearly defined purpose.
Workers also have the right to be informed about how their employer is using their health data and why. Therefore, employers must be clear, open and honest with their workers and must inform them about what health data is being collected and why, who will have access to it and in what circumstances. In addition, employers must include specific information about processing health data in their privacy information, for example their privacy notice, general data protection policy or by simply sending a letter or email to workers. Note that the guidance has very helpful sections on some of the workplace scenarios where workers’ health information is processed. These include handling sickness absence records, conducting drugs and alcohol testing and considerations when using occupational health schemes.
Employers must have appropriate technical and organisational security measures in place to protect their workers’ health data. As health data is special category data, employers must ensure that they apply a high level of security in order to protect the information and prevent any harm that may arise from misuse or loss.
Finally, under data protection law, employers must do a data protection impact assessment (“DPIA”) before they begin processing data that is “likely to result in a high risk”. Given the sensitive nature of their workers’ health data, employers should carry out a DPIA. A DPIA also allows employers and workers the opportunity to work together before their health data is processed.