4 min read

Data protection: ICO publishes draft guidance on handling information about workers’ health

Read more

By Hilary Larter and Ceri Fuller


Published 13 December 2022


The ICO has published draft guidance on handling information about workers’ health which is open for consultation until 26 January 2023.


As part of its wider initiative to update the Employment Practices Data Protection Code, the Information Commissioner’s Office has released draft guidance on handling information about workers’ health. The guidance, when finalised, will form part of the topic specific online resource which the ICO is putting together with the aim of providing practical guidance on compliance with data protection legislation and of promoting good practice. This follows the draft guidance for monitoring at work, which was published by the ICO in October this year, which is open for consultation until 11 January 2023.

The draft guidance on handling information about workers’ health emphasises that health information is some of the most sensitive personal information that employers are likely to process, and that in many cases processing such information may be highly intrusive. In that context, the guidance acknowledges that there are many circumstances under which employers need to process information about their employees’ health and explains the special rules that must be followed when processing special category data, focussing on data about health.

In particular, the guidance discusses:

  • The need to limit the processing of data about workers’ health to the information needed by the employer. The guidance comments that “In general, you should collect as little health information about as few workers as possible”, while acknowledging that in some circumstances (for example, where a particular role requires a high level of fitness) it may be necessary for an employer to process more detailed information.
  • The particular need for data security in relation to health information. It suggests that employers may be able to keep information about workers’ health on a separate database or system, or (where physical records are kept) that these could be kept separate from the rest of the worker’s personnel file. Access should only be given to managers to the extent necessary to undertake management responsibilities.
  • That it is good practice to carry out data protection impact assessments given the sensitive and potentially intrusive nature of processing health information and that, in some circumstances, an assessment will be a requirement.
  • The difference between “sickness” records, “injury records” and “absence records”, the latter only recording that the worker has been absent because of sickness or injury, without providing details. As far as possible, the guidance recommends the use of absence records instead of sickness records, while recognising that employers may need to process sickness records, for example, to comply with duties to make reasonable adjustments.
  • The use of occupational health schemes, including the need to be clear with employees when, what and why information will be shared with occupational health providers.
  • Employers who use medical testing, or are considering doing so, may find the guidance particularly interesting. It emphasises the need for testing to be necessary and justified, the need to limit random testing to workers performing safety critical roles, and that less intrusive ways of meeting the employer’s objectives should first be considered.


The guidance does not introduce new legal requirements, but provides user-friendly, practical guidance for employers, including links to further reading and interactive tools. In the run up to the guidance being finalised in the early part of next year, employers should consider their practices for handling health information with a particular focus on purging information which is no longer needed for both current and former workers (noting that significant additional data was collected by some employers during the period of the pandemic).   

The consultation closes on 26 January 2023.

Employers who wish to contribute to the consultation can find further information here: ICO consultation on draft employment practices guidance – information about workers’ health

The draft guidance can be found here: Employment practices and data protection: information about workers' health | 27 October 2022