The guidance is wide ranging and explains the lawful basis on which an employer can collect and use the health information of their employees and any other individuals performing work or services on their behalf, such as hourly paid workers and independent contractors, and the conditions which apply to the processing of this information. The guidance also addresses some of the trickier areas for employers, including drugs and alcohol testing, genetic testing and ongoing health monitoring.
Status of the guidance
The guidance replaces Part 4 of the Employment Practices Code, which was published in 2011, and represents the ICO's up-to-date view on the compliance requirements and best practice when handling health information under the UK General Data Protection Regulation (679/2016/EU) (GDPR) and the Data Protection Act 2018. The guidance distinguishes between the steps that are legally required, the steps that reflect the ICO's expectations, and the steps that are merely recommended ways of complying, where compliance could also be achieved through other measures. In the event of a complaint relating to the processing of health information, the ICO will now have regard to whether the employer has followed the provisions of the guidance.
The guidance recognises that there are a wide range of reasons for an employer to process health information relating to its workers, in particular, in connection with managing sickness absence, complying with obligations owed to disabled workers and ensuring the health, safety and wellbeing of its workers. It considers how this processing can meet the conditions set out in the GDPR.
The "special category data" status of health information is underlined throughout the guidance. There is significant emphasis on limiting the collection of this information, treating this information as confidential and deleting this information promptly. It is clear that the ICO expects employers to give careful attention to their processing of health information given the intrusive nature of this information and the workers' legitimate expectations of privacy.
Notably, the guidance distinguishes between:
- Sickness records, which include details of the medical condition.
- Injury records, which contain details of the injury.
- Absence records, which simply record the fact of absence and the period.
This suggests that employers should consider using absence records where possible, and maintain sickness and injury records separately.
Occupational health referrals
The guidance contains a useful section on employers' use of occupational health providers which specialise in giving employers advice on fitness to work and potential modifications to the working arrangements in line with an employee's individual medical condition. Workers should be given clear information about the purposes of the occupational health referral and how the information received in response will be shared and used within the employer. In sensitive cases, the worker may request that the occupational health report is shared only with HR and the immediate line manager.
To the extent that it is necessary to ask the worker to provide access to their medical records for the purposes of the referral, the request should be targeted to the condition in question and blanket requests for all records must be avoided. The guidance only makes a brief reference to the employer entering into a data sharing agreement with the provider. Therefore, employers would be well advised to have a comprehensive agreement in place that identifies whether the provider is a "data controller" in its own right, sets out the responsibilities of each party and addresses practical issues such as responding to data subject access requests.
Drugs and alcohol testing
The guidance acknowledges that there may be circumstances in which an employer can ask a worker to undergo a medical examination, or a drugs and alcohol test, but this should only follow a careful assessment of the purpose of the test, the consequences of a particular result and any less intrusive measures to achieve the same objective. Commonly, these factors will be considered as part of a data protection impact assessment (DPIA). In particular, drug and alcohol testing should be restricted to ensuring health and safety at work, rather than to reveal the use of substances in an individual's private life.
Genetic testing
Genetic testing is referenced in the context of its potential use in informing employers of the likely future general health of workers, or of workers' genetic susceptibility to occupational diseases. However, the guidance highlights that genetic testing is still under development and that its predictive value remains uncertain. Against this background, the ICO gives a clear steer that genetic testing of workers will rarely, if ever, be justified.
Ongoing health monitoring
The guidance covers ongoing monitoring of workers' health, noting the development of health tracking technologies in the form of apps and wearables, and suggesting that this monitoring has increased as a result of the COVID-19 pandemic. The guidance distinguishes between the limited cases where this monitoring takes place for health and safety purposes, in which case the employer should complete a DPIA to balance the benefits against the impact on workers' privacy, and monitoring as part of employers' wellbeing initiatives, in which case participation should be entirely voluntary and the employer can rely on consent.
What does this mean for employers?
Overall, the guidance is a welcome tool for employers seeking to understand how they can lawfully handle their workers' health information.
A similar version of this article first appeared in the October 2023 issue of PLC Magazine.