Do you need to update the way you collect employee health data?
Late last month, the Information Commissioner’s Office (ICO) published new guidance on the processing of health data for workers.
As almost all businesses will process data concerning the health of their staff, all employers are well advised to review this new guidance. The consequences of failing to comply with data protection requirements in respect of such information can be significant from both a financial and reputational perspective.
The new guidance can be accessed at the following link:
Who is the guidance aimed at?
The guidance is aimed at employers to help them understand their data protection obligations when handling information about the health of their staff.
The ICO explained that the guidance aims to help provide greater regulatory certainty, protect workers’ data protection rights and help employers to build trust with workers.
The ICO specifically states that it applies to workers, not just employees, recognising that health data will also be collected and processed in casual working relationships.
What is health data?
Data concerning health means “personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status”.
A key message of the guidance is that health information is among the most sensitive personal information an employer will process about its workers. It is therefore classified as special category personal data and is granted enhanced protection under the UK data protection laws. Employers cannot process health data without meeting specific requirements, which are set out in the guidance.
What does the guidance say?
The guidance is split into two parts. To assist employers, the guidance explains what employers must do to meet their legal obligations and what they could and should do in order to comply with standards of good practice.
The first part of the guidance covers the legal requirements in this area, including:
- Compliance with the stricter statutory requirements for processing special category personal data;
- Providing workers with relevant information about how their health data is processed by employers;
- Whether the employer should carry out data protection impact assessments before processing any worker’s health data, suggesting that this will be needed for particularly intrusive processing such as medical testing; and
- Data minimisation and security strengthening.
The second part of the guidance considers practical situations and how employers can address them, including:
- Managing sick absence records;
- Occupational health schemes;
- Conducting drugs and alcohol testing; and
- Relying on consent to processing in the employment context.
The guidance also provides a set of checklists that give employers a quick overview for reviewing their data protection considerations whenever they need to process workers’ health information.
Do you need to update your approach?
The guide is useful in that it explains the data protection principles that apply to health data in an employment context by reference to practical examples. This can assist employers in identifying where they may need to amend their practices and documents such as privacy notices and data protection policies.
How can Taylor Walton help you?
If you are concerned about your organisation’s compliance with the above requirements please contact the Taylor Walton Employment Team for tailored advice here.
Disclaimer: General Information Provided Only
Please note that the contents of this article are intended solely for general information purposes and should not be considered as legal advice. We cannot be held responsible for any loss resulting from actions or inactions taken based on this article.