In August 2023, the UK Information Commissioner’s Office (ICO) published guidance for employers on the handling of worker health data with the objective of providing best practice advice on how employers should comply with data protection legislation when collecting and processing worker health data.
The points of guidance are:
- Transparency: Given that health data (defined as personal data related to the physical or mental health of a natural person) is amongst the most sensitive personal data that an employer will process about its workers, the ICO Guidance reminds employers that the collection of information about workers’ health is “intrusive”, and is “highly intrusive” if the information is sensitive.
- Consent: The ICO Guidance states the importance of consent as a legal basis for processing data in an employment context. Consent must not be ambiguous and must involve clear affirmative action (e.g., using an opt-in). Workers must also be provided with the ability to easily withdraw their consent.
- Security: The ICO Guidance reminds organisations to ensure that they have high levels of technical and organisational security measures in place to keep workers’ health data secure. Employers should also know who in the organisation has access to workers’ health data and ensure that access to that data is restricted on a need-to-know-only basis.
- Lawfulness: Organisations must be clear about the applicable legal basis for processing health data, e.g., for compliance with a legal obligation.
- UK GDPR: UK organisations must ensure that personal data, including health data, is processed in accordance with UK GDPR principles, i.e., the principles of lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability.
In summary, where employers collect and use information regarding their workers’ health, the ICO has emphasised that an employer must (a) be clear about why they are doing so and (b) have justified reasons for collecting such data.