Processing of worker health information – Lexology
The Information Commissioner’s Office (ICO) has published draft guidelines on the handling of workers’ health information, which are open for consultation until early next year. Although titled “Employment Practices”, the guide applies to a much wider range of relationships, including employees, workers and contractors, and considers the legal bases for processing health information and how to do so transparently. This data is very sensitive and it is crucial that employers handle it correctly.
The COVID-19 pandemic has accelerated the pace of change in the workplace, and there has been increasing use of surveillance technologies as more employees work remotely. The ICO stresses that data protection should not be an obstacle to using new technologies to improve and develop employment practices. Instead, it should allow innovation to happen responsibly while building trust between employers and workers.
What kind of information?
The GDPR states that “‘data concerning health’ means personal data relating to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her state of health.” Examples include:
- sickness absence records;
- occupational health reports;
- disability information;
- alcohol/drug test results;
- information relating to benefits; and
- vaccination information.
Processing of worker health information
Due to the sensitivity of health information, there are additional rules that limit the circumstances in which data processing can take place. If employers wish to process workers’ health information, they must:
- be clear about why they are doing so (one of six legal bases); and
- be satisfied that they have a justified condition for processing it (five conditions).
The ‘accountability’ principle under data protection law requires that the employer takes responsibility for what it does with the information. A data protection impact assessment can help employers identify and minimize data protection risks. Such an assessment can identify problems at an early stage and prevent breaches of data protection legislation. This is particularly important where the purpose of processing the information is likely to result in a high risk to workers. It is therefore recommended to carry out such an assessment before collecting the data. A data protection officer can help monitor compliance, and appointing one is mandatory for employers who carry out certain processing activities.
Other key principles are fairness and transparency. Workers have the right to be informed of how their information is used and why. Employers must therefore be transparent with their workers when dealing with health information – they must inform workers that the information is being collected and state the reason(s) why, who will have access to it and under what circumstances. This may be set out in a data privacy notice, data protection policy or worker-specific communication.
Employers may only use health information for a new purpose if it is compatible with the original purpose, if specific consent is obtained from the worker, or if there is a clear legal obligation. Workers must be assured that their data is handled correctly, that it is not used for undisclosed purposes and that it is treated confidentially.
In short, employers should not collect more information than is necessary for the stated purpose, and should collect as little health information as possible. They should consider whether there is a way to collect information in a targeted way, rather than a catch-all approach that captures more information than necessary. Employers should handle information in a way that workers could reasonably expect and not in a way that could have undue negative effects on them.
Workers have the right to have their information erased when it is no longer needed. Employers should not retain information longer than necessary, should periodically review the information they hold, and should securely dispose of or anonymize information that is no longer needed.
It is essential that employers put in place appropriate security measures to protect information in accordance with the “integrity and confidentiality” principle of the GDPR. The level of security applied should reflect the sensitivity of the information. Physical records should be sealed or kept in locked cabinets, and electronic records should only be accessible to those who actually need them.
Employers should clearly explain why they are processing health information and be transparent about it with the worker before they start processing it. The most common legal bases include:
- Consent – The worker has given consent for the information to be processed for a specific purpose. Employers should exercise caution when relying on this basis because of the natural imbalance of power between employers and workers, which calls into question whether consent is genuinely freely given. To be valid, the worker must also be able to withdraw consent at any time.
- Contract – This applies where employers need to process workers’ health information to fulfill contractual obligations (for example, under the employment contract), such as carrying out an on-site drug test or paying sick pay.
- Legal obligation – This applies where employers need to process information to comply with the law, such as reporting “specific injuries” to the Health and Safety Executive.
- Legitimate interests – This applies where employers need to process information for their own legitimate interests or those of a third party, such as processing a disabled worker’s information to make their working environment more accessible. However, this basis will not apply if the worker’s interest in protecting this data outweighs those legitimate interests.
The ICO has developed a useful tool to help employers decide which legal basis applies.
In addition to having a legal basis, employers must meet one of 10 conditions for the processing of information. The most common relevant conditions include:
- Employment law, social security and social protection – This is relevant where the purpose is to ensure the health, safety and welfare of workers, or to keep records of statutory sick pay and maternity leave.
- Legal claims or judicial acts – This is relevant to establishing, exercising or defending legal claims, such as where a worker sues their employer over a work-related incident affecting their health.
- Substantial public interest – This is relevant to the processing of information for reasons of substantial public interest (e.g. child protection).
Due to the highly sensitive nature of the information and the rather onerous requirements set out in the GDPR, it is crucial that employers know what to consider when handling worker health information.