Employers have welcomed the updated guidance just released by the Information Commissioner’s Office (ICO) on how employers should process health data about their workers.
It is a notoriously sensitive subject to manage, and although the latest guidance does not propose any radical changes in the way companies fulfil their obligations in respect of data management, it does provide some very helpful examples about how to deal with this ‘special category’ data to help ensure that there can be no room for error.
‘Special category data’ is afforded the highest level of protection under data protection legislation (UK GDPR and the Data Protection Act 2018). Medical information is personal and sensitive and understandably employees will not always want private details shared with their employer. Yet employers are required to process information about the health of their employees for many different reasons such as paying sick pay or maternity pay or making reasonable adjustments for disabled employees as required under the Equality Act 2010. The latest guidance includes a section detailing the various lawful grounds which may be relied on for processing this type of data including:
- performance of a contract;
- complying with a legal obligation;
- legitimate interests; and
- (rarely) vital interests.
As we are dealing with ‘special category data’, employers will also need to demonstrate that processing the data is necessary for the purposes of one or more of the additional grounds under Article 9 of the UK GDPR (and potentially Schedule 1 of the Data Protection Act 2018), which include:
- complying with employment, social security and social protection law;
- the defence of legal claims; and
- substantial public interest.
The guidance warns against employers relying on consent as a legitimate ground to process data, explaining that:
‘This is because, as an employer, you will generally be in a position of power over your workers. They may fear adverse consequences and might feel they have no choice but to agree to the collection of their health information. Therefore, they cannot freely give their consent. If the worker has no genuine choice over how you use their information, you cannot rely on consent as a lawful basis.’
The second part of the updated guidance focuses on various workplace scenarios where processing health data may be an issue. It looks at the handling of data comprising sickness and injury records, occupational health schemes, medical examinations and testing for drug and alcohol use, as well as providing examples of when workers’ health information will need to be shared. There are also a number of useful checklists to help employers understand their obligations in respect of health information which can be found here.
This revised guidance is part of a wider campaign by the ICO to update its Employment Practices Data Protection Code to provide greater information and resources for employers. In doing so, its aim is to promote greater certainty for businesses and organisations about compliance and data protection rights.
We recommend employers review the guidance and consider their current practices. The ICO are really pushing companies to take more responsibility for compliant data management. If you have any concerns about the way in which you process the medical data of staff then please do not hesitate to contact a member of our team.