Data protection and best employment practice: Understanding the ICO's worker health guidance
Welcome back to our series on data protection and best employment practice.
The Information Commissioner’s Office (ICO) is building a resource of topic-specific guidance documents on employment practices regarding data protection.
These draft guidance documents will reflect different topic areas and will be released in stages, with the resource building over time.
In this article Sean Garmory, solicitor in our employment team, explains the latest employer guidance on handling information about workers’ health, and what it could mean for employers.
About the ICO’s worker health guidance
The ICO has released draft guidance on handling “information about worker health”, and began a consultation which closed on 26 January 2023.
The draft document, titled “Employment practices and data protection: information about workers’ health”, advises when employers may find themselves processing worker health information and how to ensure that they do so lawfully in line with data protection legislation.
There are also practical examples of situations where data protection legislation may impact employee management processes.
When might you need to process information about a worker’s health?
First and foremost, any employment lawyer or human resources/employee relations expert will notice the use of the word worker throughout the ICO’s guidance.
To clarify at the outset, this is not a “worker” in an employment status context.
For the purpose of the ICO’s guidance (and this article), the term worker refers to any staff whether they are employees, volunteers, contractors, workers or other gig workers.
As many of us know from practice, there are numerous scenarios where processing worker health information is a necessity for employee management. These include:
- sickness absence and injury records;
- recruitment questionnaires (identifying disabilities/reasonable adjustments);
- occupational health reports;
- medical examinations of staff;
- return to work interviews; and
- fitness for work assessments.
Ultimately any data an employer holds that concerns or reveals information regarding a person’s health will be within the scope of worker health data and this guidance will be applicable.
How can employers ensure they are lawfully processing data about worker health?
When considering processing personal data, an employer must ensure that they have a valid lawful basis under Article 6 UK GDPR.
The lawful bases likely to apply in processing worker health information are as described below:
Consent
Consent is a very common lawful basis. The difficulty in using consent to process worker health information is that it must be freely given and data subjects must also be able to freely withdraw it. If the fact that data subjects may not consent to the processing (or may withdraw it at any time) is incompatible with the employer’s purpose for processing, then this lawful basis is probably unsuitable.
Contract
In an employee/employer situation, the reliance on the employment contract will be very common for processing worker health information.
Public task
If you are instructed to collect information relating to worker health by an official authority, you can rely on the ‘public task’ lawful basis. For example, the Government instructed employers to collect health data relating to COVID-19 to manage the overall spread across the country.
Legal obligation
As employers have numerous responsibilities under health and safety legislation regarding the workplace, their legal obligations provide a lawful basis for the worker health processing they are required to do.
Legitimate interest
When undertaking capability processes, sickness absence management or otherwise considering reasonable adjustments, the relevant lawful basis is likely to be legitimate interests.
Vital interests
In a life or death scenario, an employer may use this as a legal basis to process personal data. However, the ICO is insistent that if there is a less intrusive method than processing the data, then the employer would be expected to use this alternative approach.
Data concerning health is defined under UK GDPR as special category data.
This means, alongside the usual requirement of a lawful basis as above, you must meet a specific condition under Article 9 to process this data. The conditions are as follows:
- explicit consent;
- employment, social security and social protection (if authorised by law);
- vital interest;
- not-for-profit bodies;
- made public by the data subject;
- legal claims or judicial acts;
- reasons of substantial public interest (with a basis in law);
- health or social care (with a basis in law);
- public health (with a basis in law); and
- archiving, research and statistics (with a basis in law).
In processing special category data using the ‘reasons of substantial public interest’ specific condition, you will likely be required to have appropriate policy documentation in place.
This document should demonstrate that the processing of the worker health information is compliant with the UK GDPR principles (lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, security and accountability).
Specifically, in relation to storage limitation, you should outline any retention policies with respect to the data and the purpose for processing.
As processing worker health information is undoubtedly intrusive and high risk, an employer would also be required to undertake a data protection impact assessment (DPIA).
Purpose and transparency
To ensure you’ve complied with the ‘data minimisation’ principle, it is particularly important to make sure you collect and retain only the minimum amount of special category data and can justify why you need this specific type of data.
In order to assess whether you are holding the right amount of personal data, you must first be clear about why you need it.
The DPIA can help hold you to account, as these assessments set out a clear purpose. For health data, it is particularly important to make sure you collect and retain only the minimum amount of information.
An employer should therefore only collect and process the data specifically needed for their purpose. This accountability to the DPIA avoids “function creep”.
For example, where you are specifically considering the capability of a single employee, you will only need to process particular information about that specific individual.
If you collect the same level of information for all staff, it is likely to be excessive and irrelevant.
However, if you run an industrial facility and need to track any potential hearing issues of your staff, then processing the same level of information for a large part of your workforce (subject to potential anonymisation and acting in line with your DPIA) is more likely to be appropriate and justifiable.
Furthermore, you must not collect personal data on the off-chance that it might be useful in the future.
If your purposes change over time or you want to use data for a new purpose which you did not originally anticipate, you can only go ahead if:
- the new purpose is compatible with the original purpose;
- you get the individual’s specific consent for the new purpose; or
- you can point to a clear legal provision requiring or allowing the new processing in the public interest – for example, a new function for a public authority.
The original lawful basis you used to collect the data may not always be appropriate for your new use of that data.
You need to make sure that you update your privacy information to ensure that your processing is transparent.
What steps should employers take next?
The key takeaway from the ICO’s draft guidance for employers on processing worker health information is that employers need to ensure, on an ongoing basis, that they are collecting data for a consistent and transparent purpose.
The type of information processed may develop and change during the worker’s time with the employer, and employers must remain adaptable and accountable to ensure they do not fall foul of “function creep”.
Employers should not be afraid to maintain their DPIAs as “living documents”.
We recommend DPIAs are constantly created, undertaken and updated regarding the worker health information that employers process.
At the outset, the worker health data collected from a recruitment questionnaire serves a specific process, but should a worker develop a specific health need during employment, the employer must ensure a DPIA accounts for this new purpose and maintains the employer’s compliance with the UK GDPR principles.
Data protection advice
Our Data Protection team can provide bespoke advice on your processing of worker health information, whether you require support in completing the relevant data protection impact assessments or practical advice on your employee management processes.
For more information on data protection issues, contact our data protection team. For advice on employment issues, get in touch with our employment team.
Alternatively, contact Alex Craig, partner and key contact for data protection, using [email protected] or 0191 211 7911.