Guide to managing employee health data
This article was first written in January 2023 and updated in September 2023, following a recent important update from the Office of the Information Commissioner.
The updated guidance indicates:
- An email from an employee saying “yes, I’ll go” is unlikely to be reliable consent to participate in an occupational health assessment
- Occupational health reports should not be shared beyond those who explicitly need to see the report and HR should consider only sharing relevant parts (e.g. guidance on possible ‘reasonable adjustments’) with managers
- Businesses should not hold health data about employees without very clear reasons to do so and sufficient controls in place
Health data is special category data and attracts a number of special duties and responsibilities under data protection laws. This article is designed for employers and covers:
- Health data and recruitment
- Managing sickness absence records
- Referral to occupational health
- The limits of consent
- How health data should be stored
- Controlling access to health data
Managing employee health data
Data protection laws apply whenever you process information about your workers’ health.
This may happen when you:
- Use questionnaires to discover problems with a worker’s health
- Provide eye tests (e.g. for DSE usage)
- Use sickness absence forms or absence tracking tools
- Seek or hold occupational health reports
- Test employees for alcohol or drug use
- Have involvement in vaccinations (e.g. annual flu vaccinations)
Health data falls within a special category of data in law, which means there are limited circumstances in which the data can be processed. Data protection laws say that you must have clear and justified reasons for collecting and processing health data (for example, managing sickness absence or occupational health assessments).
This means employers will generally need a lawful basis to process workers’ health data under Article 6 and Article 9 of UK GDPR.
Notice. Many employers include these within staff handbooks or within the terms and conditions of employment.
The Office of the Information Commissioner (ICO) has a detailed guide to lawful and fair usage of data.
Can we process information about workers’ health?
Yes. Businesses are allowed to process health information about workers, but you must identify (and record) a legal basis for doing so.
Under GDPR, there are six bases for processing data:
- You have consent to do so
- You need to do so to fulfil a contract
- You need to do so to comply with the law
- It’s vitally necessary (e.g. to protect someone’s life)
- It’s necessary to fulfil a public task/acting in the public interest
- You have a legitimate interest in doing so (e.g. accommodating a disability)
It is always good practice to consider whether you may need to conduct a Data Protection Impact Assessment.
Health data and recruitment
The Equality Act 2010 prohibited making job offers conditional on satisfactory medical clearance and many employers have since ceased using “pre-employment questionnaires”.
However, it is still possible to make conditional job offers and then seek medical clarification of fitness for role. This is to assess health risks and ensure compliance with the Act, for example, to understand whether reasonable adjustments may need to be made.
If medical questionnaires are used to assess health risks the questions asked should be limited and relevant. The ICO advises “it should be left to medical professionals to have access to and interpret detailed medical information for you”. Furthermore, the ICO also says “…interpretation of medical information should be left to a suitably qualified health professional”. Completed medical questionnaires should not generally be held by the employer.
You must not obtain or use more health information than you need, collecting as little information as you need from as few workers as possible. You should not collect health information purely in case it might be useful in the future.
Some roles, such as those working in hazardous environments or with environmental risks, may require you to obtain and process more information.
Physical medical examination and testing are intrusive and should only be used to obtain information where this is necessary to meet your purposes for carrying these out (e.g. managing a health and safety risk).
Less intrusive ways of assessing medical risk, such as using questionnaires, must be considered first before commencing with any physical testing.
It is generally legitimate to process health data for health and safety purposes, as long as it is reasonable and proportionate.
How should we manage sickness absence records?
There is an important distinction between sickness, injury and absence records:
- Sickness records often contain details about the illness or condition driving an absence from work
- Absence records may give a reason for absence such as “sickness” but do not usually include the specific condition
- Injury records are distinct from accident records if they include the details of any injury caused by an accident
Data protection law does not prevent businesses from keeping sickness and injury records. This is because they are necessary to review the ability of workers to undertake their work, or for identifying health and safety hazards, or related to the payment of health-related benefits.
The ICO says “No ‘league tables’ of sickness absences of individual workers should be published where everyone can see a person’s sickness, injury or absences. This would be intrusive to workers’ privacy and disproportionate to any managerial benefit.”
To process sickness and injury records, you can rely on legitimate interests or legal obligation as your lawful basis and the employment law condition for processing.
An employer is reasonably likely to need to process sickness records to meet legal obligations, such as health and safety and disability obligations, or to avoid unfair dismissal on the grounds of absence.
What about referring to occupational health?
Workers must be told, preferably in writing, how an employer will use their personal information, who it may be available to and why.
It is especially important to let workers know if their line manager will have access to the information they supply to a health professional (or any report arising from the referral).
Medical information about individual workers should only be shared with managers where it is necessary to do so, so they can fulfil their management duties.
The ICO also says “…as far as possible, an occupational health advisor should hold the medical information about a worker…”.
Sharing medical information given by a worker to an occupational health practitioner is restricted by data protection law, as well as a duty of confidence. Generally, you should obtain explicit consent for the release of such information to non-medical personnel, such as managers.
Employers must not compromise the confidentiality of communications between workers and health professionals. If workers are using work email accounts or phones to liaise with an occupational health practitioner, these must not be monitored or compromised in any way.
You should not ask workers to consent to sharing or disclosing their entire medical record (or other records e.g. hospital records), as you are highly unlikely to need to see their entire record.
What do we have to tell workers?
If you’re going to process health information about a worker, you must be fair and transparent about what you’re doing and why.
You must tell workers who will have access to their information and in what circumstances it may be used. You must use clear and plain language when you communicate with workers.
You should never attempt to collect health data from workers covertly.
You could advise workers of how and why you’re processing health data via:
- Individual letter or email
- Within your staff handbook
- In a Privacy Notice on your intranet
Essentially, you must explain “what, why and how much” information will be collected. You must advise workers what rights they have under data protection law.
If they are referred to an occupational health doctor or nurse, you should let them know what sort of information you will receive as a result (we also cover this element on behalf of employers in our
The limits of consent
Although you may ask a worker to give consent to processing their health data, the ICO has published guidance which suggests it may be difficult to solely rely on employee consent as a legal basis for processing health data.
This is because employers will generally be in a position of power over workers. The worker may be concerned about negative consequences if they do not agree to the collection of their health information. Therefore, their consent may not be considered as freely given.
The ICO suggests you should avoid relying on consent unless you are confident you can demonstrate it is freely given. Workers must be able to say ‘no’ without fear of negative consequences. They must also be able to withdraw their consent at any time.
Consent can be a complex topic, but the ICO has a handy bullet point guide to consent available.
The ICO advises that relying on the ‘legitimate interest’ basis may be better if you cannot demonstrate that consent has been freely given.
Our free ‘Consent, GDPR & Occupational Health’ leaflet has a suggested template you can use when seeking consent from employees, which covers the legal basis for engaging occupational health.
How should we store health data?
GDPR requires businesses to have appropriate security measures in place to protect employee data. This is called the ‘security
Information about workers’ health must be kept particularly securely. The ICO suggests that:
- Access should be limited to only those who need to see it
- Information should be password protected wherever possible
- Electronic files should be encrypted if possible
- If a hard copy exists, it should be kept in a sealed envelope in a locked cabinet
- If you can, keep health information on a separate database or system, or subject to separate access
Furthermore, the ICO suggests “Given that health information is special category data, the level of security required is a high one. Unless you apply a particularly high level of security to all employment records, it is likely that health information about your workers will need to be singled out for special treatment.”
Sickness and injury records with details of a worker’s illness or medical condition should be kept separately from other less sensitive information, such as basic absence records.
Who can access health data?
You must consider who has access to worker health information. The principle of ‘need to know’ should be strictly applied.
The ICO suggests “As far as possible, access to information on medical conditions should be limited to health professionals, such as doctors and nurses.
Managers should only have access where it is necessary for them to undertake their management responsibilities and this should be limited to only the information they need to meet their obligations.” This is likely to be limited to information about a worker’s current or likely future fitness to work.
Employers must not make the sickness, injury or absence records of individual workers available to other workers, unless it is necessary for them to do their jobs.
It is the employer’s responsibility to make sure that managers are aware that sickness and injury records are highly sensitive data and how they should be handled.
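The segregation and need-to-know principles in the storage and access sections above, shown as an added illustration rather than anything from the ICO guidance or this article: absence records carry only a reason category, detailed medical information stays within occupational health, and managers and HR receive only the fields (fitness to work, reasonable adjustments) they need. The roles, field names and sample values are constructed assumptions.

```python
from dataclasses import dataclass, asdict
from typing import Optional

# Absence records are kept apart from sickness records: they hold a reason
# category only, never the illness or condition behind the absence.
ABSENCE_REASONS = frozenset({"sickness", "annual leave", "parental leave", "other"})


@dataclass(frozen=True)
class AbsenceRecord:
    worker_id: str
    start: str
    end: Optional[str]
    reason: str  # category only; the condition lives in the OH report

    def __post_init__(self) -> None:
        if self.reason not in ABSENCE_REASONS:
            raise ValueError(f"absence reason must be a category, not a condition: {self.reason!r}")


@dataclass(frozen=True)
class OccupationalHealthReport:
    worker_id: str
    diagnosis: str                 # detailed medical information: OH professionals only
    clinical_notes: str            # detailed medical information: OH professionals only
    fit_to_work: str               # e.g. "fit with adjustments"
    reasonable_adjustments: tuple  # the part a manager actually needs to act on
    review_date: str


# Fields each role needs to fulfil its duties; anything not listed is withheld.
# Role names are assumptions for this example.
VISIBLE_FIELDS = {
    "occupational_health": None,  # full report
    "hr": ("worker_id", "fit_to_work", "reasonable_adjustments", "review_date"),
    "line_manager": ("worker_id", "fit_to_work", "reasonable_adjustments"),
}


def view_for(report: OccupationalHealthReport, role: str) -> dict:
    """Return the subset of the report that `role` is permitted to see."""
    if role not in VISIBLE_FIELDS:
        # Colleagues and any other role have no need to see health data at all.
        raise PermissionError(f"role {role!r} has no need to see health data")
    fields = VISIBLE_FIELDS[role]
    full = asdict(report)
    return full if fields is None else {k: full[k] for k in fields}
```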
How long can we store health data?
You should not keep personal information longer than you need it. It is good practice to identify the data you’re holding and create a retention schedule, which specifies how long you will need to keep the data.
The ICO advises periodically reviewing the health information you hold and erasing or anonymising it when you no longer need it.
Workers also have a right to erasure if you no longer need the information for the purposes for which it was collected.
Some health data (e.g. COSHH, Control of Lead, Control of Asbestos) must be kept for 40 years and Ionising Radiation Regulations data for 30 years.
If you keep health information to comply with health and safety requirements, you are unlikely to be considered to have kept the information for longer than necessary.
If you discover that health information is incorrect at any time, you must take reasonable steps to correct or erase it as soon as
Employers have legal duties and responsibilities and the key steps for any business to remember are:
- Health data is highly sensitive and is a special category of data under GDPR, including sickness and injury records
- You must have a legal basis for processing any health data of any worker which must be communicated to employees
- The worker must be told what is being processed, by whom, why, how and who will have access to the information
- Ideally only medical professionals should hold or process medical information; employers should not hold medical questionnaire results
- Health data must be stored securely, under controlled access conditions, ideally encrypted and segregated
- The ICO ‘Information on Worker’s Health’ site has extensive guidance and resources available for employers