Guide to managing employee health data
Health data is special category data and attracts a number
of special duties and responsibilities under data protection laws. This article
is designed for employers and covers:
- Health data and recruitment
- Managing sickness absence records
- Referral to occupational health
- The limits of consent
- How health data should be stored
- Controlling access to health data
Managing employee health data
Data protection laws apply whenever you process information
about your workers’ health.
This may happen when you:
- Use questionnaires to discover problems with a worker's health
- Provide eye tests (e.g. for display screen equipment (DSE) users)
- Use sickness absence forms or absence tracking tools
- Seek or hold occupational health reports
- Test employees for alcohol or drug use
- Have involvement in vaccinations (e.g. annual flu vaccinations)
Health data falls within a special category of data in
law, which means there are limited circumstances in which it can be
processed. Data protection laws say that you must have clear and justified
reasons for collecting and processing health data (for example, managing
sickness absence or occupational health assessments).
This means employers will generally need both a lawful basis under
Article 6 of UK GDPR and a separate condition for processing special category
data under Article 9.
You must document the purposes of any data
processing and tell workers about them, which is usually done via a Privacy Policy or Privacy
Notice. Many employers include these within staff handbooks or within the Terms
and Conditions of employment.
The Information Commissioner's Office (ICO) has a
detailed guide to lawful
and fair usage of data.
Can we process information about workers’ health?
Yes. Businesses are allowed to process health information
about workers, but you must identify (and record) a lawful basis for doing so,
together with a condition for processing special category data (for workers'
health data this is usually the employment law condition).
Under UK GDPR, there are six lawful bases for processing data:
- You have consent to do so
- It is necessary to perform a contract with the worker
- It is necessary to comply with a legal obligation
- It is necessary to protect someone's vital interests (e.g. their life)
- It is necessary for a public task or for acting in the public interest
- You have a legitimate interest in doing so that is not overridden by the worker's own interests and rights (e.g. accommodating a disability)
You can read more about these legal justifications for
processing data on the ICO
website and the ICO also has an online tool to help you identify
the correct basis for processing data.
It is always good practice to consider whether you may need
to conduct a Data
Protection Impact Assessment.
Health data and recruitment
The Equality Act 2010 restricts asking candidates about their health before a job offer is made, and
many employers have since ceased using “pre-employment questionnaires”.
However, it is still possible to make conditional job offers and then seek
medical confirmation of fitness for the role. This is to assess health risks and
ensure compliance with the Act, for example, to understand whether reasonable
adjustments may need to be made.
If medical questionnaires are used to assess health risks the
questions asked should be limited and relevant. The ICO advises “it should be
left to medical professionals to have access to and interpret detailed medical
information for you”. Furthermore, the ICO also says “…interpretation of
medical information should be left to a suitably qualified health
professional”. Completed medical questionnaires should not generally be held by
the employer.
You must not obtain or use more health information than you
need, collecting as little information as you need from as few workers as
possible. You should not collect health information purely in case it might be
useful in the future.
Some roles, such as those working in hazardous environments
or with environmental risks, may require you to obtain and process more
information.
Physical medical examination and testing are intrusive and
should only be used to obtain information where this is necessary to meet your
purposes for carrying these out (e.g. managing a health and safety risk).
Less intrusive ways of assessing medical risk, such as using
questionnaires, must be considered first before commencing with any physical
testing.
It is generally legitimate to process health data for health
and safety purposes, as long as it is reasonable and proportionate.
How should we manage sickness absence records?
There is an important distinction between sickness, injury
and absence records:
- Sickness records often contain details about the illness or condition driving an absence from work
- Absence records may give a reason for absence such as “sickness” but do not usually include specific condition related details
- Injury records go beyond accident records where they include the details of the injury an accident caused
Data protection law does not prevent businesses from keeping
sickness and injury records. This is because they are necessary to review the
ability of workers to undertake their work, or for identifying health and
safety hazards, or related to the payment of health-related benefits.
The ICO says “No ‘league tables’ of sickness absences of
individual workers should be published where everyone can see a person’s
sickness, injury or absences. This would be intrusive to workers’ privacy and
disproportionate to any managerial benefit.”
To process sickness and injury records, you can rely on legitimate interests or legal obligation as
your Article 6 lawful basis, together with the employment law condition for processing special category data.
An employer is reasonably likely to need to process sickness
records to meet legal obligations, such as health and safety and disability
obligations, or to handle absence-related dismissals fairly.
What about referring to occupational health?
Workers must be told, preferably in writing, how an employer
will use their personal information, who it may be available to and why.
It is especially important to let workers know if their line
manager will have access to the information they supply to a health
professional (or any report arising from the referral).
Medical information about individual workers should only be
shared with managers where it is necessary to do so, so they can fulfil their
management duties.
The ICO also says “…as far as possible, an occupational
health advisor should hold the medical information about a worker…”.
Sharing medical information given by a worker to an
occupational health practitioner is restricted by data protection law, as well
as a duty of confidence. Generally, you should obtain explicit consent for the
release of such information to non-medical personnel, such as managers.
Employers must not compromise the confidentiality of
communications between workers and health professionals. If workers are using
work email accounts or phones to liaise with an occupational health practitioner,
those communications must not be monitored or intercepted in any way.
You should not ask workers to consent to sharing or
disclosing their entire medical record (or other records e.g. hospital
records), as you are highly unlikely to need to see their entire record.
What do we have to tell workers?
If you’re going to process health information about a
worker, you must be fair and transparent about what you’re doing and why. You
must tell workers who will have access to their information and in what circumstances
it may be used. You must use clear and plain language when you communicate with
workers.
You should never attempt to collect health data from workers
covertly.
You could advise workers of how and why you’re processing
health data via:
- Individual letter or email
- Within a Privacy Notice, Privacy Policy or Data Protection Policy
- Within your staff handbook
- In a Privacy Notice on your intranet
Essentially, you must explain “what, why and how much”
information will be collected. You must advise workers what rights they have
under data protection law. If they are referred to an occupational health
doctor or nurse, you should let them know what sort of information you will
receive as a result (we also cover this element on behalf of employers in our
consent process).
The limits of consent
Although you may ask a worker to give consent to processing
their health data, the ICO has published
guidance which suggests it may be difficult to solely rely on employee
consent as a legal basis for processing health data.
This is because employers will generally be in a position of
power over workers. The worker may be concerned about negative consequences if
they do not agree to the collection of their health information. Therefore,
their consent may not be considered as freely given.
The ICO suggests you should avoid relying on consent unless
you are confident you can demonstrate it is freely given. Workers must be able
to say ‘no’ without fear of negative consequences. They must also be able to
withdraw their consent at any time.
Consent can be a complex topic, but the ICO has a handy bullet
point guide
to consent available.
The ICO advises that relying on the ‘legitimate
interests’ basis may be more appropriate if you cannot demonstrate that consent has been freely
given.
Our free ‘Consent,
GDPR & Occupational Health’ leaflet has a suggested template you can
use when seeking consent from employees, which covers the legal basis for
engaging occupational health.
How should we store health data?
GDPR requires businesses to have appropriate security
measures in place to protect employee data. This is called the ‘security
principle’ (integrity and confidentiality).
Information about workers’ health requires a higher standard of
security than ordinary employment records. The ICO suggests that:
- Access should be limited to only those who need to see it
- Information should be password protected wherever possible
- Electronic files should be encrypted if possible
- If a hard copy exists, it should be kept in a sealed envelope in a locked cabinet
- If you can, keep health information on a separate database or system, or subject to separate access controls
Furthermore, the ICO says “Given that health information
is special category data, the level of security required is a high one. Unless
you apply a particularly high level of security to all employment records, it
is likely that health information about your workers will need to be singled
out for special treatment.”
Sickness and injury records with details of a worker’s
illness or medical condition should be kept separately from other less
sensitive information, such as basic absence records.
Who can access health data?
You must consider who has access to worker health
information. The principle of ‘need to know’ should be strictly applied.
The ICO says “As far as possible, access to information
on medical conditions should be limited to health professionals, such as
doctors and nurses.
Managers should only have access where it is necessary for
them to undertake their management responsibilities and this should be limited
to only the information they need to meet their obligations.” This is likely to
be limited to information about a worker’s current or likely future fitness to
work.
Employers must not make the sickness, injury or absence
records of individual workers available to other workers, unless it is
necessary for them to do their jobs.
It is the employer’s responsibility to make sure that
managers are aware that sickness and injury records are highly sensitive data
and how they should be handled.
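The storage and access sections above describe the same design: hold sickness detail in a store separate from basic absence records, apply need-to-know strictly, and give managers only a worker's fitness to work rather than the condition itself. The following is an added worked example of those controls; it is not code from the original article, the ICO or any HR product. It assumes a hypothetical HR system with two separate stores, three roles and a worker-to-manager mapping; the role names, record fields, identifiers and sample records are all assumptions or constructed sample data.

```python
"""Segregated storage and need-to-know access for worker health records.

Added example for this article: not code from the original page, the ICO or
any HR product. It assumes a hypothetical HR system with two separate stores
(a basic absence log and an occupational-health sickness store), three roles
and a worker-to-manager mapping; every name and record below is an assumption
or constructed sample data.
"""
from dataclasses import asdict, dataclass
from datetime import date
from enum import Enum
from typing import Dict, List, Optional


class Role(Enum):
    WORKER = "worker"
    LINE_MANAGER = "line_manager"
    OCC_HEALTH = "occupational_health"


@dataclass(frozen=True)
class Actor:
    actor_id: str
    role: Role


@dataclass(frozen=True)
class AbsenceRecord:
    """Basic absence record: a reason category such as 'sickness', never a diagnosis."""
    worker_id: str
    start: date
    end: Optional[date]
    reason: str


@dataclass(frozen=True)
class SicknessRecord:
    """Special category data: medical detail plus the fitness-to-work advice."""
    worker_id: str
    absence_start: date
    condition: str        # diagnosis/condition: occupational health (and the worker) only
    fitness_summary: str  # current or likely future fitness to work: what a manager may see


class HealthRecordStore:
    """Two separate stores with separate access rules, plus an audit trail of reads."""

    def __init__(self, reports_to: Dict[str, str]):
        self._reports_to = reports_to              # worker_id -> line manager's actor_id
        self._absences: List[AbsenceRecord] = []   # low-detail store
        self._sickness: List[SicknessRecord] = []  # segregated medical store
        self.audit_log: List[str] = []

    def add_absence(self, rec: AbsenceRecord) -> None:
        self._absences.append(rec)

    def add_sickness(self, actor: Actor, rec: SicknessRecord) -> None:
        # Only occupational health writes medical detail; managers never do.
        if actor.role is not Role.OCC_HEALTH:
            raise PermissionError(f"{actor.actor_id}: only occupational health may record medical detail")
        self._sickness.append(rec)

    def _is_managers_report(self, actor: Actor, worker_id: str) -> bool:
        return actor.role is Role.LINE_MANAGER and self._reports_to.get(worker_id) == actor.actor_id

    def absences_for(self, actor: Actor, worker_id: str) -> List[AbsenceRecord]:
        """Absence log: visible to the worker, their own line manager and occupational health."""
        if not (actor.actor_id == worker_id
                or self._is_managers_report(actor, worker_id)
                or actor.role is Role.OCC_HEALTH):
            raise PermissionError(f"{actor.actor_id} has no need to know {worker_id}'s absences")
        self.audit_log.append(f"{actor.actor_id} read absences of {worker_id}")
        return [a for a in self._absences if a.worker_id == worker_id]

    def sickness_for(self, actor: Actor, worker_id: str) -> List[dict]:
        """Sickness store: full record for OH and the worker; fitness summary only for the manager."""
        recs = [s for s in self._sickness if s.worker_id == worker_id]
        if actor.role is Role.OCC_HEALTH or actor.actor_id == worker_id:
            self.audit_log.append(f"{actor.actor_id} read full sickness record of {worker_id}")
            return [asdict(s) for s in recs]
        if self._is_managers_report(actor, worker_id):
            # Field-level filtering: the condition never leaves the medical store.
            self.audit_log.append(f"{actor.actor_id} read fitness summary of {worker_id}")
            return [{"worker_id": s.worker_id, "absence_start": s.absence_start,
                     "fitness_summary": s.fitness_summary} for s in recs]
        raise PermissionError(f"{actor.actor_id} has no need to know {worker_id}'s medical details")


def build_sample_store() -> HealthRecordStore:
    """Constructed sample data (not real records): one worker, one manager, one OH nurse."""
    store = HealthRecordStore(reports_to={"w-1001": "mgr-07"})
    oh_nurse = Actor("oh-nurse-1", Role.OCC_HEALTH)
    store.add_absence(AbsenceRecord("w-1001", date(2024, 3, 4), date(2024, 3, 8), "sickness"))
    store.add_sickness(oh_nurse, SicknessRecord(
        "w-1001", date(2024, 3, 4),
        condition="lower back injury",
        fitness_summary="fit to work with adjusted seating; review in four weeks"))
    return store


if __name__ == "__main__":
    store = build_sample_store()
    manager = Actor("mgr-07", Role.LINE_MANAGER)
    print(store.sickness_for(manager, "w-1001"))  # fitness summary only, no condition
    try:
        store.sickness_for(Actor("mgr-99", Role.LINE_MANAGER), "w-1001")
    except PermissionError as exc:
        print("denied:", exc)
    print(store.audit_log)
```

The point of the two-store layout is that a manager's query is answered from a filtered view and can never return the `condition` field, so a mistake in a report or a compromised manager account exposes fitness-to-work advice rather than diagnoses. The audit log gives you the record of who read what, which is what you will need when a worker asks how their health information was used.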
How long can we store health data?
You should not keep personal information longer than you
need it. It is good practice to identify the data you’re holding and create a
retention schedule, which specifies how long you will need to keep the data.
The ICO advises periodically reviewing the health
information you hold and erasing or anonymising it when you no longer need it.
Workers also have a right to erasure if you no longer need the information for
the purposes for which it was collected.
Some health data (e.g. COSHH, Control of Lead, Control of
Asbestos) must be kept for 40 years and Ionising Radiation Regulations data for
30 years.
If you keep health information to comply with health and
safety requirements, you are unlikely to be considered to have kept the
information for longer than necessary.
If you discover that health information is incorrect at any
time, you must take reasonable steps to correct or erase it as soon as
possible.
Summary
Employers have legal duties and responsibilities and the key
steps for any business to remember are:
- Health data is highly sensitive and is a special category of data under GDPR, including sickness and injury records
- You must have a legal basis for processing any health data of any worker which must be communicated to employees
- The worker must be told what is being processed, by whom, why, how and who will have access to the information
- Ideally only medical professionals should hold or process medical information, employers should not hold medical questionnaire results
- Health data must be stored securely, under controlled access conditions, ideally encrypted and segregated
About Occupational Health Assessment Ltd – A Nationwide Occupational Health Provider
Occupational Health Assessment Ltd provides rapid access to expert occupational health support for businesses across
the United Kingdom. Appointments are available nationwide within two
days.
With a unique occupational health assessment service, night worker health assessments, fitness certifications and access to clinics in Belfast, Birmingham, Bradford, Brighton, Bristol, Cardiff, Coventry, Derby, Edinburgh, Glasgow, Hull, Leeds, Leicester, Liverpool, London, Manchester, Newcastle, Northampton, Nottingham, Plymouth, Portsmouth, Reading, Sheffield, Southampton, Stoke, Surrey and more, the business provides high quality, expert medical advice.
Please contact us for further information or assistance.