Under the UK’s data protection law regime, health data is considered particularly sensitive. UK employers often process health data about staff (e.g. information about sickness leave). However, doing so gives rise to various legal rules.
The UK ICO (the data protection regulator) has recently published detailed guidance to help employers comply with their legal obligations under data protection law when processing health data.
In this legal update, we’ll explore what the guidance entails and some key tips for employers.
You can find the ICO’s guidance here.
You may also wish to consider our guidance on data protection challenges for HR here, which touches upon certain topics covered in the ICO’s guidance.
Why Is Health Data So Important Under UK GDPR?
Let’s start with the basics. Data about an individual’s health is extremely sensitive. Often, employers will use this data during the employment relationship.
For example, the ICO mentions health data being used in the form of:
- Sickness absence forms.
- Results of alcohol or blood tests.
- Information about impairment or disability.
The UK GDPR and Data Protection Act 2018 set out stringent rules about processing health data. Health data is classed as ‘special category personal data’.
Special category data means:
- Any personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.
- Data concerning health or a natural person's sex life or sexual orientation.
- Genetic or biometric data processed for the purpose of uniquely identifying a natural person.
The UK GDPR defines ‘health data’ as: ‘personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status’.
Special category data receives enhanced protection under the UK GDPR, given how sensitive it is. Since health data is a form of special category data, employers must follow various additional rules when using it – this is a mandatory legal requirement, not best practice.
The ICO notes that in an employment context, the rules to follow cover the collection and use of information about a worker’s physical or mental health or condition. Its new guidance sets out various issues for employers to consider.
The ICO’s Guidance For Employers
The ICO’s guidance is extremely detailed. It explains the legal rules for employers to follow and best practice suggestions. Employers should consult the guidance and may find the ICO’s checklists helpful to review and work through internally.
The ICO notes that the new guidance aims to:
- Provide greater regulatory certainty.
- Protect workers’ data protection rights.
- Help employers to build trust with workers.
The ICO’s guidance sets out various information, including:
- How the UK GDPR and Data Protection Act 2018 apply in the context of health data.
- The background to complying with the legal rules on processing special category data, giving workers information about how their data will be processed, and performing data protection impact assessments before health data is processed.
- Guidance on issues such as data minimisation and security.
- Specific workplace scenarios and how the health data rules apply to them, for example the issues to consider around managing sickness records, occupational health schemes, drug and alcohol testing, and sharing worker health data.
Key Issues For Employers
Whilst some of the guidance explores niche issues that may not be relevant to all employers, here are some key themes which will be common for most employers:
Know The Rules Apply To All Staff, Not Just Employees
Organisations should note that the rules on health data don’t just apply to employees. They apply to anyone who performs work for an organisation. So, you’ll need to comply with the rules not just for your employees, but for all staff (e.g. contractors, freelancers, volunteers and agency workers too). It’s easy to overlook this if you only collect health data from freelancers occasionally, so make sure your processes cover them as well.
Ensure You Are Transparent With Workers
If you’re processing health information about workers, you need to be transparent about it. You must tell workers exactly why you’ll use their health data, along with the other information required by the UK GDPR (such as who it will be shared with and how long it will be kept). Commonly, employers give staff a Privacy Notice telling them how the employer will use their data. The ICO also notes other ways employers could provide this information, for example in a data protection policy or as a notice on a staff notice board. This is a critical point for data protection compliance.
Keep Health Data Secure
Under the UK GDPR, there is a legal obligation to keep personal data secure. Because health data is ‘special category’ data, it is particularly sensitive, so the security measures you apply when processing it must be correspondingly strong. The ICO notes that organisations could keep health data in separate databases or apply separate access controls to it (e.g. restricting access to health data to a small, defined group). Employers must also remember the UK GDPR requirement of ‘data protection by design and by default’ (often referred to as privacy by design) and make sure that the protection of personal data is built into their systems from the outset, rather than bolted on later. The ICO recommends that managers should only access health data where it’s necessary for their management responsibilities. In practice, a policy setting out who may access health data, for what purpose, and how that access is reviewed will be beneficial for most employers.
Limit How Much Health Data You Process And Only Keep It For As Long As You Need It
You should think extremely carefully about how much health data you really need to collect for your purposes. Data minimisation is a key principle under the UK GDPR. You must ensure that you don’t collect more health data than is strictly needed by your organisation. The ICO advises that employers collect as little health information about as few workers as possible. How much information is needed will depend on what’s necessary for particular job roles. Further, health information must not be kept for longer than necessary. Employers have to justify how long health information is kept – you must record the retention periods in your data retention schedule and actually delete the data when those periods expire.
Consider The Need For A Data Protection Impact Assessment
A data protection impact assessment (DPIA) is a risk assessment under data protection law. It aims to help organisations identify risks to individuals arising from the processing of their personal data and to minimise them. A DPIA is mandatory where the processing is likely to result in a ‘high risk’ to individuals. The ICO advises that organisations should carry out a DPIA in any event, given the sensitive and potentially intrusive nature of processing health information. It also notes that a DPIA may be mandatory when processing health information, depending on what the employer wants to do with it. For example, you’re likely to need a DPIA where your processing of health data is likely to result in a high risk to your staff (e.g. if you are carrying out health testing or monitoring).
Remember You Need Both A Lawful Ground And Special Category Condition For Processing
Where processing health data, organisations need:
- A lawful basis to process health information under Article 6 of the UK GDPR; and
- A special category condition to process health information under Article 9 of the UK GDPR and, where the Article 9 condition relied on requires it (as the employment condition does), an associated condition in Schedule 1 of the Data Protection Act 2018.
In short, employers need to consider, justify, and document which legal grounds they are relying on to use health data. This is a complicated point and employers should take legal advice on this if they are unsure which grounds apply to their processing activities.
There are problems with relying upon ‘consent’ in an employment context: because of the imbalance in bargaining power between employer and worker, consent is unlikely to be freely given, and it can be withdrawn at any time, so employers will usually need to rely on another lawful basis and special category condition.
When relying on a Schedule 1 condition that requires one (the employment condition does), an employer must also have an appropriate policy document in place. An appropriate policy document is a document which explains the employer’s procedures for complying with the data protection principles in connection with the processing of such data and its policies on retention and erasure; it must be kept under review and made available to the ICO on request.
These are complex points, so please contact us if you would like advice on them.
As well as information which will apply to most employers, the ICO’s guidance also includes practical guidance on other relevant and certain niche areas such as:
- Sharing worker’s health information.
- Occupational health services.
- Genetic testing and health monitoring.
- Handling sickness and injury records.
- Medical examinations and testing.
If these topics apply to your organisation, you should carefully review the relevant guidance and make sure you follow it. Some of this guidance will be particularly relevant after the Covid-19 pandemic, during which employee health testing became more common.
Next Steps For Employers
It is vital that employers review and understand the ICO’s guidance. In particular, employers may find new guidance on niche issues (e.g. about genetic testing and health monitoring) particularly useful.
Now is a good time for employers to review their policies and procedures around collecting health information and ensure they are complying with the rules set out in the new guidance. Compliance with the UK GDPR is not a tick box exercise. There is an obligation to continuously review how you are using personal data and make sure your policies and procedures are updated in line with any changes in your data practices.
If you would like advice on the collection of health data or UK GDPR compliance for employers, please contact our data protection law team.