Information about employees’ health – what obligations should employers be aware of?
The ICO (Information Commissioner’s Office) has published guidance for employers to help them to understand their obligations when handling information about their employees’ health.
Employers may process information about their employees’ health including sickness absence records, Occupational Health reports, and health questionnaires. Information relating to employees’ health is ‘special category data’ under data protection legislation. This means that there are additional obligations on employers when processing that information.
The guidance – handling information about employees’ health
The guidance is in two main parts. The first section provides an overview of how data protection obligations apply to the processing of employees’ health information. This includes, for example:
- How employers can lawfully process employee health information
- What lawful basis might apply for the processing of that information
- Whether employers can rely on employee consent
- What information should be given to employees about the processing of their information
- How to keep the information up to date and secure
- Carrying out data protection impact assessments.
The second section provides guidance on some common scenarios where employers may process employee health information. This includes, for example:
- Handling sickness and injury records
- Using Occupational Health schemes
- Medical examinations and drugs and alcohol testing
- Genetic testing
- Health monitoring
- Sharing employee health data.
The guidance includes examples and checklists, with links to further reading.
As the guidance notes, ‘gathering information about your workers’ health is intrusive and in some cases it may be highly intrusive, depending on the sensitivity of the information.’ Employers should ensure that they are aware of their obligations when processing information about employees’ health. That includes ensuring that they have a lawful basis for the processing and complying with the conditions for the processing under data protection legislation.
The ICO has recently also published guidance for employers on responding to data subject access requests. Our separate post on that guidance can be found here.
21 September 2023
If you would like to receive monthly employment law updates and news of our events, sign up for our email alerts.
©2023 SCRASE LAW LTD. THIS POST IS FOR GENERAL INFORMATION ONLY AND IS NOT ADVICE. YOU ARE RECOMMENDED TO SEEK PROFESSIONAL ADVICE BEFORE TAKING ANY ACTION ON THE BASIS OF THIS POST