The ICO has released an extensive guide clarifying employers' responsibilities regarding the processing of their employees' health data. This guidance comes as a result of the ICO's analysis of feedback received during a consultation on an earlier version of the document. Health data, considered a special category of personal data, enjoys heightened protection under the UK GDPR.
Health information is among the most delicate forms of personal data concerning an organisation's employees. Whenever handling information related to workers' health, employers must adhere to the UK GDPR and the Data Protection Act 2018 (DPA 2018). Employers will likely encounter various situations that require the processing of an employee's health information.
To process health information lawfully, employers must first identify a lawful basis under Article 6 of the UK GDPR (lawfulness of processing). Because health data is special category data, specific rules govern its use, and processing it requires meeting additional criteria. This means identifying not only a lawful basis but also a special category condition under Article 9 of the UK GDPR (conditions for processing).
The ICO guidance accordingly delves into the application of UK GDPR and the DPA 2018 for employers. It provides essential insights into adhering to the stricter legal requirements when handling special category data, ensuring employees are informed about data processing, conducting data protection impact assessments, and maintaining data minimisation and security.
It also focuses on the practical aspects of data protection in specific workplace scenarios, including managing sick leave records, occupational health programs, drug and alcohol testing, and sharing employee health data. The ICO outlines both legal obligations and recommended best practices for each area of employment practice. Additionally, the guide offers a set of practical checklists to help employers quickly navigate their data protection considerations when dealing with workers' health information.
This guidance aligns with ICO25, the ICO's strategic plan, which aims to empower organisations to responsibly utilise personal data, foster innovation, and enhance public trust in data sharing and technology adoption, with a view to ultimately contributing to the growth of the UK economy.
The ICO guidance can be accessed here.