The ICO has published detailed guidance on the obligations of employers who are processing their workers' health data. This follows a consultation with employers and other interested parties on the draft guidance.

Health data is categorised as special category personal data and is granted enhanced protection under the UK GDPR.

The first part of the guidance explains how the UK GDPR and Data Protection Act 2018 (DPA 2018) applies to the employer. It addresses some tricky areas including:

  • The stricter statutory requirements that apply to processing special category data.
  • The requirements for providing employees with information about the employer's processing of their data.
  • How to carry out a data protection impact assessment before processing health data.
  • Data minimisation and security.

The second part of the guidance considers the application of data protection law to matters such as managing sick absence records and occupational health schemes, conducting drugs and alcohol testing, and the sharing of employee health data. It sets out the relevant legal requirements alongside good practice standards and a set of checklists for various kinds of health data processing.

The guidance forms part ofICO25, the ICO's strategic plan for enabling organisations to use personal data responsibly and confidently.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.