Handling workers' health information: a picture of health | Practical Law

The Information Commissioner's Office published new guidance on 23 August 2023 to assist employers in understanding their obligations when handling any information about the health of their workers. The guidance explains the lawful basis on which an employer can collect and use this information, and the conditions which apply to the processing of this information.

Practical Law UK Articles w-040-7994 (Approx. 5 pages)

by Khurram Shamsee, DAC Beachcroft LLP
Published on 28 Sep 2023 | United Kingdom
On 23 August 2023, the Information Commissioner’s Office (ICO) published new guidance to assist employers in understanding their obligations when handling any information about the health of their workers (the guidance).
The guidance is wide ranging and explains the lawful basis on which an employer can collect and use the health information of their employees and any other individuals performing work or services on their behalf, such as hourly paid workers and independent contractors, and the conditions that apply to the processing of this information. The guidance also addresses some of the trickier areas for employers, including drugs and alcohol testing, genetic testing and ongoing health monitoring.

Status of the guidance

The guidance replaces Part 4 of the Employment Practices Code, which was published in 2011, and represents the ICO’s up-to-date view on the compliance requirements and best practice when handling health information under the retained EU law version of the General Data Protection Regulation (679/2016/EU) (GDPR) and the Data Protection Act 2018 (see feature articles “Employee monitoring: the value of being prepared” and “GDPR one year on: taking stock”). The guidance distinguishes between the steps that are legally required, the steps that reflect the ICO’s expectations and the steps that are mere guidance on how to comply, and where compliance could be achieved through other measures. In the event of a complaint relating to the processing of health information, the ICO will now have regard to whether the employer has followed the guidance.

Basic requirements

The guidance recognises that there is a wide range of reasons for an employer to process health information relating to its workers, in particular, in connection with managing sickness absence, complying with obligations owed to disabled workers and ensuring the health, safety and wellbeing of its workers (see feature article “Long-term sickness absence: managing the challenges”). It considers how this processing can meet the conditions set out in the GDPR.
The “special category data” status of health information is underlined throughout the guidance. There is significant emphasis on limiting the collection of this information, treating this information as confidential and deleting it promptly. It is clear that the ICO expects employers to give careful attention to their processing of health information given the intrusive nature of this information and workers’ legitimate expectations of privacy.
Notably, the guidance distinguishes between:
  • Sickness records, which include details of the medical condition.
  • Injury records, which contain details of the injury.
  • Absence records, which simply record the fact of absence and its duration.
This suggests that employers should consider using absence records where possible, and maintain sickness and injury records separately.

Occupational health referrals

The guidance contains a useful section on employers’ use of occupational health providers that specialise in giving employers advice on fitness to work and potential modifications to the working arrangements in line with an employee’s individual medical condition. Workers should be given clear information about the purposes of the occupational health referral and how the information received in response will be shared and used by the employer. In sensitive cases, the worker may request that the occupational health report is shared only with HR and their immediate line manager.
To the extent that it is necessary to ask the worker to provide access to their medical records for the purposes of the referral, the request should be targeted to the condition in question and blanket requests for all records must be avoided. The guidance only makes a brief reference to the employer entering into a data-sharing agreement with the provider. Therefore, employers would be well advised to have a comprehensive agreement in place that identifies whether the provider is a data controller in its own right, sets out the responsibilities of each party and addresses practical issues such as responding to data subject access requests.

Drugs and alcohol testing

The guidance acknowledges that there may be circumstances in which an employer can ask a worker to undergo a medical examination, or a drugs and alcohol test, but this should only follow a careful assessment of the purpose of the test, the consequences of a particular result and any less intrusive measures to achieve the same objective. Commonly, these factors will be considered as part of a data protection impact assessment (DPIA). In particular, drug and alcohol testing should be restricted to ensuring health and safety at work, rather than to reveal the use of substances in an individual’s private life.

Genetic testing

Genetic testing is referenced in the context of its potential use in informing employers of the likely future general health of workers or workers’ genetic susceptibility to occupational diseases. However, the guidance highlights that genetic testing is still under development and notes that its predictive value is uncertain to say the least. Against this background, the ICO gives a clear steer that genetic testing of workers will rarely, if ever, be justified.

Health monitoring

The guidance covers the ongoing monitoring of workers’ health, noting the development of health-tracking technologies in the form of apps and wearables, and suggesting that this monitoring has increased as a result of the COVID-19 pandemic (see feature article “Homeworking in the wake of COVID-19: issues for employers”). The guidance distinguishes between the limited cases where this monitoring takes place for health and safety purposes, in which case the employer should complete a DPIA to balance the benefits against the impact on workers’ privacy, and monitoring as part of employers’ wellbeing initiatives, in which case participation should be entirely voluntary and the employer can rely on consent.
Overall, the guidance is a welcome tool for employers that are seeking to understand how they can lawfully handle their workers’ health information.
Khurram Shamsee is a partner, and Head of London Employment, at DAC Beachcroft LLP.