About Part 4 of the Code
Data protection and information about workers’ health
The Data Protection Act’s sensitive data rules come into play whenever
an employer wishes to process information about workers’ health.
These rules do not prevent the processing of such information but limit the
circumstances in which it can take place. The processing must also be
consistent with the other requirements of the Act. Employers, especially in
the public sector, need to bear in mind Article 8 of the European Convention
on Human Rights, which creates a right to respect for private and family life.
What does this part of the Code cover?
This part of the Code addresses the collection and subsequent use of information about a worker’s
physical or mental health or condition. Collection will often be done by some form of medical
examination or test, but may involve other means such as health questionnaires.
The issues addressed in this part of the Code will arise typically from the carrying out of medical
examination and testing or from the operation of an occupational health scheme. This part of the Code
is therefore most likely to be of relevance to larger organisations and those with specific health and
safety obligations.
Examples of information about workers’ health
This part of the Code applies to information such as:
- a questionnaire completed by workers to detect problems with their health
- information about a worker’s disabilities or special needs
- the results of an eye-test taken by a worker using display screens
- records of blood tests carried out to ensure a worker has not been exposed to hazardous substances
- the results of a test carried out to check a worker’s exposure to alcohol or drugs
- the results of genetic tests carried out on workers
- an assessment of fitness for work to determine entitlement to benefits or suitability for continued
employment
- records of vaccination and immunisation status and history.
Outside the Code
The Data Protection Act only comes into play when personal information is or will be held electronically
or recorded in a structured filing system. This will often be the case but sometimes it may not, for
example where a line-manager enquires about a worker’s health but does not keep, or intend to keep,
any record of the conversation, or only keeps a note in a general notebook.
Where samples are taken, as might be the case with drug or alcohol testing, the Code only applies
from the point at which samples yield personal information about a worker. This Code does not
address consent for any physical intervention involved in taking a sample from a worker in the course
of medical testing.
Sensitive data rules
Where information about workers’ health is to be processed, one of the Act’s sensitive data conditions
must be satisfied. There are various conditions. Below we have listed the ones likely to be of most
relevance to employers. Employers holding information about workers’ health ought to be able to answer
‘yes’ to one or more of these questions:
- Is the processing necessary to enable the employer to meet its legal obligations, for example to
ensure health and safety at work, or to comply with the requirement not to discriminate against
workers on the grounds of sex, age, race or disability?
- Is the processing for medical purposes, e.g. the provision of care or treatment, and undertaken by
a health professional or someone working under an equivalent duty of confidentiality, e.g. an
occupational health doctor?
- Is the processing in connection with actual or prospective legal proceedings?
- Has the worker given consent explicitly to the processing of his or her medical information?
This is not an exhaustive list of all the conditions.
See Supplementary Guidance for more information on these and other sensitive data
conditions.
Relying on the worker’s consent
There are limitations as to how far consent can be relied on as a basis for the processing of information
about workers’ health. To be valid, consent must be:
- explicit. This means the worker must have been told clearly what personal data are involved and
have been properly informed about the use that will be made of them. The worker must have given a
positive indication of agreement, e.g. a signature.
- freely given. This means the worker must have a real choice whether or not to consent and there
must be no penalty imposed for refusing to give consent.
See Supplementary Guidance for further explanation of what this means in practice.
Impact assessments
Once a sensitive data condition is satisfied, an employer then needs to be clear that either:
- it is under a legal duty to process information about workers’ health, e.g. the duty to monitor workers’
possible exposure to hazardous materials under the Control of Substances Hazardous to Health
Regulations 2002, or
- the benefits gained from processing information about workers’ health justify the privacy intrusion or
any other adverse impact on them. In other words, the collection and use of information about
workers’ health must be a proportionate response to a particular problem.
An ‘impact assessment’ is a useful tool for employers to use to help them to judge whether the second
of the above options applies.
Particularly where medical testing is involved, employers are likely to find it helpful to carry out a formal
or informal ‘impact assessment’ to decide how or whether to collect information about workers’ health.
This Code does not prejudge the outcome of the impact assessment. Each will necessarily depend
on the particular circumstances of the employer. Nor does the Code attempt to set out for employers
the benefits they might gain from holding information about workers’ health. What it does do is
assist employers in identifying and giving appropriate weight to the other factors they should take
into account.
An impact assessment involves:
- identifying clearly the purpose(s) for which health information is to be collected and held and the
benefits this is likely to deliver
- identifying any likely adverse impact of collecting and holding the information
- considering alternatives to collecting and holding such information
- taking into account the obligations that arise from collecting and holding health information
- judging whether collecting and holding health information is justified.
Purpose(s)
It is important that a realistic assessment is made of the
extent to which the collection of health information will
actually address the risks it is directed at. Decisions
based on, for example, the effect of particular medical
conditions on a worker’s future employability or the
effect of particular drugs on safety should be based on
relevant and reputable scientific evidence.
Adverse impact
Identifying any likely adverse impact means taking into account the consequences of collecting and
holding health information, not only for workers, but also for others who might be affected by it, such as
a worker’s family. Consider:
- how extensive will the intrusion into the private lives of workers and others be as a result of
collecting information about their health?
- whether health information will be seen by those who do not have a business need to know, e.g. IT
workers involved in maintaining electronic files about workers
- what impact, if any, will the collection of health information have on the relationship of mutual trust
and confidence that should exist between workers and their employer?
- whether the collection of health information will be oppressive or demeaning.
Alternatives
Considering whether it is necessary to collect information about workers’ health, and if so how to do this
in the least intrusive manner, means asking questions such as:
- can health questionnaires rather than tests be used to obtain the information the employer requires?
- can changes in the workplace, for example eliminating exposure to a hazardous substance, remove
the need to obtain information through testing?
- can medical testing be targeted at individuals who have exhibited behavioural problems that may be
drink or drug related, rather than at all workers?
- can the collection of health information be confined to areas of highest risk, e.g. can it be directed at a
few individuals the nature of whose jobs mean they pose a particular risk rather than at everyone?
- can medical testing be designed to reveal only a narrow range of information that is directly relevant
to the purpose for which it is undertaken?
- can access to health information be limited so that it will only be seen by medically qualified staff or
those working under specific confidentiality agreements?
Obligations
Taking into account the obligations that arise from collecting information about workers’ health means
considering such matters as:
- whether and how workers will be notified about the collection of their health information
- how information about workers’ health will be kept securely and handled in accordance with the Act.
See Part 2 – Employment Records for more information on security requirements.
- the implications of the rights that individuals have to obtain a copy of information that has been
collected about their health.
See Part 2 – Employment Records which explains more about rights to access.
Is health information justified?
Making a conscious decision as to whether the current or proposed collection and use of health
information is justified involves:
- establishing the benefits the collection and use of health information will bring
- considering any alternative method of obtaining these benefits and/or the information needed
- weighing these benefits against the adverse impact
- placing particular emphasis on the need to be fair to individual workers
- ensuring that the intrusion is no more than absolutely necessary
- bearing in mind that health information can be particularly sensitive, that its obtaining can be
particularly intrusive and that significant intrusion will not normally be justified unless the employer’s
business is at real risk of serious damage
- taking into account the results of consultation with trade unions or other representatives, if any, or
with workers themselves.
Making an impact assessment need not be a complicated or
onerous process. Even in the context of health information it may
sometimes be enough for an employer to make a simple mental
evaluation of the risks faced by his or her business and to assess
whether the collection and use of information about workers’ health
would reduce or eradicate those risks or would bring particular
benefits. In other cases the impact assessment will be more
complicated, for example where an employer faces a number of
different risks of varying degrees of seriousness. In such cases
appropriate documentation would be advisable.