


4.1.1 There are risks that the Act will be breached if, for example, line managers institute testing of their workers without authority and without taking into account the provisions of this Code. Anyone authorising testing should have received the necessary training. Business practices should be designed to ensure that testing or other collection of health information does not take place without careful consideration of the requirements of the Act and the recommendations in the Code.
Managers and human resources staff are not generally qualified to interpret medical details. Medical diagnosis and the interpretation of the effect of particular medical conditions on a worker should be left to doctors, nurses or other appropriate health professionals. For this reason those who are not health professionals are unlikely to need access to the details of medical conditions as opposed to information on the impact of those conditions on a worker’s ability to work.
4.1.2 Other circumstances in which a sensitive data condition may be satisfied include where the collection of health information is necessary to defend a tribunal claim or for other legal proceedings.
4.1.3 No further guidance on this recommendation.
4.1.4 The level of security applied to personal data must be ‘appropriate’ to the nature of the data to be protected and the harm that might result from misuse or loss. Given that health information is ‘sensitive data’, the ‘appropriate’ level of security is a high one. Unless a particularly high level of security is applied to all employment records it is likely that health information will need to be singled out for special treatment. Depending on the nature of the organisation, it may be possible to keep information about workers’ health on a separate database or subject to separate access controls. In other cases it may be possible to separate health information from the other contents of a worker’s personnel file by putting it in a sealed envelope.
The principle of ‘need to know’ access should be applied strictly. As far as practicable, access to information on medical conditions should be confined to health professionals, such as doctors and nurses. Managers should only have access to information that is necessary for them to undertake their management responsibilities. Very often this can be limited to information about a worker’s current or likely future fitness to work. In some cases it may be necessary for managers to know more about a worker’s state of health in order to protect that worker or others. If it is necessary for others to have access they should be subject to contractual conditions of confidentiality equivalent to those imposed on a health professional by their professional standards.
Safety representatives have a legal right of access to information that they need to fulfil their functions. However the employer should not provide information identifying an individual worker unless that worker has consented to this. The law does not prevent an employer from providing anonymised information to a safety representative. Where the disclosure of identifiable information is required by law (such as might be the case under the Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995), the Data Protection Act 1998 does not prevent the disclosure taking place.
Where an employer offers a private medical insurance scheme, only in exceptional circumstances should it be necessary for the employer to have access to medical information about a particular worker or about family members and others included in the cover. In general medical information should be kept in confidence by the hospital or clinic responsible for providing the healthcare. It should normally be sufficient for the employer to be provided with information about the financial and other administrative aspects of the scheme.
See Part 2 – Employment Records for more information on security requirements.
See Part 2 – Employment Records for more information on insurance schemes.
4.1.5 Health questionnaires should be designed to ensure they only elicit information that is relevant and necessary. This implies they should be designed by health professionals. It also implies that they should be interpreted by those who are qualified to draw meaningful conclusions from the information supplied. Questionnaires need to be checked to ensure they do not lead to discrimination in contravention of the Disability Discrimination Act 1995.
If it is necessary to commission a medical report on a sick worker, for example to assess his or her suitability for continued employment, only relevant information should be sought. This means that the author of a medical report should not be asked to provide medical details of the worker’s condition. Instead the report’s author should be asked to provide an assessment, for example, of whether or not that worker is fit to return to employment, whether he or she should be redeployed, or whether adjustments need to be made to the workplace to accommodate his or her disability.
The Access to Medical Reports Act 1988 applies when an employer seeks a report from a worker’s general practitioner or any other medical practitioner who is or who has been responsible for the clinical care of the worker. In summary, the obligations on the employer are to:
Workers should not normally be asked to consent to the disclosure of their entire general practitioner records or other comprehensive care and treatment records such as those held by a hospital. Although on occasions an occupational health physician may need access to the full record, such records contain more information than the employer is ever likely to need. Where it is necessary to seek information the general practitioner should be asked specific relevant questions to elicit the information needed by the employer.
4.2.1 Information could be provided to workers who are part of the scheme by giving them clear written information about what health information will be collected, who will have access to it and in what circumstances. It is particularly important to ensure that workers are aware of the circumstances, if any, in which their line managers will have access to the information that they supply to a health professional. This should be kept to a minimum.
Employers offering an occupational health scheme should consider carefully what information they need to have access to in order to administer the scheme. In most cases only statistical or anonymised information is needed to administer the scheme.
Medical details about individual workers should only be made available to managers in so far as it is necessary to enable them to discharge their management responsibilities. As far as possible an occupational health advisor should hold the medical information about a worker, only telling the worker’s manager the results of the health assessment, for example whether or not there’s a legitimate reason for a worker’s absence from work. It is difficult to see how the disclosure to an employer of information about the health of a worker’s family members can be justified.
It should be remembered that the disclosure of medical information given by a worker to an occupational health doctor, nurse or other health professional is restricted not just by the Data Protection Act but also by a duty of confidence. Other than in exceptional circumstances consent will be needed for the release of such information to non-medical personnel. It is advisable that such consent is given in writing.
4.2.2 It is important that any monitoring of e-mails, telephone calls, internet usage or similar activities by an employer is designed not to compromise any confidential communications between workers and health professionals or non-clinical counselling staff. If, as part of a general monitoring programme, a confidential conversation or other communication is unintentionally picked up, information relating to that conversation or communication should be deleted at the earliest opportunity and no record should be kept of it.
See Part 3 – Monitoring at Work for more information about monitoring electronic communications.
4.2.3 Understanding and acting in a way that is consistent with the principles set out in the Guidance on Ethics for Occupational Physicians will assist compliance with the Data Protection Act 1998. The Guidance is published by the Faculty of Occupational Medicine – 5th Edition – May 1999 ISBN 1-86016-112-X.
4.3.1 If the obtaining of information through medical testing is to be justified on the basis that it is necessary to enforce the organisation’s rules and standards, these rules and standards must be known and understood by workers. In some cases the standards may be obvious, for example that it is unacceptable to use illegal drugs in the workplace, but in others they may not. Rules and standards, for example in relation to acceptable levels of alcohol use, should be specific and be set out in a policy that is made known to and accessible by all workers affected. Such a policy may address only drug and alcohol use or may be drawn more widely. Either in this policy or separately, the employer should go on to set out the circumstances in which medical testing may take place, the nature of the testing, how information obtained through testing will be used, and the safeguards that are in place for workers who are subject to it.
Workers employed on overseas contracts may be expected to undergo a degree of medical examination and testing that is substantially more intrusive than that carried out on workers in the UK. For example, workers contracted to work in certain countries may be exposed to particular risks or there may be a legal requirement for testing in the country concerned. In such cases employers should make workers aware of any examination or testing that they will be expected to undergo at an early stage.
4.3.2 Medical examination and testing is intrusive. It should only be used to obtain information where necessary. Employers should not subject all applicants for a job or even all those short-listed to examination or testing. Ideally only where there is an intention to appoint, subject to satisfactory examination or test results, should such examination or testing be undertaken. It is though recognised that practical considerations may dictate that medical examination or testing is undertaken in parallel with other pre-employment checks, e.g. the obtaining of a ‘disclosure’ from the Criminal Records Bureau.
4.3.3 An example of “other legal obligations” is the obligation on an employer under the Control of Asbestos at Work Regulations 2002 to keep workers who are exposed to asbestos under adequate medical surveillance.
4.3.4 When obtaining information through the testing of workers, employers must be clear about what substances or conditions the testing is designed to detect and about why the testing is being carried out. An impact assessment should be carried out to determine whether testing is a proportionate response to a particular problem. Testing should be designed to only reveal information relevant to the purpose for which the test is being undertaken. Those being subjected to the test should be made aware of this. If an employer intends to carry out a test on an existing sample that the worker has not been told about and has not consented to, the employer must tell the worker about the intention to carry out additional testing and must obtain the worker’s freely given consent for this. It would be unfair to the worker, for example, to test a blood sample for the presence of alcohol when the worker has only been told the sample would be tested to check for the presence of a particular chemical to which the worker might have been exposed. It would also be unfair to obtain information by performing a drug test on a sample of a worker’s hair without the worker’s knowledge.
4.3.5 Information that is obtained in the course of a medical examination or test that does not have a significant bearing on the purpose for which the testing is conducted should be permanently deleted. For example, information obtained during drug testing that happens to indicate that a worker is pregnant should be neither recorded nor used; tests should be designed, as far as possible, not to detect this in the first place.
4.4.1 Take particular care when carrying out an assessment of whether the obtaining of information through drug testing is justified on health and safety grounds. Bear in mind that:-
4.4.2 This can be done by limiting the number of substances being tested for, or by using tests that only detect recent exposure to the substances being tested for. A variety of techniques for carrying out alcohol and drug testing are available to employers. They vary in intrusiveness, depending on the range of substances that can be detected and the time scales involved. For example, some tests are only designed to detect the use of a particular drug within, for example, the previous eight hour period, whilst others are designed to detect the use of a wide range of substances over a much longer period. Employers intending to carry out testing should use the least intrusive methods practicable to deliver the benefits to the business that the testing is intended to bring.
Note that there are tests (assisted performance tests) and equipment that can be used to measure hand-eye coordination and response time. These do not involve any invasive medical procedures and are more justifiable for first instance tests.
Assisted performance tests may be more reliable for the employer in providing evidence of impairment and less intrusive for the worker.
4.4.3 No further guidance on this recommendation.
4.4.4 Even in safety-critical businesses such as public transport or heavy industry, workers will pose a different safety risk through their use of alcohol or drugs depending on the type of work that they carry out. For example, a train driver or signal engineer whose actions are impaired through exposure to alcohol or drugs would generally pose a significantly greater safety risk than would a ticket inspector or rail enquiries clerk. This difference in risk should be reflected in carrying out an impact assessment. Information about ticket inspectors or rail enquiries clerks should not be obtained through testing simply on the basis that ‘fairness’ somehow requires that if drivers or signal engineers are tested, they should be tested as well.
4.4.5 No further guidance on this recommendation.
4.4.6 In some contexts attempts have been made to obtain information by collecting urine or other samples covertly, or by testing existing samples in a manner that workers have not been told about. This is deceptive and misleading to workers, and in so far as such practices involve the processing of personal data, they are likely to lead to a breach of the Data Protection Act. Although covert medical testing may be carried out in exceptional circumstances, it is hard to envisage these arising without the police being involved.
4.4.7 The reliable interpretation of test results can require a high level of technical expertise. In order to satisfy their legal duty to ensure results are adequate for the purpose(s) for which the testing was carried out, employers may need to seek appropriate technical advice and use an approved laboratory to analyse samples, such as one operating to the UK Laboratory Guidelines for Legally Defensible Workplace Drug Testing. It is not though necessary to employ health professionals to undertake tests for alcohol using breath analysis equipment.
Although simple kits that can be used to test for various substances are available over-the-counter, employers should not assume that the tests are infallible and should be able to deal adequately with disputes arising from their use. Some test kits may fail to differentiate between an illegal drug and a legitimate pharmaceutical, or between a pharmaceutical that causes impairment and one that does not.
In order to meet the data protection requirements of adequacy and accuracy in the processing of personal data, for example by ensuring a secure chain of custody for samples, it may be necessary for employers to use a professional service with qualified staff to carry out the testing and interpret its results.
Note: Most of this supplementary guidance is extracted from an opinion on Ethical Aspects of Genetic Testing in the Workplace by the European Group on Ethics in Science and New Technology, July 2003.
4.5.1 Although there are many diseases with a recognized genetic component resulting from a defect in a single gene (monogenic diseases), as a general rule the incidence of such diseases is low. Monogenic diseases include cystic fibrosis, sickle cell anaemia, Huntington’s Disease and haemophilia.
In contrast to the above examples of diseases resulting from defects in a single gene, other human diseases with a genetic component are thought to result from interactions between several genes (polygenic diseases). The incidence of some polygenic diseases is very high. In most of these cases the genetic basis is incompletely understood and is complicated by influences of environment, diet and lifestyle. Examples of such polygenic diseases are heart disease, several cancers and some allergies.
Even for monogenic diseases, predictive value of genetic testing may be limited. There is always a possibility that the disease in question might not manifest itself during the working life of the individual and it is not always possible to predict the severity of the future disease.
The situation is even more complex where diseases with a polygenic basis are concerned. At the present time it is virtually impossible accurately to predict, using genetic tests, either whether the disease will develop at all or, if it does, its timing and severity. Even if the genetic basis of such diseases becomes fully understood, environmental and lifestyle factors, which may themselves be unpredictable, will limit the predictability of disease development.
4.5.2 No further guidance on this recommendation.
4.5.3 Genetic screening for susceptibility to workplace environmental hazards clearly has some precautionary relevance but in many cases the link between a particular genetic status and susceptibility to a particular hazard has only a theoretical basis at present. The Human Genetics Commission is the statutory body responsible for monitoring and advising on issues to do with genetics.
4.5.4 At the present time, very few genetic tests are available that give information to either an employer or a worker which could validly be used in the context of decisions concerning employment. It is likely that this situation may change in the future although it is difficult to predict the pace of such change. Validity of a genetic test would require demonstration of:
1. its relevance to health protection of workers
2. the reliability and reproducibility of the test and
3. the level of predictive value for the test.
In such a sensitive area, it is obviously extremely important that procedures for genetic testing are as reliable as possible, as provision of incorrect information to an employer or a worker could have far reaching consequences. All stages of a scientifically satisfactory testing procedure should have built in negative and positive controls to ensure the reliability of the test result. Good laboratory practice should be observed at all times, including detailed documentation of procedures and results. Even when testing procedures are optimised, false negatives and false positives will emerge and validation procedures for the tests may be required.