Information on worker’s health: draft Data Protection Code

UK Information Commissioner Richard Thomas last week launched a consultation on a draft of the fourth part of the Employment Practices Data Protection Code, entitled Information about worker's health. The draft Code provides guidance for employers on requesting, recording and storing information about the health of their employees.

The Code is based on the Data Protection Act of 1998. The 1998 Act places responsibilities on any organisation to process personal data that it holds in a fair and proper way. Failure to do so can amount to a criminal offence.

The general position is that employers are entitled to obtain, record and store information about an employee's health only if one of the Act's sensitive data conditions is met. These include, for example, when the information is required in order for the employer to comply with health and safety legislation. Employees are entitled to see any of this information held by an employer.

As for the Code itself, while it contains guidance and is not legally binding, it contains the benchmarks that the Commissioner will use when deciding whether or not to enforce the Act. Consequently, organisations should consider its contents very carefully.

In brief, the Code states:

In view of the intrusive nature of information relating to health, its collection must be justified by real benefits. An impact assessment may be necessary.

The information must be collected openly and with freely given consent. Covert collection will only be justified in very exceptional cases.

A sensitive data condition under the Act must be satisfied before collection.

Collect data in the least intrusive way possible possibly by a questionnaire instead of medical testing.

Keep the information very secure, and hold it only for as long as necessary.

The collection of and interpretation of information about health should be left to medical professionals.

The Code also highlights specific problems relating to drug and alcohol testing. In brief:

This is only likely to be permitted if it is justified by the sensitive data condition of health and safety.

The circumstances in which such testing can take place must be clearly laid out for employees, as should the criteria for test selection, material being tested for and the likely disciplinary results.

Only those workers who are likely to be at risk under health and safety grounds because they are using dangerous machinery for example should be tested. Suspected illicit use at home, that has no effect on job performance, is not a reason for testing.

Only professional, quality testing should be used, and a duplicate of any sample given to the employee to enable him to make his own tests if necessary.

The Information Commissioner wants comments on the draft, and the consultation will remain open until 27th February 2004. Supplementary Guidance Notes and a small leaflet offering Guidance for Small Businesses have also been published.

It is expected that a consolidated Code, containing this and three earlier parts of the Code relating to recruitment and selection, employment records and monitoring at work will be published towards the middle of next year.