The Information Commissioner's Office has published new guidance on handling employee health information. The ICO says it is designed to help employers understand how to comply with data protection regulations when collecting and processing employee health data. In their press release they say, ‘health information is some of the most sensitive personal information that employers handle about their workers – so it’s important to get it right.’ And, of course, they are right.
The guidance deals with six areas and offers practical advice in each area. Those areas are:
- handling sickness and injury records;
- occupational health schemes;
- medical examinations and testing, including for drugs and alcohol;
- genetic testing;
- health monitoring; and
- sharing workers' information.
In the employment context, as we all know, employers need to have a lawful basis for processing employees’ personal data and one of the most commonly relied upon grounds is consent. However, the snag with consent is that in many cases employees feel they have no choice but to agree to the collection of their health information, regardless of what paperwork they may or may not have signed to that effect. So where does that leave the employer? Harriet Dwyer is a data protection specialist and earlier she joined me by video-link to discuss the guidance generally, and on that issue of consent in particular:
Harriet Dwyer: “Yes, so quite often employers come to us where they're processing health information of employees and the automatic response is we need to rely on consent to be able to do this. What the guidance explains, helpfully, is that actually consent is quite tricky to rely on in an employment context because under the data protection legislation consent has to be freely given and unambiguous and employees also need to be able to withdraw consent as easily as they can give it. Now, in an employment context that's quite tricky because of the imbalance of power between the employer and the employee and so relying on consent is probably difficult because an employee might wish to withdraw it at a later stage, or it could be open to challenge. Say, for example, an employee has been absent from work due to being unwell, if they're going through an absence management process and are asked to consent to their sickness absence records being used the consequences of that on an employee could be quite serious, they could end up getting a warning, or could be disciplined for absence, so consent wouldn't be a lawful basis that could be relied on in those situations. That's not to say that consent can never be relied on but the guidance just makes clear how difficult relying on consent can be and, instead, helpfully, sets out some alternative lawful bases that can be relied on such as in accordance with an employment contract with the employee, or in compliance with a legal obligation or, perhaps, to pursue some legitimate interest of the business where those legitimate interests outweigh the rights and freedoms of the individual in a particular situation. As well as setting out the most common lawful bases that can be relied on in an employment context it also helpfully sets out some additional conditions that can be relied on and which need to be satisfied when processing health information given the fact that it's particularly sensitive personal data.”
Joe Glavina: “The guidance also deals with medical examinations and testing, including for drugs and alcohol. Again, that’s tricky.”
Harriet Dwyer: “That's exactly right. So, again, processing health information generally, I think, is quite a tricky area for employers but the guidance specifically deals with using occupational health providers, and health information in the context of drug and alcohol testing. So, to take using occupational health providers in the first instance, what the guidance emphasises, and reminds us about, is the fact that employers need to be transparent about processing health information. So, whether that be making employees aware in a privacy notice that their health information will be shared with an occupational health provider and, likewise, that information shared by the occupational health provider back to the employer is going to be shared, and who that's going to be shared with. In connection with that, the guidance also reminds us of the fact that we should be thinking carefully about who we are sharing that information with and limiting what we do share appropriately. So, for example, an occupational health report might detail the condition that an employee has, perhaps, been off work with, any reasonable adjustments that they recommend or whether, perhaps, the reason for an absence was legitimate or not. Who needs to know that information determines what information should be shared. So, if perhaps you've got a manager that's dealing with an absence management process all they need to be informed of is the fact that the absence was legitimate. Likewise, a manager who has day-to-day responsibility for managing a particular employee, they might just need to be informed of the recommendations set out by the occupational health provider, rather than be provided with a copy of the occupational health report in its entirety.
The guidance is also particularly helpful in that it comments on what employers should be thinking about where, perhaps, they monitor employee communications, so employee emails or phone calls, and where employees might use their work emails to speak to medical professionals. Obviously, there are additional considerations around confidentiality between an individual and their medical advisor so employers need to be mindful that they aren't inadvertently reviewing emails which are subject to monitoring in accordance with a monitoring policy, which might include health information. So they should inform employees that they should mark those types of emails as private so that emails such as those which refer to medical information aren't inadvertently seen by other people that aren't meant to see it.”
Joe Glavina: “Finally Harriet, you’re advising clients to review internal processes and policies. Is that right?”
Harriet Dwyer: “Yes, so one of the most important principles under the data protection legislation is accuracy. So, by that I mean that the personal data you process about employees is up to date and accurate so employers should be periodically reviewing what health information they keep about employees, who has access to that, and the policies and procedures relating to it. So, I think in light of the guidance now is a really good time, if employers haven't already, to review the health information that they have on record, who has access to it, and consider updating any policies as necessary in light of the guidance, and otherwise ensuring that their data is up to date.”
That guidance by the ICO is called ‘Information about workers’ health’ and was issued on 31 August. We have included a link to it in the transcript of this programme.