What happened

In 2021, the ICO confirmed that it would review the Employment Practices Data Protection Code to reflect legal changes and technological developments since it was issued. Updated guidance would be online and topic-specific. 

Draft guidance on processing workers’ health information is now available, which is open for consultation until 26 January 2023. This is the second piece of topic-specific guidance issued by the ICO, following draft guidance on employee monitoring published earlier in October 2022.

The draft guidance

The guidance's core message is that health information is some of the most sensitive personal information that an employer will process about its workers. Although workers can reasonably be expected to share health data with their employer, to allow employers to manage sickness absence, make occupational health referrals, ensure that employees are receiving sick pay and other entitlements and enforce internal rules and standards, the amount of data shared should be proportionate. A “one size fits all” approach to collecting and processing health-related data is unlikely to be appropriate.

Some key points from the guidance include:

• The importance of thinking carefully about how much health information an employer needs to collect. This is likely to vary between job roles, with it being legitimate to collect more detailed health information from those working in hazardous environments or whose roles require a high level of physical fitness. If an employer is commissioning a medical report on a worker, it will not always be necessary for the report to provide details of the worker’s condition. It may be sufficient for an employer to know whether the worker is fit to return to work or whether adjustments are needed.
• The fact that high levels of security should apply to health data, which may mean that it needs to be kept separate from general employee records. Employers should adopt a “need to know” policy to ensure that information about a worker’s health conditions is only accessible to health professionals and other individuals who need access to that information to meet their own obligations, such as a duty to protect the worker or others.
• A distinction is drawn between absence records that do not contain information about a worker’s health conditions and sickness records that do. As far as possible the guidance recommends the use of absence records instead of sickness records, as this is less intrusive to a worker’s privacy. However, the guidance recognises that employers may need to process sickness records to meet health and safety obligations, comply with duties to make reasonable adjustments for individuals with disabilities or ensure that employees are not unfairly dismissed for capability reasons.
• Recognition that it would normally be good practice to carry out a data protection impact assessment (DPIA) before processing health related information. In some cases this will be a requirement. A DPIA is likely to be particularly important if an employer is conducting medical testing.

Medical testing

The section of the guidance dealing with medical testing is likely to be of particular interest, although to a large extent it confirms the established position.

• It may be possible to test workers, including for drugs and alcohol, in compliance with data protection requirements, but only if testing is necessary and justified. Testing is more likely to be justified as a response to an incident involving a worker’s conduct than on a random basis. If employers carry out testing as part of a recruitment exercise, it should be limited to candidates an employer intends to appoint.
• Testing may be justified if it is designed to prevent a significant risk to health and safety or check a worker’s fitness for work. Less intrusive ways of meeting an employer’s objectives, such as computer tests designed to measure coordination and response times, should normally be used in preference to invasive medical procedures in the first instance. 
• Random drug or alcohol testing should usually be limited to workers performing safety critical roles. Even where a business is in a safety-critical sector, random testing should be restricted to those whose jobs pose a safety risk. Random testing of all workers “will rarely be justified”. To comply with transparency requirements, employers must tell workers what drugs or alcohol testing may take place, what drugs it will test for, the alcohol level that may give rise to disciplinary action and the possible consequences of a breach of a drug and alcohol policy.