Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

UK: ICO publishes guidance on employee health information processing - key insights for GDPR entities and US employers

Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, explores the recent guidance from the Information Commissioner's Office (ICO) on processing health information and discusses the key principles, such as data minimization, transparency, and security, with implications for both General Data Protection (GDPR) entities and US employers.

polesnoy / Essentials collection / istockphoto.com

General principles

  • If you want to collect and use information on your workers' health, you must be clear about why you are doing so. This is also a requirement under the California Privacy Rights Act (CPRA), which mandates an employee privacy notice.

  • You must also have justifiable reasons for collecting it. This is also a requirement under the CPRA, where data minimization and purpose specification and limitation are required.

  • You should handle health information in ways that workers would reasonably expect and not use it in ways that have unjustified adverse effects on them. Under the CPRA, the compatibility of purposes and disclosure must be judged based on what individuals would reasonably expect.
  • You can only use the health information for a new purpose if it is compatible with your original purpose; you get specific consent from the worker; or you have a clear obligation or function set out in law. This is also a requirement under the CPRA.
  • Remember to consider your obligations under employment law, health and safety law, and other legislation. This is also a requirement under the CPRA.
  • If you rely on consent, you must be able to demonstrate it is freely given. This means that a worker must be able to refuse without fear of a penalty being imposed. They must also be able to withdraw their consent at any time. For example, when participation is genuinely optional and there are no adverse consequences to those who do not want to take part. This is also a requirement under the CPRA.

Data minimization

  • You must not collect more health information than you need for your stated purpose. The information collected must be relevant and adequate to properly fulfill that purpose. This is also a requirement under the CPRA.
  • For example, rather than testing all your workers for a particular role that requires a certain level of fitness, you could, if appropriate to meet your business needs and the role's physical requirements, use a health questionnaire to select the people you are testing.
  • You must not collect health information purely on the possibility that you may find it useful in the future. However, you may hold information for a foreseeable event that might never occur if you can justify it. For example, an employer holds details of the blood groups of some of their workers who do hazardous construction work, but not of the entire workforce.

Transparency

  • You must let your workers know that information about their health is being collected, the reason for doing so, who will have access to it, and under what circumstances. This is also a requirement under the CPRA.
  • The notice must be specific, easily accessible, and easy to understand, using clear and plain language, as under the CPRA. Which method you use as the most effective way of giving private information to your workers depends on the nature of your organization and what fits best with your needs.
  • Options for providing this information include:
    • as part of your staff privacy notice on your organization's intranet;
    • as part of your general data protection policy;
    • as separate privacy information in a worker handbook;
    • using 'just in time' notices if using online workshops, platforms, or tools where you might collect health information or share it with others;
    • as a general notice on a staff notice board; or
    • by sending a letter or email to workers.
  • Where you are taking a specific action, for example, if a worker is undergoing a medical test, you must ensure, prior to the test, that the worker is fully aware of what, why, and how much information you are collecting.

Data retention

  • You must not keep personal information for longer than you need it.

  • When processing health information, you must record your retention schedules to comply with documentation requirements. It is good practice to have a retention policy, wherever possible. The Federal Trade Commission (FTC) has also guided on this matter.

  • You should also periodically review the health information you hold and erase or anonymize it when you no longer need it.
  • You also must carefully consider any challenges to your retention of worker health information. Workers have a right to erasure if you no longer need the information for the purposes for which you collected it, but always consider any legal requirements that may apply.

Accurate and up-to-date

  • You must take all reasonable steps to ensure your workers' health information is not incorrect or misleading in any matter of fact.
  • You must keep health information updated. It is probably worth asking the worker concerned to review and confirm any changes.
  • If you discover that the health information is incorrect or misleading, you must take reasonable steps to correct or erase it as soon as possible.
  • You must carefully consider any challenges by your workers to the accuracy of their health information.

Security

  • You must have appropriate security measures in place to protect your workers' health information. Failing to do so could result in a reportable data breach and the possibility of employees having a private right of action.
  • You must ensure the level of security you apply is appropriate to the nature of the information you are protecting and the potential harm that might result from misuse or loss. Given that health information is special category data, you must have a high level of security.
  • In compliance with California labor laws, consider keeping information about your workers' health on a separate database or system, or subject to separate access controls
  • You should also consider who has access to workers' health information. You should apply the 'need to know' principle.
  • When designing your systems, consider incorporating data protection by design and by default.

Automated decision-making

  • You must allow human intervention In the context of the CPRA draft regulations this will likely require an opt-out mechanism.

  • You must conduct a Data Protection Impact Assessment (DPIA). The CPRA draft regulations also require a DPIA.

Accountability

  • You must have appropriate measures and records in place to demonstrate your compliance with data protection obligations.

Occupational health scheme

  • You must set out to workers, preferably in writing form, how you intend to use the information they provide within the context of an occupational health scheme, who you might make it available to, and why.
  • It is particularly important to inform workers of the circumstances, if any when their line manager can access the information they provide to a health professional.
  • You must also be transparent about what data protection rights workers have around the use of their information and the reports that are produced.

Medical testing

  • You may also want to provide an optional occupational health and well-being program, which may include testing workers' health. However, this should only take place where workers have a free choice to participate.
  • You must clearly explain to workers how you might use their personal information and the potential consequences of participating in the program.
  • Employers should not by default submit all job applicants, or even those shortlisted candidates, to medical examination or testing. You should only obtain information through medical examination or testing of applicants at an appropriate point in the recruitment process. This is, in many cases, going to be where there is a likelihood of appointing them subject to satisfactory examination or test results.
  • Ensure that the testing or examination is a necessary and justified measure to:
    • determine whether the potential worker is fit or likely to remain fit to carry out the job in question;
    • meet any legal requirements for testing or examination; or
    • determine the terms on which a potential worker is eligible to join a pension or insurance scheme.
  • You must record your purpose for introducing the examination or testing, along with your lawful basis and special category condition for processing. You can do this as part of your DPIA.
  • You should make it clear early on in the recruitment process that people may need to undergo a medical examination or testing if you are likely to appoint them.
  • You should design the testing or examination to only reveal information relevant to your purpose for carrying it out. This is also a requirement under California law.
  • You should not use an existing sample, test result, or other information obtained through a medical examination or test for a purpose other than that for which it was originally collected. This is also a requirement under California law.
  • If you want to carry out a different test on an existing sample that you have not told the worker about and that they have not consented to, you must tell the worker about your intention to carry out additional testing. You must also obtain the worker's freely given consent for this different test. This is also a requirement under California law.
  • You must ensure that workers are fully aware when testing is taking place or where you require medical examinations, as part of your fairness and transparency obligations.
  • You should not conduct testing on samples collected without the worker's knowledge.  
  • You must permanently delete information obtained from medical examination or testing that is not relevant to your purpose(s).
  • If you do need to retain medical information obtained from examination and testing, such as for the operation of an occupational health service, you must keep it securely and confidentially in an appropriate storage system.

Drug and alcohol testing

  • Before obtaining any information from drug or alcohol testing, you should ensure the benefits justify any adverse impact on your workers unless the testing is required by law.
  • You should also consider the efficacy of the testing technique you wish to use to ensure the accuracy of the information you collect about your workers. You should do this via a DPIA.
  • Other than in the most safety-critical areas, regular drug testing is unlikely to be justified unless there is a reasonable suspicion of drug use that has an impact on safety.
  • Consider whether drug testing provides significantly better evidence of impairment that puts safety at risk compared to less intrusive alternatives, such as a test of cognitive ability (e.g., tests, computer programs, and equipment that you can use to measure hand-eye coordination and response time)
  • You must minimize the amount of personal information you obtain from testing for the presence of drugs and alcohol in your workers. You could do this by limiting the number of substances being tested for, or by using tests that only detect recent exposure to the substances being tested for.
  • You should instead limit the collection of information through random testing to those workers who are involved in safety-critical roles that you consider require testing.

Genetic testing

  • You should not use genetic testing to collect information that predicts a worker's future general health, as it can be excessively intrusive.
  • You should not insist that a worker discloses the results of a previous genetic test to you.
  • You should avoid using genetic testing to obtain information unless, as a last resort, it is:
    • clear that a worker with a particular detectable genetic condition is likely to pose a serious safety risk to others;
    • known that a specific working environment or practice might pose specific risks to workers with particular genetic variations; and
    • demonstrated as the only reasonable method to collect the required information.
  • You should carry out a DPIA for any processing of genetic data, other than that processed by an individual GP or health professional for the provision of health care directly to the worker.

Health monitoring

  • This might include workers using health and fitness tracking apps and wearables.
  • These technologies may also involve the use of automated decision-making or artificial intelligence (AI).
  • If you want to introduce health monitoring technologies, you must justify this as a proportionate and necessary measure to achieve your purpose, while ensuring they are not used in a way that is unfair or discriminatory to workers.
  • You must first consider what you are trying to achieve and whether there is a less privacy intrusive way to do this.
  • You should carry out a DPIA before you start any processing.
  • if you are offering a real choice for workers to participate in the use of health monitoring technologies, such as part of a worker wellness program, and there is no risk of negative consequences for not doing so, then consent can be appropriate.

Sharing employees' health information

  • Whenever you want to share the health information of workers you must:
    • consider your purpose and ensure that it is reasonable and proportionate;
    • treat your workers fairly and not use their health information in ways that would have unjustified adverse effects on them; and
    • tell workers about why and how you propose to share their health information before or at the time you share if prior notice is not possible.
  • In an emergency, you should share health information as necessary and proportionate.
  • If you are likely to be involved in responding to emergency or critical situations (such as in high-risk industries), you should consider in advance whether you may need to share your workers' health information.
  • You must also consider how you will share the information securely. The best way to do this is through a DPIA.
  • As part of your planning, ensure that your staff have clear guidance and training regarding their roles and responsibilities, which will give them confidence in using and sharing health information appropriately in an emergency.
  • You should not normally need to disclose a worker's health information with other workers, beyond those who genuinely need the information to carry out their roles, for example, your HR department.
  • Whenever possible, you should avoid naming individual workers, but you can still let other people know that they may have been in close contact with a confirmed case.

Odia Kagan Partner and Chair of GDPR Compliance International Privacy
[email protected]
Fox Rothschild LLP, Philadelphia

Feedback