Workers' health information and data protection law


Specific principles apply to the collection and use of workers' health information. So what health information can you collect and what can you use it for while still respecting their right to privacy?

It seems straightforward enough to ask job candidates to fill in a health questionnaire. However, under the Equality Act 2010 the circumstances in which you can ask health-related questions before offering a job are limited. Any information you collect legitimately, for example to decide whether an applicant can carry out a function that is essential to the job, is regarded as “special category data” (previously known as sensitive personal data) under the EU General Data Protection Regulation (GDPR). This means that certain rules apply, limiting the circumstances in which you can process health information.

If an employer wishes to process special category data, at least one of the following must apply:

  • The employee’s consent has been obtained (and is freely given, unambiguous, and takes the form of some kind of affirmative action or statement).
  • The data in question has already been made public by the employee.
  • The processing is necessary:
    • For protecting the employee’s rights or carrying out the employer’s obligations (and the employer has a suitable policy in place);
    • To protect the employee’s vital interests, or those of another person, and the employee is incapable of giving consent;
    • For the conduct of legal claims;
    • For substantial public interest reasons;
    • In order to assess the employee’s working capacity either on the basis of law or pursuant to a contract with a health professional (and subject to suitable confidentiality measures); or
    • For historical, scientific, research, or statistical purposes (and subject to suitable protection measures).
  • The processing is carried out by a non-profit body with a political, philosophical, religious, or trade union-related purpose, provided that the processing relates only to members or former members and provided that no data is disclosed to a third party without consent.

Only gather and keep the health information you need

The Information Commissioner's guidance, the Employment Practices Code, covers the thorny issue of workers' health details in depth, but it has not yet been updated to reflect GDPR changes. The Employment Practices Code and a special small business guide are available to download on the Information Commissioner's Office website.

The words of warning are:

  • Collect and hold workers' health details only if it brings real business benefits - and be absolutely clear what they are (see below).
  • Gather only the information you need, eg information in a medical report on a sick employee should be limited to information required to establish fitness to work.
  • Make it clear to the person why you want these details.
  • Ask for the person's consent, which must be freely given - a blanket consent given by a worker at the beginning of employment is not always sufficient. If applying for a report from a worker's GP, get the worker's specific consent to your application.
  • Use the data only for the purpose given to the person.
  • Make the person aware that they have right of access to their details which you hold.
  • Ensure the data is transmitted and stored securely, usually separately from other personnel records. If you don't, the workers concerned may have the right to compensation.
  • Ensure personnel authorising the collection of, or handling, the data are authorised to do so by the business, and aware of Data Protection rules, including the fact that interpretation of medical information should only be carried out by a suitably qualified health professional.
  • Make sure managers have access only to the health information necessary to carry out their management responsibilities, and that the information given to them is limited to the details needed to establish fitness to work.
  • Keep the details only for as long as you need them.

There are special rules for workers in occupational health schemes. In particular, workers giving information to health professionals under the scheme are entitled to confidentiality. This means that, for example, if you monitor workers' email or telephone conversations, it should be made clear that they should not use your work email or telephone system to contact your occupational health scheme. You may wish to give them access to an alternative, unmonitored email system or telephone line. Take advice.

Reasons for collecting health information

Employers must have good reason to ask for health details, and the details requested should relate to the worker's job and the work environment. The main reasons would be health and safety at work, satisfying other legal obligations (eg suitability to join an occupational pension or health insurance scheme), and avoiding liability for unfair dismissal under discrimination law. For example, under the Equality Act, an employer can fall foul of discrimination claims if they do not know that a job applicant is disabled and therefore fail to consider 'reasonable adjustments' that put the disabled applicant on an equal footing with other applicants.

Be discreet when collecting health information

The means of gathering the information should be as non-intrusive as possible. For example, information should only be collected at the stage when there is a good chance of an applicant being offered a job; and a health questionnaire is less intrusive than a medical test.

Health information and testing

Unless you are collecting information as part of an occupational health and safety programme that the workers have volunteered for, information asked for, or any medical test, should be limited to that required to:

  • Establish the worker is fit to carry out the job.
  • Avoid significant risks to the health and safety of other workers.
  • Decide whether a worker is fit to return to work after being off sick, or entitled to sick pay (or other health-related benefits).
  • Stop discrimination or decide whether there is a need to make 'reasonable adjustments'.

Only a very physically demanding job or a particular work situation should require a medical test. Alcohol or drug testing would have to be warranted by extreme circumstances, and you would also need to consider following up with a disciplinary process.

Information collected for one purpose cannot be used for another purpose without the worker's consent.

Keeping health information records

Whatever the information you collect, or testing you carry out, keep a record of the business purpose justifying the testing, and write down:

  • Who will be tested.
  • What they will be tested for.
  • How often.
  • What will happen as a result of the testing, whether results are positive or negative.

Any information that is obtained that is not relevant to the purpose for which information is being gathered, or testing carried out, must be permanently deleted, whether it is irrelevant at the time, or becomes irrelevant subsequently. Health information should therefore be periodically reviewed and, like all personal data, should be kept for no longer than is necessary in light of the purpose or purposes for which it was originally obtained.

The Information Commissioner's Office has created a checklist to help you ensure you are complying with the rules on collecting, using and storing health information.

If in doubt, take legal advice.
