Introduction
On 27 October 2022, we launched a public consultation seeking views on the draft guidance ‘Employment practices and data protection: information about workers’ health’. The purpose of the guidance is to help employers comply with data protection law when processing workers’ health information.
The consultation ran until 26 January 2023.
We received 24 responses to the public consultation from different sized organisations and people, all with an interest in handling information about workers’ health. We thank everyone who took the time to comment and share their views. The breakdown of respondents is as follows:
| An organisation or person employing workers |
10 |
| A representative of a professional, industry or trade association | 4 |
| A trade union | 1 |
| A person acting in a professional capacity | 3 |
| A person acting in a private capacity (eg someone providing their views as a member of the public) | 2 |
| A entity acting in a professional capacity as a provider of specialist data protection and legal affairs advice | 4 |
We have carefully considered the responses and used them to inform the final version of the guidance.
We received a range of comments on the draft guidance. It is not possible to cover every point in detail that was raised as a result of the consultation. However, we have identified several key themes that did emerge from the responses, which we summarise below.
Key themes
Structure of the draft guidance
In general, the responses to the draft guidance were positive. Most respondents thought the draft guidance is clear and easy to understand. They also felt it is easy to find information within the draft guidance. They said its clear headings and structure were helpful, particularly for those with limited data protection knowledge.
Several respondents considered the draft guidance to be largely appropriate for its audience, given the range of organisations who may use it and their varying level of existing data protection knowledge. However, one respondent expressed the view that the guidance would be better if it was targeted towards a wider audience covering workers and their representatives, rather than just employers.
There were a couple of suggestions of including a checklist or glossary of terms to help those less familiar with data protection law.
Whilst many respondents seemed to be content with the presentation of information, a couple of respondents felt there was unnecessary repetition of some points. For example, references to the data protection principles, which could be removed to help streamline the guidance. However, another respondent suggested it would be beneficial to have further repetition of key points. We received a suggestion of combining some sections to reduce the length of the guidance. Some felt it was long and difficult to digest. Others suggested separating out some content. Several respondents asked for further detail in some areas.
ICO response
We don’t necessarily expect people to read the guidance from start to finish. Instead, you can identify the information you need to find and read just that section. We provide links to other related areas and to separate guidance if you want to know more. Because of this, we consider it important to refer back to key concepts in the different sections of the guidance, particularly the data protection principles, where this is appropriate.
Our intention has always been for this guidance to be mainly for employers to help them understand their data protection responsibilities when handling their workers’ health information. Other readers, such as workers and their representatives may still find the guidance useful to understand how they can expect employers to handle their personal information. We will consider whether to produce guidance more tailored to groups such as workers in due course.
We have also included checklists to complement the guidance. We will consider whether there are any additional resources we can provide.
Guidance topics and detail
Generally, respondents felt the draft guidance covered the right issues. However, a number of respondents suggested there could be further detail, and that employers would find more examples useful. Several respondents asked for examples covering the different lawful bases and special category conditions that employers could use for handling workers’ health information. For example, we received a request for greater clarity about the use of the substantial public interest condition when processing health information.
A few respondents also wanted additional areas to be covered in the guidance. Some of these suggestions are covered under the other themes discussed elsewhere in this summary.
Several respondents queried some technical aspects of the draft guidance or suggested potential improvements to help clarify certain points.
ICO response
We have provided some additional clarification to various explanations throughout the guidance, and added several examples to provide further clarity for employers. This includes extra examples covering different lawful bases and special category conditions.
Occupational health
Several respondents asked for further guidance on occupational health (OH) issues, with some asking for additional detail aimed more at OH professionals. This included the data protection considerations when an employer uses an ‘in-house’ OH department or team. They requested more content on the difference in requirements for OH professionals and management, and what information sharing managers can require from OH professionals.
Some respondents wanted the guidance to cover more detailed considerations, such as:
- the different OH tools an employer can use;
- contracting out for OH schemes; and
- more on the use of health questionnaires when recruiting for roles.
Others wanted further detail on the appropriate lawful bases and special category conditions that employers could rely on.
Some respondents noted certain issues that practitioners may face when dealing with legislation and requirements other than data protection law. This included the importance of other duties, such as the duty of confidentiality and they wanted the guidance to emphasise this more.
A few respondents suggested adding some external links to other professional bodies and resources to the guidance.
ICO response
We have tried to focus on helping employers understand their data protection obligations when they want to use workers’ personal information as part of occupational health referrals. This part of the guidance specifically covers when an employer uses an external OH provider, rather than an ‘in-house’ function, as the employer will remain the controller for any such processing.
This guidance is not aimed at OH professionals themselves and it would not be appropriate for us to give guidance about their professional responsibilities.
We recognise that employers face practical issues when trying to comply with data protection law and other legislation. We can only provide guidance on matters within our remit, so it would not be appropriate for us to comment on other legislative requirements or issues that may arise. We suggest employers seek their own independent legal advice on their other legal responsibilities. However, we are committed to provide greater certainty to stakeholders on what is within our remit (their data protection obligations). We have endeavoured to do this in this guidance. In particular, we have used the terms ‘must’, ‘should’ and ‘could’ to help readers understand what is a legal requirement, and what is good practice.
In terms of recruitment, we are developing specific guidance focusing on recruitment, selection and verification issues which we will publish for public consultation in due course.
Health records
Several respondents asked for further guidance on various aspects of keeping and using the health records of workers. This included how employers should deal with workers voluntarily providing their health information. They also asked how employers can meet accuracy requirements when workers are able to input their own health information onto self-service systems.
Additionally, some suggested that the guidance could address how an employer should deal with inferences about people’s health information.
Some respondents asked for further guidance on more specific issues. For example, responding to subject access requests involving health information, and sharing workers' health information in very specific scenarios.
A few respondents mentioned they would like to see examples where automated decision-making is used to process workers’ health information. As well as when Article 22 (automated decision-making and profiling) requirements might be engaged.
ICO response
We have added some clarification to the guidance to cover situations where workers may provide or update their own personal health information. We have also included links to other existing ICO guidance that covers inferences about special category data, Article 22 requirements and artificial intelligence.
We have also recently published a series of Q and As covering subject access requests for employers.
We are working on producing specific guidance focusing on employment records. This should help address questions around handling employment records that include health information not otherwise covered in the guidance.
Recruitment and health information
Several respondents wanted more guidance and clarification about collecting and using health information as part of the recruitment process. As noted under the OH theme, there was a request to include further detail on using health questionnaires. A number of respondents queried how health information obtained from recruitment can be used for equality and discrimination monitoring purposes.
ICO response
We are planning to produce specific guidance focusing on recruitment, selection and verification. Whilst we don’t intend this to specifically concentrate on health information, it should help address some of the recruitment issues employers may face. For example, whether they may want to collect applicants’ health information.
Other laws and responsibilities
Several respondents asked for more details on how data protection law interacts with other legal obligations and responsibilities that employers may have. This included health and safety law, employment law, and common law, including the duty of confidence, especially given the nature of health information. Some wanted the guidance to go further into aspects of other legislation and ethical principles.
ICO response
We recognise that there may be practical issues employers face when trying to comply with data protection law and their obligations under other legislation. However, we can only provide guidance on matters within our remit, so it would not be appropriate for us to comment on other legislative requirements or issues that may arise. We highlight where employers may have other considerations. We suggest employers seek independent legal advice on their other legal responsibilities.
Mental health and wellbeing
Some respondents said they would like to see additional guidance covering the use of personal information involving mental health and wellbeing issues in the workplace. This included monitoring or collecting workers’ health information, or both, to assess mental and emotional wellbeing, as well as stress levels. Other issues included the use of wellness schemes and handling and sharing information about a person’s mental health. For example, if they present a risk of self-harm.
ICO response
We consider that the guidance already makes clear that mental health information is treated in the same way as information about physical health. Therefore, the guidance applies to an employer’s handling of their workers’ mental health information in the same way as information about their physical health. However, we will consider whether there is any need for future guidance on mental health issues in the workplace.
We are developing new guidance on information sharing in mental health emergencies at work, which we will publish soon.
General issues
There were a number of other more specific points raised by some respondents that don’t fit into a theme, but which we think are worth mentioning in this summary.
Some respondents mentioned difficulties or potential misunderstandings or examples of bad practice they have encountered involving collecting and using health information.
Others thought that the guidance should:
- cover equality of opportunity or treatment, diversity and disabilities;
- put a greater emphasis on employers consulting with workers when introducing new ways of working or technologies that might collect their health information; and
- include practices that developed during the Covid-19 pandemic, such as employers collecting vaccination information and testing workers.
ICO response
We appreciate all the feedback we have received and the suggestions made. However, we must ensure our guidance focuses on data protection issues only. We intend to update this guidance as and when needed. For example, to take into account developments in technology that may have an impact on employers’ use of health information.
We will consider whether we need to produce any specific guidance for employers on dealing with public health emergencies, drawing on the experience of the Covid-19 pandemic, as and when needed.
We hope that the finalised guidance will provide clarity to employers on their data protection obligations when collecting and using workers’ health information. Also, that this will address some of the problems and issues that some may have experienced.
We recognise that employers may want further guidance on particular issues. In the future, we will consider any opportunities to add additional detail to our employment guidance products.