
Latest updates - last updated 5 March 2024

5 March - In the section 'Can we share a worker's health information in an emergency?' we have added a link to related guidance we have published on 'Information sharing in mental health emergencies at work'.

31 August 2023 - This guidance was published.

In detail

Who is this guidance for?

This guidance is aimed at employers to help them understand their data protection obligations under the UK GDPR and DPA 2018 (we refer to these as ‘data protection law’) when handling the health information of the people who work for them. The guidance also provides links to other key pieces of data protection guidance if you want to find out more.

The guidance aims to:

  • help provide greater regulatory certainty;
  • protect workers’ data protection rights; and
  • help employers to build trust with workers.

How is this guidance structured?

The guidance has two main parts. The first section contains an overview of how data protection law applies to the processing of workers’ health information. It looks at the data protection principles and the basics for compliance, with links to further detailed guidance.

The second part considers some of the most common types of employment practices where you process workers’ health information. It looks at what the law requires you to do, as well as good practice advice.

While we recommend that you read the guidance in full, you can choose which parts of the guidance you read to fit your needs.

What do you mean by ‘worker’?

We use the term ‘worker’ throughout this guidance to refer to anyone who performs work for an organisation. Business models have changed in the last decade, with the rise of the gig economy, and this guidance captures those relationships too. It applies to all circumstances where there is an employment relationship, or otherwise a relationship between an organisation and a person who performs work for it, regardless of the nature of the contract.

How should we use this guidance?

To help you to understand the law and good practice as clearly as possible, this guidance says what organisations must, should and could do to comply.

Legislative requirements

  • Must refers to legislative requirements.

Good practice

  • Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the law. You should do this unless there is a good reason not to. If you choose to take a different approach, you must be able to demonstrate that this approach also complies with the law.
  • Could refers to an option or example that you could consider to help you to comply effectively. There are likely to be various other ways you could comply.

This approach only applies where indicated in our guidance. We will update other guidance in due course.