Latest updates - last updated 31 August 2023
31 August 2023 - This guidance was published.
- Who is this guidance for?
- How is this guidance structured?
- What do you mean by ‘worker’?
- How should we use this guidance?
This guidance is aimed at employers to help them understand their data protection obligations under the UK GDPR and DPA 2018 (we refer to these as ‘data protection law’) when handling the health information of the people who work for them. The guidance also provides links to other pieces of key data protection guidance if you want to find out more information.
The guidance aims to:
- help provide greater regulatory certainty;
- protect workers’ data protection rights; and
- help employers to build trust with workers.
The guidance has two main parts. The first part contains an overview of how data protection law applies to the processing of workers’ health information. It looks at the data protection principles and the basics for compliance, with links to further detailed guidance.
The second part considers some of the most common types of employment practices where you process workers’ health information. It sets out what the law requires you to do, as well as good practice advice.
While we recommend that you read the guidance in full, you can choose which parts of the guidance you read to fit your needs.
We use the term ‘worker’ throughout this guidance to refer to someone who performs work for an organisation. Business models have changed in the last decade, with the rise of the gig economy, and this guidance captures those relationships too. It applies to all circumstances where there is an employment relationship, or otherwise a relationship between an organisation and a person who performs work for it, regardless of the nature of the contract.
To help you to understand the law and good practice as clearly as possible, this guidance says what organisations must, should and could do to comply.
- Must refers to legislative requirements.
- Should does not refer to a legislative requirement, but what we expect you to do to comply effectively with the law. You should do this unless there is a good reason not to. If you choose to take a different approach, you must be able to demonstrate that this approach also complies with the law.
- Could refers to an option or example that you could consider to help you to comply effectively. There are likely to be various other ways you could comply.
This approach only applies where indicated in our guidance. We will update other guidance in due course.