
At a glance

  • These checklists provide an overview and quick guide to help you think about what you need to consider whenever you want to collect and use workers’ health information. Read the guidance if you want a fuller explanation and understanding of the issues.
  • These checklists are concerned with your data protection considerations only. They don’t cover other separate legal obligations you may have as an employer, such as health and safety. You will need to obtain separate legal advice for any other such legal obligations.


Checklist: Data protection and workers’ health information

☐ We have checked the processing of health information is necessary for the purpose we have identified and are satisfied there is no other reasonable and less intrusive way to achieve that purpose.

☐ We have identified a lawful basis for processing the health information.

☐ We have identified a special category condition for processing the health information.

☐ We avoid overly relying on consent when processing workers’ health information unless we can demonstrate it is genuine and freely given.

☐ We have documented what health information we are processing.

☐ Where required, we have an appropriate policy document in place.

☐ We have considered whether we need to do a data protection impact assessment.

☐ We ensure we only collect and use health information that is adequate, relevant and necessary and do not hold more than we need for the purpose.

☐ We have included specific information about our processing of health information in our privacy information for workers.

☐ We have considered our retention policy on health information and keep the health information of workers only for as long as necessary.

☐ We ensure we keep the health information of our workers accurate, and where necessary, up to date.

☐ We have put in place appropriate security measures to protect the health information of our workers.

☐ If we use health information of workers for automated decision making (including profiling), we have checked we comply with Article 22.

☐ We have considered how the use of the health information of our workers affects our other obligations such as accountability, data protection by design and default, and appointing Data Protection Officers (DPOs).

☐ We understand our obligations when workers exercise their data protection rights.

Checklist: Sickness and injury records

☐ We distinguish between sickness, injury, and absence records.

☐ Where we only need to know information about the length of a worker’s absence, and where practical, we consider using absence records instead of sickness records.

☐ We limit who can access and use information about workers from sickness and injury records, including whether they can have full access to the information of workers. We ensure they know what they can and cannot do with the health information.

☐ We only use sickness and injury records in ways that workers would reasonably expect.

☐ We have identified a lawful basis and a special category condition for processing sickness and injury records.

☐ We only share information from sickness or injury records about a worker’s illness, medical condition or injury with third parties where it is necessary and proportionate to do so. For example:

  • there is a legal obligation;
  • it is necessary for legal proceedings; or
  • the worker has given explicit consent to the sharing.

Checklist: Occupational health schemes

☐ We tell our workers how we intend to use information they provide as part of an occupational health scheme and the reports produced as a result. We also tell them who it might be made available to and why.

☐ We tell workers what data protection rights they have around the use of their information.

☐ We consider implementing a data sharing agreement with the occupational health provider, setting out under what terms information will be shared.

☐ We ensure that when requesting a worker’s medical file as part of an occupational health referral, we handle any information received in accordance with data protection law.

☐ We don’t ask workers to consent to the disclosure of their entire medical record, unless this is absolutely necessary.

☐ We avoid compromising any confidential communications between workers and health professionals in an occupational health service.

Checklist: Medical examinations and drugs and alcohol testing

Deciding when to collect information through medical examinations and testing

☐ We are able to justify collecting information through medical examination and testing of workers.

☐ We have made it clear to workers the rules and standards and when we may use tests to help enforce these.

☐ We carry out a data protection impact assessment to help document our purposes, justifications, safeguards, and how we intend to comply with our data protection obligations.

☐ We consider other less intrusive means of achieving our purposes, such as a health questionnaire instead of testing.

Carrying out medical examinations and testing

☐ We tell workers what they are being tested for, the frequency of testing, and the consequences of the results.

☐ We use the least intrusive forms of medical examination and testing that will bring the intended benefits to our organisation.

☐ We ensure that the testing method is of good quality, reliable and provides accurate results.

☐ We only collect information if it is a necessary and justified measure to:

  • prevent a significant risk to the health and safety of the worker, or other workers;
  • determine a particular worker’s fitness to work;
  • determine their entitlement to health-related benefits;
  • prevent discrimination on the grounds of disability or to assess the need to make reasonable adjustments; or
  • comply with other legal obligations.

☐ We collect information through a medical examination or medical testing of workers if the testing is part of an occupational health and safety programme that workers have a free choice to participate in.

☐ We make it clear early on in the recruitment process that we will only carry out medical examinations or testing once there is a likelihood that the candidate will be appointed.

☐ We limit the use of the information we collect to the purpose for which it was originally collected. We only carry out a different test on an existing sample if the worker has been told about it and has freely consented.

☐ We keep the information we have collected confidential, using an appropriate level of security.

☐ We do not carry out the covert collection of bodily samples for testing.

☐ We do not retain information obtained from medical examination or testing that is not relevant for the purpose(s) for which the examination or testing took place or for longer than is necessary.

Deciding when to collect information through drug and alcohol testing

☐ We are able to justify collecting information by testing workers for drug or alcohol use (eg for health and safety reasons).

☐ We have made clear to workers the rules and standards that we may use tests to enforce.

Carrying out drugs and alcohol testing

☐ We only use drug or alcohol tests where they provide significantly better evidence of impairment than other less intrusive means.

☐ We use the least intrusive forms of testing that will bring the intended benefits to our organisation.

☐ We tell workers what drugs they are being tested for.

☐ We base any testing on reliable scientific evidence about the effect of particular substances on workers.

☐ We limit testing to those substances and the extent of exposure that will meet the purpose for which the testing is conducted.

☐ We ensure random testing is genuinely random.

☐ We do not collect personal information by testing all workers, whether randomly or not, if only workers carrying out a particular activity pose a risk.

Checklist: Genetic testing

☐ We avoid using genetic testing to collect information to make predictions of a worker’s future general health. We only introduce genetic testing, if at all, after very careful consideration.

☐ We only use genetic testing as a last resort where it is:

  • clear that a worker with a detectable genetic condition is likely to pose a serious safety risk to others; or
  • known that a specific work environment or practice might pose a specific risk to workers with particular genetic variations; and
  • this is the only reasonable method to collect the required information.

☐ We carry out a data protection impact assessment if we want to process any genetic data.

☐ We only ask a worker to voluntarily provide information from their genetic test if it is relevant for our health and safety or other legal duties.

Checklist: Health monitoring

☐ We only introduce health monitoring where it is a proportionate and necessary measure to address a particular issue, or where we have specific legal, industry or sectoral duties that require us to monitor the health of our workers.

☐ We ensure the health information collected from monitoring is not used in ways that are unfair or discriminatory to our workers.

☐ We carry out a data protection impact assessment if we want to introduce health monitoring of workers.

☐ We have identified a lawful basis for the monitoring and collection of workers’ health information.

☐ We have identified a special category condition for the monitoring and collection of workers’ health information.

☐ We have considered how the monitoring and use of the health information of our workers affects our other data protection obligations, such as accountability, data protection by design and default, and purpose limitation.

☐ We have considered how Article 22 applies if we are using automated decision making when monitoring the health of our workers.

Checklist: Sharing workers’ health information

Preparing to share workers’ health information

☐ We have considered the purpose for sharing workers’ health information and ensure that it is reasonable and proportionate to do so.

☐ We treat our workers fairly and do not use their health information in ways that would have unjustified adverse effects on them.

☐ We tell workers why and how we propose to share their health information before we share it, or at the time we share it if telling them beforehand is not possible.

☐ We identify at least one lawful basis and a special category condition for processing before we share any health information.

☐ We avoid overly relying on consent to share workers’ health information unless we can demonstrate it is genuine and freely given.

Sharing health information in an emergency

☐ We have considered how we might need to share health information about workers in an emergency and have developed a plan for doing so.

☐ As part of a data protection impact assessment, we have considered what types of health information we might share, how and when we would share it, and the risks involved in both sharing and not sharing the information.

☐ We have considered how we will share the health information securely.

☐ We have provided clear guidance and training to staff on when and how to share health information appropriately in an emergency.

Disclosing a worker’s health information to other workers

☐ We do not disclose a worker’s health information to other workers unless they genuinely need the information to carry out their roles, or where there is a legal requirement to inform other workers for health and safety purposes.

☐ Where possible we avoid naming individual workers where there has been a communicable disease, but still let close contacts know they may have been exposed.