Data protection and workers’ health information
In detail
- Why is it important that the health information we have on workers complies with data protection law?
- How do we ensure we use workers’ health information fairly?
- How do we lawfully process workers’ health information?
- What lawful bases might apply if we want to process workers’ health information?
- What special category conditions might apply?
- Can we rely on a worker’s consent?
- How do we limit how much health information we collect?
- What do we need to tell workers when processing their health information?
- How long can we keep workers’ health information?
- How do we keep workers’ health information accurate and up to date?
- How do we keep the health information of workers secure?
- What if we use automated decision making involving workers’ health information?
- Do we need to do a data protection impact assessment?
- Who is responsible for data protection and health information in our organisation?
- Checklist
Why is it important that the health information we have on workers complies with data protection law?
Health information is some of the most sensitive personal information you might process about your workers. The UK GDPR and the DPA 2018 (referred to here as data protection law) applies whenever you process information about your workers’ health.
As an employer, it’s likely that there are many circumstances in which you might need to process information about a worker’s health. This includes, but is not limited to:
- a questionnaire completed by workers to detect problems with their health;
- sickness absence forms;
- information about their impairment or disability;
- the results of a worker’s eye-test who has been using display screens;
- records of blood tests carried out to ensure they have not been exposed to hazardous substances;
- the results of an alcohol or drugs test;
- the results of a fitness to work assessment to determine entitlement to benefits or suitability for continued employment; and
- records of vaccination and immunisation status and history.
Data protection law sets out principles for the collection and use of personal information, including health information.
Article 4(15) of the UK GDPR gives the following definition of ‘health data’:
‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status.
As this personal information reveals or concerns a person’s health, it is a type of special category data with certain extra rules that you must follow. These rules do not prevent the processing of health information, but limit the circumstances in which you can do it.
In an employment context, this covers the collection and use of information about a worker’s physical or mental health or condition.
Further reading
You can read our separate detailed guidance on special category data, which includes further information on 'What is health data?'. It also covers 'What about inferences and educated guesses?'. This considers whether inferences about people can count as special category data, which may be relevant to your use of health information.
How do we ensure we use workers’ health information fairly?
If you want to collect and use information on your workers’ health, you must be clear about why you are doing so. You must also have justifiable reasons for collecting it. This might be to support your workers by providing flexibility such as reasonable adjustments and equal access, other necessary support or improving health and safety.
Remember that gathering information about your workers’ health is intrusive and in some cases it may be highly intrusive, depending on the sensitivity of the information. It is though reasonable for workers to expect they will need to share a proportionate amount of heath information with you, for example when dealing with:
- sickness absence;
- occupational health referrals; and
- other employment-related purposes.
However, workers can legitimately expect that employers will respect their privacy when handling their health information.
Data protection law requires fairness. In general, you should handle health information in ways that workers would reasonably expect and not use it in ways that have unjustified adverse effects on them. You must be clear and transparent about your purposes for processing health information from the start. You should carefully consider not only how you can use their health information, but also the reasons why you need to use their information.
You must record your purposes as part of your documentation obligations and specify them in your privacy information for individuals. For more details, see 'What do we need to tell workers when processing their health information?' and 'Who is responsible for data protection and health information in our organisation?' below.
You can only use the health information for a new purpose if:
- this is compatible with your original purpose;
- you get specific consent from the worker; or
- you have a clear obligation or function set out in law.
Remember to consider your obligations under employment law, health and safety law and other legislation. Remember to also consider any common law duties, as well as any relevant industry standards you may have.
Further reading
Read our guidance on:
How do we lawfully process workers’ health information?
To lawfully process health information, you must first identify a lawful basis under Article 6 of the UK GDPR. As health information is special category data, it needs a greater level of protection. There are rules covering the use of special category data. You cannot process this type of information unless you meet some additional requirements. This means that, in addition to a lawful basis, you must also identify a special category condition for processing under Article 9 of the UK GDPR. You may also need to satisfy a condition in schedule 1 of the DPA 2018. For more information on this, see 'What special category conditions might apply?' below.
Lawfulness also means that you don’t do anything with workers’ health information which is unlawful in a general sense (eg statute and common law obligations, whether criminal or civil). If your processing of health information involves committing a criminal offence, it will obviously be unlawful. However, processing may also be unlawful if it results in:
- a breach of a duty of confidence;
- a breach of industry-specific legislation or regulations; or
- a breach of the Human Rights Act 1998.
These are just examples and this list is not exhaustive. You may need to take your own legal advice on other relevant legal requirements.
Below, we set out the lawful bases that are most likely to apply in an employment context when you need to process your workers’ health information.
Further reading
You can use our interactive guidance tool to help you decide which lawful basis might apply.
You can find more information about the following:
What lawful bases might apply if we want to process workers’ health information?
There are six lawful bases for processing personal information. At least one of these must apply whenever you process health information. No one basis is better, safer or more important than the others. How you decide which lawful basis applies depends on your specific purposes and the context of the processing of workers’ health information. Remember, you must determine your lawful basis for processing your workers’ health information before you begin this processing. You must document it.
We’ve listed below the lawful bases that are most likely to apply to the processing of workers’ health information in an employment context. Other lawful bases may be available.
Remember, it is your responsibility to decide what lawful basis is most appropriate for your health processing. If you can meet the criteria for a specific lawful basis, then it’s likely you can rely on it.
Contract
This lawful basis applies where the processing is necessary for a contract you have with the worker, or because they have asked you to take specific steps before entering into a contract. This is most likely going to apply when you need to process a worker’s health information to fulfil your obligations under an employment contract. This lawful basis only applies to processing purely for contractual employment purposes, rather than legal obligations under employment law.
Example
As part of their contract of employment with their workers, an employer provides occupational sick pay. This is a type of contractual sick pay and is distinct to statutory sick pay, which is a legal requirement. The employer needs to process details of their workers’ sickness absences to pay occupational sick pay. They therefore rely on contract as their lawful basis. They also identify a special category condition for processing the health information.
Further reading
Legal obligation
You can rely on this lawful basis where you need to process a worker’s health information to comply with the law (although this does not include contractual obligations).
Example
An employer has a legal requirement to report 'specified injuries' to the Health and Safety Executive, under RIDDOR 2013. This would involve the processing of a worker’s health information. The employer relies on legal obligation for their lawful basis. They also identify a special category condition.
Example
An employer needs to process sickness absence information about their workers in order to comply with their legal obligation to pay statutory sick pay. The employer therefore relies on legal obligation as their lawful basis.
The employer also identifies an appropriate special category condition.
Further reading
Legitimate interests
This may apply if the processing of the health information is necessary for your legitimate interests or the legitimate interests of a third party. This won’t apply if there is a good reason to protect the worker’s personal information which outweighs those legitimate interests. As part of this, you should carry out a legitimate interests assessment to determine if this is the case.
Example
An employer is being sued by one of their workers following an accident at work. The employer wants to share details of the accident with their solicitors to obtain legal advice on their position and potentially to defend the claim. The information about the accident includes details of the worker’s injuries, which qualify as health information. The employer carries out a legitimate interest assessment and they are satisfied they can rely on legitimate interests in sharing the health information. They also identify a special category condition for processing.
Example
An employer needs to recruit for a position where the health and fitness of the post holder is integral to the role. Therefore, they want to ensure that the person they employ passes a health exam. They decide to make their job offer conditional on the shortlisted person subsequently having a medical exam prior to starting employment. As a result, they need to collect this person’s health information.
The employer determines that it is in their legitimate business interests to have fully vetted staff, given the nature of the work. They consider the different job roles and determine that the level of vetting depends on the type of role. They assess what checks and vetting are actually necessary for each role. This ensures that the processing is targeted and proportionate to the specific role and responsibilities in order to meet the necessity test. For their lawful basis, the employer relies on legitimate interests. They also identify a special category condition for processing.
Further reading
For further information see our guidance on Legitimate interests and in particular the see the section 'How can we apply legitimate interests in practice?'.
Vital interests
In exceptional circumstances, you may be able to rely on the vital interests lawful basis if you need to process a worker’s health information to protect their life, or the life of another person. You cannot rely on vital interests for health information if the worker is capable of giving consent, even if they refuse their consent. This lawful basis is very limited in its scope and generally only applies to matters of life and death. For example, this lawful basis may apply where there is a medical emergency and a worker’s life is at immediate risk.
Further reading
What special category conditions might apply?
As explained above, health information is special category data. This means that as well as identifying a lawful basis under Article 6, you must also identify a special category condition under Article 9. There are 10 conditions for processing special category data. For five of these conditions, you must meet additional conditions and safeguards set out in schedule 1 of the DPA 2018.
If you are relying on a schedule 1 condition, many of these also require you to have an ‘appropriate policy document’ in place. This acts as part of the additional safeguards that are necessary for the processing to take place.
Further reading
See our separate guidance 'What is an appropriate policy document?' for more information. We have also produced a template you can use.
See also Special category data.
Remember that you must determine your special category condition before you begin the processing. You must document your decision, along with your lawful basis.
We’ve listed below the most likely special category conditions relevant to processing workers’ health information in an employment context.
Employment, social security and social protection law
This condition is particularly relevant for employers, for example where you are:
- ensuring the health, safety and welfare of workers; or
- maintaining records of statutory sick pay and maternity pay.
Your purpose must be to comply with employment law, or social security and social protection law. You need to identify the legal obligation or right in question, either by reference to the specific legal provision or by pointing to an appropriate source of advice or guidance that sets it out clearly. For example, you can refer to a government website or to industry guidance that explains generally applicable employment obligations or rights. In the context of workers’ health information, this would be a legal obligation or right that requires you to process their health information.
This condition does not cover processing to meet purely contractual employment rights or obligations (such as occupational sick pay, which is given above as an example of processing based on the contract lawful basis. However, processing for the purpose of paying statutory sick pay would be covered by the condition).
You must justify why processing this specific information is necessary. It must be a reasonable and proportionate way of meeting specific rights or obligations. You must not obtain or use more information than you need.
If you are relying on this special category condition, you also must meet the associated condition set out in part 1 of schedule 1 of the DPA 2018. This condition also means you must have an appropriate policy document in place.
Further reading
Legal claims or judicial acts
You may rely on this condition to process health information if the processing is necessary to establish, exercise or defend legal claims. This might apply if a worker is suing their employer over an incident that affected their health.
Example
An employer is being sued by one of their workers following an accident at work. The employer wants to pass the details of the accident to their solicitors to obtain legal advice on their position and potentially to defend the claim. The information about the accident includes details of the worker’s injuries, which qualify as health information. The purpose of the disclosure is to establish its legal position and to defend the claim.
The employer has also identified a lawful basis, such as legitimate interests (see above).
You must justify why processing this specific information is necessary to establish, exercise or defend the legal claim. The use of this information must be relevant and proportionate, and you must not obtain or use more information than you need.
You can only rely on the legal claims element of this condition, as the judicial acts element only applies to courts acting in their judicial capacity.
Further reading
Substantial public interest
This condition allows you to process health information, if this is necessary for reasons of substantial public interest as set out in UK law.
To rely on this condition, you must meet one of the specific substantial public interest conditions set out in part 2 of schedule 1 of the DPA 2018. You must also have an ‘appropriate policy document’ in place for almost all of these conditions.
The most likely substantial public interest conditions relevant for processing worker health information are:
- statutory and government purposes; and
- safeguarding of children and of individuals at risk.
This list isn’t exhaustive. If you intend to rely on any substantial interest conditions, you should look at the details of the specific conditions in the legislation to determine what condition is most appropriate to your purpose.
Further reading
Read our guidance on:
For more information on the different conditions see:
Vital interests
You may also find that vital interests might apply in some limited circumstances, similar to the vital interests lawful basis as discussed above.
Further reading
Can we rely on a worker’s consent?
Here, we consider the issue of relying on a worker’s consent as a lawful basis or explicit consent as a special category condition. This is because consent provides certain challenges in an employment context.
Consent is one of the lawful bases for processing personal information. Data protection law sets a high standard for consent, and people must have a genuine choice over how you use their information. Consent must be unambiguous and involve a clear affirmative action (ie using an opt-in). You must also allow people to withdraw their consent as easily as they give it.
However, you may find it difficult to rely on consent to process health information about your workers. This is because, as an employer, you will generally be in a position of power over your workers. They may fear adverse consequences and might feel they have no choice but to agree to the collection of their health information. Therefore, they cannot freely give their consent. If the worker has no genuine choice over how you use their information, you cannot rely on consent as a lawful basis.
Example
A company requires their workers wear a device to monitor their movements for time management and complex stock movement purposes. The company considered whether less intrusive methods would meet these purposes but decided these alternative methods do not meet their business needs.
The wearable device also has the ability to monitor heart rate. The company asks their workers to consent to the additional collection of heart rate information to measure their fitness levels in order to contribute to performance evaluation purposes. As this is health information, they also ask for explicit consent. However, the workers may feel compelled to consent, as they don’t want to risk their job or come across as difficult or having something to hide.
As the workers’ consent is not freely given, the company cannot rely on consent or explicit consent in this example. This is because of the power imbalance between the employer and worker.
You should avoid relying on consent unless you are confident you can demonstrate it is freely given. This means that a worker must be able to refuse without fear of a penalty being imposed. They must also be able to withdraw their consent at any time.
If you think it will be difficult for you to show that your workers’ consent is freely given, you should consider relying on a different lawful basis, such as legitimate interests. See 'What lawful bases might apply if we want to process workers’ health information?' for other lawful bases that you may consider using for the type of processing you want to do.
However, this does not mean that you can never use consent as a lawful basis. Even where you are in a position of power, there may be situations where you can still show that workers have freely given their consent.
Example
A medical firm offers health screening for their staff, using their own in-house services to test and examine their workers. The firm makes it clear that there is no requirement to take part. They say that they will not take participation into account for performance evaluation purposes or any purpose other than the voluntary health screening.
Participation is genuinely optional and there are no adverse consequences to those who do not want to take part. Therefore, the firm can consider consent as their lawful basis. They can also consider explicit consent as their special category condition for processing.
There are also other considerations you must take into account if you want to rely on consent, such as recording and managing consent.
Explicit consent
Explicit consent is one of the conditions that you can use to process special category data, including health information. Data protection law does not define explicit consent. However, it is not likely to differ much from the usual high standard of consent. The key difference is that a person must expressly confirm their explicit consent in a clear statement (whether oral or written). You cannot infer explicit consent from someone’s actions.
Explicit consent is the only special category condition that can apply to a wide range of circumstances. In some cases, it may be the only appropriate condition, depending what you want to do with the health information.
Further reading
For more information please see our separate guidance on consent and on explicit consent.
How do we limit how much health information we collect?
You must not collect more health information than you really need for your stated purpose. The information you do collect must be relevant and adequate to properly fulfil that purpose.
You should consider whether there are targeted ways of collecting information about your workers’ health that would deliver the outcomes you want while being acceptable to them. For example, rather than testing all your workers for a particular role that requires a certain level of fitness, you could, if appropriate to meet your business needs and the role’s physical requirements, use a health questionnaire to select the people you are testing.
In general, you should collect as little health information about as few workers as possible. It’s likely employers will need to obtain at least some health information about their workers during the normal course of their employment. How much health information you collect depends on what is necessary for certain job roles. Some roles require you to collect more detailed health information about your workers, such as:
- those working in hazardous environments;
- workers whose jobs require high levels of physical fitness; or
- those dealing with clinically at risk people.
This will often be for health and safety reasons. You should only collect more detailed health information in areas of highest risk.
Example
An employer decides to use a health questionnaire for their workers to ensure they are medically fit to work in a physical job role. The employer ensures that they only collect information that they really need. They design the health questionnaire to ensure it only collects relevant information.
It is good practice for health professionals to design health questionnaires. This also means the questionnaires should be interpreted by those who are qualified to draw meaningful conclusions from the information supplied by the worker.
You should check any questionnaire you use to ensure it complies with your legal obligations.
Example
An employer commissions a medical report on a worker who is off work due to a long term sickness absence. The employer only asks for information on the worker’s fitness for continued employment in their role. They don’t ask the medical report author to provide details of the worker’s condition. They ask the author to provide an assessment of whether or not the worker is fit to return to employment, whether they need to be redeployed or whether the employer needs to make adjustments to the workplace to accommodate their condition.
Example
An employer needs access to specific information from a worker’s medical record. The employer does not ask the worker to consent to the disclosure of their entire medical record, as this contains more information than the employer needs. Instead the employer only seeks the disclosure of the whole record, or substantial parts of it, where this is genuinely necessary. Where the employer needs information from a GP or other medical professional, they ask the worker specific, relevant questions to elicit the information needed.
Where an employer needs to obtain a report from a worker’s GP or other medical practitioner responsible for the worker’s care, the employer considers the requirements of the Access to Medical Reports Act 1988 or the Access to Health Records (Northern Ireland) Order 1993.
You must not collect health information purely on the chance that you may find it useful in the future. However, you may hold information for a foreseeable event that might never occur if you can justify it.
Example
An employer holds details of the blood groups of some of their workers who do hazardous construction work. The employer has safety procedures in place to help prevent accidents. Therefore, the employer may never need this information, but they still need to hold this information in case of an emergency.
However, it may be excessive to hold details of the blood groups of the rest of the workforce who aren’t involved in hazardous work, such as office staff.
Remember that, as an employer, your interest is mainly in knowing whether a worker is or will be fit to work. As far as possible, leave it to medical professionals to access and interpret detailed medical information for you. See also 'What if we use occupational health schemes?' and 'What if we use medical examinations and drugs and alcohol testing?'.
Remember that workers have a right to rectification and a right to erasure about their personal information.
Further reading
For more information see our separate guidance on data minimisation.
You can also read our separate guidance on the right to rectification and the right to erasure.
What do we need to tell workers when processing their health information?
Data protection law requires fairness and transparency. It provides a right for workers to be informed about how their employer is using their health information and why.
Transparency is fundamentally linked to fairness. Transparent processing is about being clear, open and honest with your workers. You must let your workers know that information about their health is being collected and why, who will have access to it and in what circumstances. You’re unlikely to ever be able to justify gathering information about workers’ health covertly.
You must include specific information about your processing of health information in your privacy information for your workers. It’s important that you tell your workers about your processing in a way that is easily accessible and easy to understand, using clear and plain language. There are a range of ways you can provide this privacy information. You could provide it:
- as part of your staff privacy notice on your organisation’s intranet;
- as part of your general data protection policy;
- as separate privacy information in a worker handbook;
- using ‘just in time’ notices if using online workshops, platforms or tools where you might collect health information or share it with others;
- as a general notice on a staff notice board; or
- by sending a letter or email to workers.
Which method you use as the most effective way of giving privacy information to your workers depends on the nature of your organisation and what fits best with your needs.
Where you are taking a specific action, for example if a worker is undergoing a medical test, you must ensure, prior to the test, that the worker is fully aware what, why and how much information you are collecting. They also need to know what rights they have under data protection law. If they are referred to a doctor or nurse, it is important that they know what sort of information you will receive as a result.
See also 'What if we use occupational health schemes?' and 'What if we use medical examinations and drugs and alcohol testing?'.
Further reading
Read our separate guidance on lawfulness, fairness and transparency and the right to be informed for more detail on your transparency obligations and the privacy information you must provide to workers.
For more on data protection rights see:
How long can we keep workers’ health information?
You must not keep personal information for longer than you need it. Therefore, you need to consider how long you need to keep worker health information, as well as the health information of former workers. You also need to justify keeping this information. This depends on your purposes for holding the information.
Where you are processing health information, you must record your retention schedules to comply with documentation requirements. It is good practice to have a retention policy, wherever possible.
You should also periodically review the health information you hold and erase or anonymise it when you no longer need it.
Example
You have collected general health information about a worker during the course of their employment. Once they have left your organisation, you review whether you need to retain that information now they are no longer employed by you. You delete any unnecessary information, subject to any other legal obligations you may have around retaining employment and health and safety records.
Remember to consider any legal or regulatory requirements and seek advice on compliance if necessary. There are various legal requirements and professional guidelines about keeping certain kinds of records, such as information on aspects of health and safety. Certain legislation may require you to keep the information for a specified period. This might mean you need to keep health information to comply with such a requirement.
You also must carefully consider any challenges to your retention of worker health information. Workers have a right to erasure if you no longer need the information for the purposes for which you collected it.
This principle closely links to the data minimisation principle. For more details, see 'How do we limit how much health information we collect?' above.
Further reading
For more information on how long you can keep personal information please read our separate guidance on storage limitation.
See also our separate guidance on Documentation requirements.
We also have separate guidance on the right to erasure.
How do we keep workers’ health information accurate and up to date?
Data protection law requires you to ensure personal information is accurate and, where necessary, kept up to date (the accuracy principle). You must take all reasonable steps to ensure your workers’ health information is not incorrect or misleading as to any matter of fact.
You must keep the health information updated, although this depends on the nature of the information and what you are using it for. For example, if you hold information about a worker’s blood type, the information itself will not change. However, if you need to keep records of details that can change over time, such as a worker’s hearing level, you may need to update these. It is probably worth asking the worker concerned to review and confirm any changes.
If you discover that the health information is incorrect or misleading, you must take reasonable steps to correct or erase it as soon as possible.
You must carefully consider any challenges by your workers to the accuracy of their health information.
If your workers have the ability to input or update their own health information on your organisation’s system (such as your HR platform), your ability to ensure accuracy of the information may be more limited. However, you could carry out periodic reviews of your workers’ records. If you decide to review worker records, you should ensure that appropriately authorised people carry out this work. You may prefer to instead ask workers themselves to periodically check the information they enter.
This principle has clear links to a worker’s right to rectification and their right to erasure.
How do we keep workers’ health information secure?
Data protection law requires that you must have appropriate security measures in place to protect your workers’ health information. This is the ‘integrity and confidentiality’ principle – also known as the security principle.
You must ensure the level of security you apply is appropriate to the nature of the information you are protecting and harm that might result from misuse or loss. Given that health information is special category data, you must have a high level of security. Unless you apply a particularly high level of security to all employment records, it is likely that you would need to single out health information about your workers for special treatment. This means you must keep information about workers’ health particularly secure.
Depending on the nature of your organisation, you could keep information about your workers’ health on a separate database or system, or subject to separate access controls. For example, limiting access to only those who need to see it, such as using password protection. If you use physical records, you could separate health information from the other contents of a worker’s personnel file (such as by putting it in a sealed envelope) and keeping it in a locked cabinet.
You should also consider who has access to workers’ health information. You should apply the principle of ‘need to know’. As far as possible, you should limit access to information on medical conditions to health professionals, such as doctors and nurses.
Managers should only have access where it is necessary for them to undertake their management responsibilities. You should limit this to only the information they need to meet their obligations. It’s likely you can limit this to information about a worker’s current or likely future fitness to work. It may be less information than a doctor or nurse needs to make an assessment of the worker. In some cases, a manager may need to know more about a worker’s state of health to protect that worker or others.
When you are developing your information management systems, you must consider data protection by design and by default. This ensures that data protection is built into your systems. If you are reviewing your existing systems, you must consider how you can incorporate this requirement.
Further reading
We have produced separate guidance on security.
Read our separate guidance on data protection by design and by default.
What if we use automated decision making involving workers’ health information?
You may sometimes want to use automated decision-making about your workers. This is where a decision is made by automated means without any human involvement.
These decisions often involve profiling of people, although they do not have to. In an employment context, you might use profiling to analyse or predict aspects of a worker’s performance.
Article 22 of the UK GDPR stops you from making solely automated decisions, including those based on profiling, that have a legal or similarly significant effect on people. Where you want to use special category data, the restrictions are stronger. This means you must not use your workers’ health information in any automated decision-making systems, unless:
- you have the worker’s explicit consent; or
- the processing is necessary for reasons of substantial public interest.
If you can meet one of these, there are additional requirements you must satisfy. These include allowing workers to request human intervention or to challenge a decision. As this kind of processing is considered high-risk in terms of the potential impacts on people, you must carry out a data protection impact assessment (see 'Do we need to do a data protection impact assessment?' below).
If Article 22 does not apply, for example because there is meaningful human involvement, then you can continue to carry out profiling and automated decision-making. However, you must still comply with the data protection principles and identify and record your lawful basis and special category condition for the processing of health information.
You must have processes in place so workers can exercise their rights.
People have a right to object to profiling in certain circumstances. You must bring details of this right specifically to the attention of your workers.
Further reading
We have produced separate guidance on artificial intelligence and data protection, which includes a section on the application of Article 22 where automated decision making involves the use of artificial intelligence.
See also:
Do we need to do a data protection impact assessment?
A data protection impact assessment (DPIA) is a process to help you identify and minimise data protection risks. An effective DPIA allows you to identify and fix problems at an early stage, bringing broader benefits for both workers and your organisation.
Under data protection law you must do a DPIA before you begin any type of processing that is “likely to result in a high risk”. This includes some specified types of processing. There are also other circumstances where you must do a DPIA, and in some cases you must consult the ICO before you can begin processing.
You should carry out a DPIA given the sensitive and potentially intrusive nature of processing workers’ health information. As noted above, it may be a requirement depending on the processing you want to do. A DPIA also provides you with the opportunity to involve your workers before you start any new processing of their health information.
Throughout this guidance, we highlight issues we recommend you should consider as part of your DPIA. Where a DPIA isn’t required, a risk assessment is still a useful tool to help you identify any potential issues with your proposed use of health information.
Further reading
For a general overview, read our separate guidance on data protection impact assessments.
For further information, read our detailed DPIA guidance.
The following sections may also be particularly useful:
- When do we need to do a DPIA?
- What does the ICO consider likely to result in high risk?
- Do we need to consult the ICO?
We have also produced a DPIA template that you can use.
Who is responsible for data protection and health information in our organisation?
Accountability is one of the key principles in data protection law. The accountability principle means that you must take responsibility for what you do with health information and how you comply with the other principles.
You must have appropriate measures and records in place to demonstrate your compliance with your data protection obligations. This doesn’t just include compliance with the principles (as explained in the preceding sections). It also includes your other obligations, such as:
- taking a ‘data protection by design and default’ approach;
- documenting your processing activities; and
- carrying out data protection impact assessments (DPIAs) for uses of health information that are likely to result in high risk.
You should identify who within your organisation has responsibility to authorise or carry out the collection of information about your workers’ health. You should ensure they are aware of your organisation’s policies and procedures.
You should also ensure they are made aware of data protection law. If they lack proper authority and necessary training, this could lead to a risk of non-compliance, for example when deciding to collect health information or when introducing medical testing. It is also important to consider any obligations under other laws, such as employment law and health and safety legislation.
Further reading
For more information, see our separate guidance on:
- Accountability principle
- Accountability and governance
- Data protection by design and default
- Documentation
- Data protection impact assessments
We have also produced the accountability framework, which can help any organisation, whether small or large, with their obligations. You may wish to use the framework to help you assess your organisation’s accountability.
Ultimately, your organisation, as the controller, has responsibility for data protection compliance. If you use any processors that are processing health information on your behalf, you must ensure you have a written contract in place with them.
Further reading
See our separate guidance on controllers and processors and also on contracts for more information.
If you have a data protection officer, you must involve them in any decisions about your processing of health information.
Further reading
You also must be aware of the data protection rights workers have when you are processing their health information.
Further reading
For more information, read our separate guidance on individual rights.
Checklist: Data protection and workers’ health information
☐ We have checked the processing of health information is necessary for the purpose we have identified and are satisfied there is no other reasonable and less intrusive way to achieve that purpose.
☐ We have identified a lawful basis for processing the health information.
☐ We have identified a special category condition for processing the health information.
☐ We avoid overly relying on consent when processing workers’ health information unless we can demonstrate it is genuine and freely given
☐ We have documented what health information we are processing.
☐ Where required, we have an appropriate policy document in place.
☐ We have considered whether we need to do a data protection impact assessment.
☐ We ensure we only collect and use health information that is adequate, relevant and necessary and do not hold more than we need for the purpose.
☐ We included specific information about our processing of health information in our privacy information for workers.
☐ We have considered our retention policy on health information and keep the health information of workers only for as long as necessary.
☐ We ensure we keep the health information of our workers accurate, and where necessary, up to date.
☐ We put in place appropriate security measures to protection the health information of our workers.
☐ If we use health information of workers for automated decision making (including profiling), we have checked we comply with Article 22.
☐ We have considered how the use of the health information of our workers affects our other obligations such as accountability, data protection by design and default, and appointing Data Protection Officers (DPOs).
☐ We understand our obligations when workers exercise their data protection rights.