
In detail

What does this section cover?

This section provides advice for employers with occupational health schemes and who use external providers. It does not provide detailed professional guidance to doctors, nurses and others involved in such schemes.

What do we tell workers when using an occupational health scheme?

Remember that workers have a right to be informed how you use their personal information and why. You must make this clear from the outset, as part of your transparency obligations. This includes when you may share their information with external occupational health providers and what information you may get back from them. You can read 'What do we need to tell workers when processing their health information?' for more information on this.

You must clearly set out to workers, preferably in writing, how you intend to use information they supply in the context of an occupational health scheme, who you might make it available to and why. It is particularly important to inform workers of the circumstances, if any, in which their line manager can access the information they supply to a health professional. You must also be transparent about what data protection rights workers have around the use of their information and the reports that are produced.

Unless told otherwise, workers are entitled to assume that information they give to a doctor, nurse or other health professional will be treated in confidence and not passed to others.

Are occupational health providers controllers or processors?

If an occupational health provider is processing personal information in their professional capacity, with their own medical professional obligations, it is likely that they are acting as the controller, rather than as a processor.


Company A contracts the occupational health provision for their workers to Company B. Company B is a professional occupational health provider and their staff comply with their own medical obligations. Company B determines the purposes of the processing of Company A’s workers’ health information. Company B is the controller when processing the information of workers referred to them for their occupational health service.

This also means that the occupational health provider must comply with their data protection obligations as a controller. This includes responding to information rights requests made by workers, such as subject access requests.

It is important to remember you are the controller for any personal information about your workers that you obtain for your own purposes from the occupational health provider.

You must tell your workers who is in control of what health information, and who to direct any information rights requests to.

If you use an occupational health provider regularly, you should consider implementing a data sharing agreement with the provider.

What do we need to do when requesting a worker’s medical file as part of an occupational health referral?

If you need a report from a worker’s GP or any other medical practitioner responsible for their clinical care, then the Access to Medical Reports Act 1988 or the Access to Health Records (Northern Ireland) Order 1993 applies. Although this legislation is not part of data protection law, the information you receive from the report is subject to data protection law.

You should not normally ask workers to consent to the disclosure of their entire medical record or other comprehensive care and treatment records (such as those held by a hospital). This is because you are highly unlikely to need to see their entire record. See also 'How do we limit how much health information we collect?'

How do we ensure we respect workers’ confidential communications with health professionals?

You should not compromise any confidentiality of communications between workers and health professionals in an occupational health service.

If workers are allowed to use work telephones or email accounts for confidential communication with their occupational health service, you should not compromise this confidentiality by monitoring the contents of these communications.

If you set your systems up in such a way that you unintentionally pick up a confidential conversation or other communication, you should delete information about that conversation or communication at the earliest opportunity. You should not keep any record of it.

You may find it beneficial to ask your workers to mark private communications, such as emails sent via work systems, appropriately so that you can avoid reading confidential messages. For example, you could ask your workers to mark them ‘non-work’ or ‘private’.
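The two points above (exclude marked or occupational-health messages from monitoring before their content is read, and delete anything picked up unintentionally without keeping a record of it) can be enforced in a monitoring pipeline rather than left to whoever reads the logs. The following is an added illustration, not ICO code or a description of any particular product. The marker words ‘private’ and ‘non-work’ come from the guidance; the subject-line placement, the `oh-provider.example` domain and the sample messages are constructed assumptions.

```python
"""Keep confidential occupational-health messages out of workplace monitoring.

Added example (not ICO code). Assumes workers mark private messages in the
subject line and that the external provider uses a known domain.
"""
from dataclasses import dataclass

# Markers workers are asked to add to private messages (from the guidance).
# Matching is deliberately loose: over-excluding is the safe direction.
PRIVATE_MARKERS = ("private", "non-work")

# Placeholder domain for the external occupational health provider (assumption).
OH_PROVIDER_DOMAINS = ("oh-provider.example",)


@dataclass
class Message:
    sender: str
    recipients: list[str]
    subject: str
    body: str


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    return address.lower().rsplit("@", 1)[-1]


def is_confidential(msg: Message) -> bool:
    """True if monitoring must neither read nor retain this message.

    Only envelope data (subject line and addresses) is examined; the body is
    never inspected to make this decision.
    """
    subject = msg.subject.lower()
    if any(marker in subject for marker in PRIVATE_MARKERS):
        return True
    parties = [msg.sender, *msg.recipients]
    return any(_domain(addr) in OH_PROVIDER_DOMAINS for addr in parties)


def monitor(messages: list[Message]) -> list[Message]:
    """Return only the messages monitoring is permitted to inspect and retain.

    Confidential messages are dropped before any content inspection happens.
    """
    return [m for m in messages if not is_confidential(m)]


def purge_confidential(archive: list[Message]) -> list[Message]:
    """Remove confidential messages that were captured unintentionally.

    Nothing about the removed messages is returned or logged, so no record of
    the conversation survives the purge.
    """
    return [m for m in archive if not is_confidential(m)]


# Constructed sample traffic: one ordinary work email, one message to the
# occupational health provider, and one marked 'private' by the worker.
SAMPLE_MESSAGES = [
    Message("alice@corp.example", ["bob@corp.example"], "Q3 report", "Draft attached."),
    Message("alice@corp.example", ["nurse@oh-provider.example"], "Appointment", "Can we move it?"),
    Message("alice@corp.example", ["hr@corp.example"], "[Private] sick note", "See attached."),
]

if __name__ == "__main__":
    for m in monitor(SAMPLE_MESSAGES):
        print("retained:", m.subject)
```

Running the block prints only `retained: Q3 report`; the message to the provider and the one marked ‘private’ never reach the retained set. Applying `purge_confidential` to an archive that already contains such messages removes them without reporting which ones were dropped.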

How do we limit who has access to medical information about workers?

You should only make medical details about workers available to managers where necessary to allow them to discharge their management responsibilities. You should keep this type of access to a minimum. As far as possible, an occupational health advisor should hold the medical information about a worker and only tell the worker’s manager the results of the health assessment. For example, they can explain whether or not there’s a legitimate reason for a worker’s absence from work.

Depending on the nature of your organisation, your HR department may well be involved in the process of referring a worker to an occupational health provider. They might need some access to that worker’s health information, particularly if the worker needs changes to their workplace as a result. The key point is that you should ensure that only the information those involved genuinely need to carry out their roles effectively is made available to them.

Remember that the sharing of medical information given by a worker to an occupational health practitioner or other health professional is restricted not just by data protection law, but also by a duty of confidence. Generally, you need to obtain explicit consent for the release of such information to non-medical staff.

Consider whether you need to comply with any guidance from relevant professional bodies and regulators, such as the General Medical Council (GMC) or Health and Care Professions Council.


We tell our workers how we intend to use information they provide as part of an occupational health scheme and the reports produced as a result. We also tell them who it might be made available to and why.

We tell workers what data protection rights they have around the use of their information.

We consider implementing a data sharing agreement with the occupational health provider, setting out under what terms information will be shared.

We ensure that when requesting a worker’s medical file as part of an occupational health referral, we handle any information received in accordance with data protection law.

We don’t ask workers to consent to the disclosure of their entire medical record, unless this is absolutely necessary.

We avoid compromising any confidential communications between workers and health professionals in an occupational health service.

You can also view and print off this checklist and all the checklists of this guidance on our checklists page.