- Can we share health information of our workers?
- How do we ensure the lawfulness of sharing?
- Can we share a worker’s health information in an emergency?
- Can we disclose information about a worker’s health to other workers?
Sometimes you may need to share health information about your workers. Data protection law does not prevent this, where it is appropriate to do so. This might be, for instance, as part of an occupational health referral, as part of a legal claim, or under some other legal obligation. There may also be urgent or emergency situations in which you need to share information about a worker’s health to help safeguard them.
Whenever you want to share health information of workers you must:
- consider your purpose and ensure that it is reasonable and proportionate;
- treat your workers fairly and not use their health information in ways that would have unjustified adverse effects on them;
- tell workers about why and how you propose to share their health information before or at the time you share if this is not possible; and
- identify at least one lawful basis and a condition for processing before you start sharing any health information.
You should also consider whether your ability to share health information is subject to other legal constraints outside of data protection law. For health information, this may include any duty of confidence that may apply, particularly where workers may expect confidentiality.
Before sharing any health information of a worker, you must identify at least one lawful basis. You must also identify a special category condition for processing. Which lawful basis and condition for processing are appropriate depends on your purpose for sharing the information. In order to comply with the accountability principle you must also show that you considered these before sharing the information.
For more information, please see 'What lawful bases might apply if we want to process workers’ health information?' and 'What special category conditions might apply?'.
For most information sharing, it is better not to rely on consent as the lawful basis, or explicit consent as the special category condition for processing. If you cannot offer a genuine choice, consent is not appropriate. Employers are often in a position of power over workers and therefore it’s best to avoid relying on consent unless they are confident they can demonstrate it is freely given. Please see the section 'Can we rely on a worker’s consent?' for more information.
Depending why you need to share a worker’s health information, other lawful bases such as legitimate interests or legal obligation are more likely to be appropriate. Similarly, the employment, social security and social protection law condition may be more appropriate as a special category condition for processing.
Remember, you must meet your other data protection obligations, including fairness and transparency, to ensure your data sharing is compliant.
See our separate guidance on:
Yes. Data protection law allows organisations to share personal information in an urgent or emergency situation, including to help them prevent loss of life or serious physical, emotional or mental harm. In an emergency you should go ahead and share health information as is necessary and proportionate. Not every urgent situation is an emergency, but an emergency might include where there is the risk of serious harm to human life, such as preventing serious physical harm or loss of life.
A worker is involved in an accident at work that seriously injures them and knocks them unconscious. An ambulance is called and paramedics arrive on the scene. The employer is aware that the worker has an underlying medical condition as part of a recent occupational health review, and informs paramedics about this information to ensure that the worker receives appropriate care and treatment.
You should plan ahead as far as possible for dealing with urgent or emergency situations. Having an emergency plan in place that takes into account information sharing can help prevent any delays in a crisis.
If you are likely to be involved in responding to emergency or critical situations (such as in high risk industries), you should consider in advance whether you may need to share your workers’ health information. This might include information about a worker’s mental health as well as their physical health, depending on the circumstances of the emergency. You must also consider how you will share the information securely. The best way to do this is through a data protection impact assessment (DPIA).
You should factor in the risks involved in not sharing health information, which could be more harmful than sharing the information.
As part of your planning, you should ensure staff have clear guidance and training around their roles and responsibilities, to give them confidence in using and sharing health information appropriately in an emergency situation.
See the Data sharing code of practice and in particular the section Data sharing in an urgent situation or in an emergency.
You should not normally need to disclose a worker’s health information with other workers, beyond those who genuinely need the information to carry out their roles, for example your HR department.
Some job roles and industries may have legal requirements around an employer informing other staff about a worker’s health condition. This is most likely to be for health and safety purposes, for example where there is a high risk of a communicable disease that other workers may have been exposed to, or in areas with strict controls such as in food production. Where possible, you should avoid naming individual workers, but you can still let other people know that they may have been a close contact of a case.
If a worker has freely consented to your disclosing their health information with other workers (perhaps they are on long-term sickness absence and want their colleagues to know the reason why), then it would be acceptable to do so in such circumstances.
Preparing to share workers’ health information
☐ We have considered the purpose for sharing workers’ health information and ensure that it is reasonable and proportionate to do so.
☐ We treat our workers fairly and do not use their health information in ways that would have unjustified adverse effects on them.
☐ We tell workers about why and how we propose to share their health information before or at the time we share it if this is not possible.
☐ We identify at least one lawful basis and a special category condition for processing before we share any health information.
☐ We avoid overly relying on consent to share workers’ health information unless we can demonstrate it is genuine and freely given.
Sharing health information in an emergency
☐ We have considered how we might need to share health information about workers in an emergency and considered developed a plan for doing so.
☐ We have considered what types of health information, how and when, and the risk involved in sharing and not sharing information as part of a data protection impact assessment.
☐ We have considered how we will share the health information securely.
☐ We have provided clear guidance and training to staff on when and how to share health information appropriately in an emergency.
Disclosing a worker’s health information to other workers
☐ We do not disclose a worker’s health information to other workers unless they genuinely need the information to carry out their roles, or where there is a legal requirement to inform other workers for health and safety purposes.
☐ Where possible we avoid naming individual workers where there has been a communicable disease, but still let close contacts know they may have been exposed.