ICO guidance: handling worker health data

The Information Commissioner’s Office (ICO) has published guidance on the handling of worker health data with the aim of providing advice and examples of good practice.

The guidance has two main parts. The first looks at how the processing of workers’ health information applies to data protection law, it looks at the principles and the basics for compliance. The second part considers workplace common practice, when processing worker health information and details good practice advice and the legal requirements.

Key takeaways

  • The ICO’s definition of “monitoring workers” is any form of data collection/supervision that takes place on an individual undertaking work for an organisation.
  • Data protection law does not prevent employers from monitoring workers but it must be in a legally complaint way.
  • When deciding whether to monitor a worker, it’s important to balance the interests of the organisation with a workers’ legitimate expectation of privacy and their rights under data protection law.
  • Transparency: a worker must be informed about any monitoring, including the nature, extent, and the reasons why. The only exception is for covert monitoring which is allowed in very rare circumstances.
  • Only relevant information should be collected and a worker should be made aware as to why it is relevant.
  • Clear communication: when informing a worker about monitoring it needs to be clear and accessible. It’s important to explain any relevant policies and any recent updates.
  • Data protection impact assessment: mandatory for any monitoring of a worker or collection of data to ensure any risks are noted and managed. These assessments are crucial when processing any high-risk data.
  • Organisations must not use automated decision-making programs to process worker health data unless they have explicit consent, or it is necessary due to a substantial public interest.
  • The need to keep worker data secure, and to ensure that employers have a high level of organisational and technical security.
  • Workers should be made aware that they can make a subject access request to gain access to any personal information gathered through monitoring.

The guidance states that monitoring workers legally can only be carried out under six lawful bases: consent; contract; legal obligation; vital interests; public tasks; and legitimate interests.

The ICO are producing an online resource with topic-specific guidance on employment practices and data protection.

Contact our employment law team

Visit our employment law page to learn more about how we can help you with your business needs and to contact the team.