The Information Commissioner's Office (ICO) has published its draft guidance on information about workers' health as a part of its project to update the Employment Practices Data Protection Code.


This is the second topic-specific draft guidance for consultation, the first being on monitoring employees at work (our article on which can be found here).

While the ICO's guidance does not impose any new legal obligations, the Guidance is intended to help organisations understand their responsibilities by creating an accessible and easy-to-understand guide. Employers often process a lot of their workers' health information, which the ICO considers to be some of the most sensitive personal information. It is therefore vital for employers to know how to handle this sensitive information.

The Draft Guidance

For the most part the guidance reaffirms the current position on processing workers' health data, including sections on:

  • sickness, injury and absence records (and which should be preferred);
    occupational health schemes;
  • medical examinations and testing;
  • genetic testing; and
  • health monitoring.

The ICO considers the various circumstances where health information might be obtained, how employers can limit the amount of information collected and who has access it, who employers can share this information with and how it should be securely stored.

Key Themes
  • The lawful basis for processing such health data - The ICO warns that it may be difficult for employers to rely upon consent to process health data about workers because of the power imbalance that exists between employers and workers. If workers have no genuine choice over how employers use their information, then consent cannot be relied on as a lawful basis for processing.  However, data protection laws allow for employers to process health data where they are required to do so by statutory employment law requirements – so in most instances, consent is not required.
  • Data minimisation - Employers should be thinking carefully about how much health information they actually need to collect, as this is likely to vary between job roles. The ICO explains that it would be legitimate to collect more detailed health information from those working in hazardous environments, workers whose jobs require high level of physical fitness, or those dealing with clinically vulnerable individuals.
  • Data sharing – The ICO recommends that employers should adopt a "need to know" policy to ensure the health information is only shared with and accessible to those who actually need to access it.
  • Security – High levels of security should apply to health data, which may require it to be kept separately from general employee records.
Data Protection Impact Assessments

It also provides guidance on data protection impact assessments (DPIAs), pointing out that given the sensitive and potentially intrusive nature of processing workers' health information it may, in some instances, be a requirement (rather than just good practice) to carry out a DPIA prior to processing any of the information. This will be in instances where the employer intends to process health data that is likely to pose a high risk to workers, such as when conducting medical tests. The guidance on medical testing largely confirms the established position but serves as a useful reminder to employers of the instances where it may or may not be considered necessary and justified to test workers.

Employment Obligations

The document reminds employers that they should also be aware of their obligations under employment law, health and safety law and other legislation, as well as any applicable industry standards. For example, employers may need to process sickness records to comply with their duty to make reasonable adjustments for workers with disabilities or to ensure employees are not unfairly dismissed for capability reasons.

If a worker on long-term sickness absence is apprehensive about providing health information to an employer, an employer seeking to commission a medical report could consider limiting the information requested to information solely on the worker’s fitness for continued employment in their role. In line with the data minimisation principle, the report could provide an assessment of whether or not the worker is fit to return to employment, whether they should be redeployed, or whether adjustments need to be made to the workplace to accommodate their condition. This avoids having to disclose further sensitive medical details of the worker’s condition which are not required by the employer.

What should employers do?

This is still only draft guidance, but organisations who would like to contribute to the consultation should do so before the closing date of 26 January and we would be happy to help, so please do get in touch if you would like our support or for more information.  
Prior to the outcome of the consultation, employers may want to take the opportunity to:

  • Consider the potential impact the new draft guidance will have on their business; and
  • Review current practices of processing employee health information and consider if any improvements can be made to ensure their approach to collecting and processing health-related data continues to be appropriate.

Contributors Jo McLean and Hannah Magrath

Key contacts

Meet the team
Jo McLean

Jo McLean

Managing Associate, Commercial Services and Data
Edinburgh, UK

View profile
Richard Yeomans

Richard Yeomans

Partner, Employment
London, UK

View profile