ICO Publishes Guidance on Handling Worker Health Data
On 31 August 2023, the UK Information Commissioner’s Office (ICO) published guidance on the handling of worker health data for employers (ICO Guidance). The ICO Guidance aims to provide tips and good practice advice about how to comply with applicable data protection legislation such as the UK GDPR when collecting and processing worker health data. Helpfully, the ICO Guidance also contains various checklists to help employers assess data protection considerations when processing worker health data.
Set out below are the key takeaways from the ICO Guidance:
- UK GDPR principles: The ICO Guidance reminds organisations to ensure personal data, including health data, are processed in accordance with the UK GDPR principles (e.g., the principles of: (a) lawfulness, fairness, and transparency; (b) purpose limitation; (c) data minimisation; (d) accuracy; (e) storage limitation; (f) integrity and confidentiality; and (g) accountability).
- Transparency principle: According to the ICO Guidance, health data, which is defined as personal data related to the physical or mental health of a natural person, is among the most sensitive personal data an employer will process about its workers. The ICO Guidance reiterates that the collection of information about workers’ health is “intrusive”, and is “highly intrusive” if the information is sensitive. Where employers want to collect and use information regarding their workers’ health, the ICO has emphasized that the employer must be clear about why they are doing so and have justified reasons for collecting such data.
- Lawfulness principle: Organisations must be clear about the purposes and the applicable legal basis for processing health data under Article 6 (e.g., for compliance with a legal obligation) and, separately, under Article 9 (e.g., for compliance with a legal obligation under employment and health and safety law) of the UK GDPR and make such information available to workers.
Relatedly, the ICO Guidance reiterates the issues regarding relying on consent as a legal basis for processing in an employment context. The UK GDPR sets a high standard for consent, requiring a genuine choice over how personal data are used. Consent must be unambiguous and involve a clear affirmative action (i.e., using an opt-in). Individuals must also be provided with the ability to easily withdraw their consent. Generally, it is difficult for organisations to rely on consent to process health data about its workers due to the imbalance of power between worker and employer. If the worker has no genuine choice over how their data is used, the provision of any consent would be deemed to be invalid and could not be relied upon in accordance with the UK GDPR.
- Broader employment law obligations: The ICO Guidance reminds organisations to be aware of their obligations under employment law, health and safety law, and other legislation, as well as any applicable employment standards and the interplay between these laws and standards and their data protection obligations.
- Carrying out data protection impact assessments (DPIA): The ICO Guidance reaffirms the importance of carrying out a DPIA prior to any collection or processing of health data, particularly where any processing of health data is likely to pose a “high risk” to workers (e.g., conducting medical testing, and processing genetic data).
- Automated decision-making in the workplace: The ICO has clarified that organisations must not use workers’ health data in any automated decision-making unless the worker’s explicit consent has been obtained (bearing in mind the difficulties in obtaining valid GDPR-standard consent in an employment context, as discussed above), or the processing is necessary for reasons of substantial public interest. Workers have the ability to request human intervention or to challenge a decision produced by automated decision-making technology. As this kind of processing is considered high risk in terms of potential impacts on people, a DPIA must be carried out prior to any processing, particularly where any automated decision-making involves the use of artificial intelligence.
- Importance of security: The ICO Guidance reminds organisations to ensure that they have in place a high level of technical and organisational security measures to keep workers’ health data secure. Organisations should also consider who in the organisation has access to workers’ health data and ensure that access to health data is restricted as appropriate on a need-to-know basis.
- Sharing health data in an emergency: The ICO Guidance states that it is permitted to share worker’s heath data in an emergency, including for the purposes of preventing loss of life or serious physical, emotional or mental harm. Where possible, employers should consider how this information will be shared securely, and the ICO considers carrying out a DPIA to be the best way to do this.
- Use of health tracking technologies: To the extent employers want to monitor the health of workers through the use of health tracking technologies, such as health and fitness tracking apps and wearables, the ICO recommends that organisations must be able to justify this as a proportionate and necessary measure to achieve a particular purpose. Organisations need to consider whether there is a less privacy intrusive way to do this and carry out a DPIA prior to any processing.
- Avoid genetic testing in the workplace: The ICO warns against genetic testing to predict the future health of workers or obtain information about genetic susceptibility to occupational diseases in an employment context. In addition, workers should not be required to disclose the results of a previous genetic test. The ICO is clear that organisations may only ask workers to voluntarily provide information from their genetic test but only if the information is relevant to health and safety or for any other legal duty.
This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.