Oct 302023

ICO Publishes Guidance on Handling Worker Health Data

William RM Long, Denise Kara and Mhairi Cameron
, , ,

On 31 August 2023, the UK Information Commissioner’s Office (ICO) published guidance on the handling of worker health data for employers (ICO Guidance). The ICO Guidance aims to provide tips and good practice advice about how to comply with applicable data protection legislation such as the UK GDPR when collecting and processing worker health data. Helpfully, the ICO Guidance also contains various checklists to help employers assess data protection considerations when processing worker health data.

Set out below are the key takeaways from the ICO Guidance:

  • UK GDPR principles: The ICO Guidance reminds organisations to ensure personal data, including health data, are processed in accordance with the UK GDPR principles (e.g., the principles of: (a) lawfulness, fairness, and transparency; (b) purpose limitation; (c) data minimisation; (d) accuracy; (e) storage limitation; (f) integrity and confidentiality; and (g) accountability).
  • Transparency principle: According to the ICO Guidance, health data, which is defined as personal data related to the physical or mental health of a natural person, is among the most sensitive personal data an employer will process about its workers. The ICO Guidance reiterates that the collection of information about workers’ health is “intrusive”, and is “highly intrusive” if the information is sensitive. Where employers want to collect and use information regarding their workers’ health, the ICO has emphasized that the employer must be clear about why they are doing so and have justified reasons for collecting such data.
  • Lawfulness principle: Organisations must be clear about the purposes and the applicable legal basis for processing health data under Article 6 (e.g., for compliance with a legal obligation) and, separately, under Article 9 (e.g., for compliance with a legal obligation under employment and health and safety law) of the UK GDPR and make such information available to workers.

Relatedly, the ICO Guidance reiterates the issues regarding relying on consent as a legal basis for processing in an employment context. The UK GDPR sets a high standard for consent, requiring a genuine choice over how personal data are used. Consent must be unambiguous and involve a clear affirmative action (i.e., using an opt-in). Individuals must also be provided with the ability to easily withdraw their consent. Generally, it is difficult for organisations to rely on consent to process health data about its workers due to the imbalance of power between worker and employer. If the worker has no genuine choice over how their data is used, the provision of any consent would be deemed to be invalid and could not be relied upon in accordance with the UK GDPR.

  • Broader employment law obligations: The ICO Guidance reminds organisations to be aware of their obligations under employment law, health and safety law, and other legislation, as well as any applicable employment standards and the interplay between these laws and standards and their data protection obligations.
  • Carrying out data protection impact assessments (DPIA): The ICO Guidance reaffirms the importance of carrying out a DPIA prior to any collection or processing of health data, particularly where any processing of health data is likely to pose a “high risk” to workers (e.g., conducting medical testing, and processing genetic data).
  • Automated decision-making in the workplace: The ICO has clarified that organisations must not use workers’ health data in any automated decision-making unless the worker’s explicit consent has been obtained (bearing in mind the difficulties in obtaining valid GDPR-standard consent in an employment context, as discussed above), or the processing is necessary for reasons of substantial public interest. Workers have the ability to request human intervention or to challenge a decision produced by automated decision-making technology. As this kind of processing is considered high risk in terms of potential impacts on people, a DPIA must be carried out prior to any processing, particularly where any automated decision-making involves the use of artificial intelligence.
  • Importance of security: The ICO Guidance reminds organisations to ensure that they have in place a high level of technical and organisational security measures to keep workers’ health data secure. Organisations should also consider who in the organisation has access to workers’ health data and ensure that access to health data is restricted as appropriate on a need-to-know basis.
  • Sharing health data in an emergency: The ICO Guidance states that it is permitted to share worker’s heath data in an emergency, including for the purposes of preventing loss of life or serious physical, emotional or mental harm. Where possible, employers should consider how this information will be shared securely, and the ICO considers carrying out a DPIA to be the best way to do this.
  • Use of health tracking technologies: To the extent employers want to monitor the health of workers through the use of health tracking technologies, such as health and fitness tracking apps and wearables, the ICO recommends that organisations must be able to justify this as a proportionate and necessary measure to achieve a particular purpose. Organisations need to consider whether there is a less privacy intrusive way to do this and carry out a DPIA prior to any processing.
  • Avoid genetic testing in the workplace: The ICO warns against genetic testing to predict the future health of workers or obtain information about genetic susceptibility to occupational diseases in an employment context. In addition, workers should not be required to disclose the results of a previous genetic test. The ICO is clear that organisations may only ask workers to voluntarily provide information from their genetic test but only if the information is relevant to health and safety or for any other legal duty.

This post is as of the posting date stated above. Sidley Austin LLP assumes no duty to update this post or post about any subsequent developments having a bearing on this post.

William RM Long

London

wlong@sidley.com

Denise Kara

London

dkara@sidley.com

Mhairi Cameron

Trainee Solicitor

mcameron@sidley.com

You might also like
EU Formally Adopts Cyber Law for Connected Products

On 12 March 2024, the European Parliament approved the EU Cyber Resilience Act (“CRA”) with a large majority of 517-12 votes in favor of the legislation (with 78 abstentions). The CRA aims to ensure that “products with digital elements” (“PDE”) i.e., connected products such as smart devices, and remote data processing solutions, are resilient against cyber threats and provide key information in relation to their security properties.

Chambers 2024 Global Practice Guides for Data Protection & Privacy and Cybersecurity
The newest editions of the Chambers Global Practice Guides have been published and, once again, Sidley lawyers have contributed to two guides: Data Protection & Privacy 2024 and Cybersecurity 2024. These publications cover important developments across the globe and offer insightful legal commentary for businesses on issues related to data privacy and cybersecurity, such as regulatory enforcement and litigation, global cooperation to combat cybercrime, international agreement on ‘Software Security by Design,’ a global approach to policy on artificial intelligence, and more. Sidley partner Alan Charles Raul is a contributing editor to both guides in addition to authoring the introductions. The UK chapters of Cybersecurity 2024, covering “UK Law and Practice” and “UK Trends and Development” were authored by Sidley lawyers William Long, Francesca Blythe, Denise Kara, and Eleanor Dodding.
EU Formally Adopts World’s First AI Law

On March 13, 2024, the European Parliament formally adopted the EU Artificial Intelligence Act (“AI Act”) with a large majority of 523-46 votes in favor of the legislation. The AI Act is the world’s first horizontal and standalone law governing AI, and a landmark piece of legislation for the EU.