The ICO has published detailed guidance which explains an employer’s data protection obligations when they process health data concerning their workers.
Health data is categorised as special category personal data and is granted enhanced protection under the UK GDPR.
The first part of the guidance explains how the UK GDPR and the Data Protection Act 2018 (DPA 2018) apply to the employer and guides them through the essentials of:
- Complying with the stricter statutory requirements for processing special category data.
- Providing employees with information about the employer’s processing of their data.
- Performing a data protection impact assessment before processing any health data.
- Data minimisation and security.
The second part focuses on how data protection law applies to specific workplace scenarios, such as managing sickness absence records and occupational health schemes, conducting drug and alcohol testing, and how to approach sharing employee health data. The guidance sets out useful examples to show how employers can comply with their obligations.
The ICO sets out the legal obligations of employers, together with the recommended good practice it expects employers to adopt in order to demonstrate compliance with those legal requirements.
There is also a handy set of checklists to give employers a quick overview of the data protection considerations that should apply whenever they need to process workers’ health information.
The guidance can be found here: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/employment-information/information-about-workers-health/