Why you shouldn’t be doing new starter medical questionnaires

At the end of August 2023 the ICO introduced some new guidance to help employers understand their data protection obligations under the UK GDPR and DPA 2018, when handling the health information of the people who work for them. You can find this guidance here.

This is an important read for the HR department and data protection officer of any organisation in the UK, as it provides clear guidance and structure.

The guidance recognises that in some instances, collecting health information is required as part of someone’s employment. However, it also recognises that this is intrusive, so collection should be limited to the minimum information required, and only when it is required, and an employer should respect an employee’s privacy when handling their health information.

Here are some of the key features of the ICO guidance in relation to handling employee health information:

  • You should consider how you will use the information, and why you need the information
  • You should be clear and transparent about why you are handling the health information
  • You must record your purposes for handling this information as part of your documentation
  • You should not handle more information than is required, and should not request information just in case it could be useful in the future
  • There should be a lawful basis for handling this information
  • The information must be kept confidentially and securely
  • The information must be accurate wherever possible
  • It should not be kept for longer than you need it, and you should have a retention policy
  • You should leave it to medical professionals to access and interpret detailed medical information, for example when making decisions about fitness for work

It is this final point that is commonly ignored, and subsequently dealt with ineffectively by employers.

The ICO guidance attempts to capture the essence of the relevant data protection law, by ensuring that employers are acting reasonably and responsibly when it comes to health information. Part of this involves ensuring that you aren’t collecting intrusive medical information with a view to making clinical judgements yourself, as this falls within the remit of your occupational health service.

One example the ICO provides concerns health questionnaires used to ensure workers are medically fit to work in their job role. It states the following: “It is good practice for health professionals to design health questionnaires. This also means the questionnaires should be interpreted by those who are qualified to draw meaningful conclusions from the information supplied by the worker.”

So if part of your recruitment process involves fitness for work checks, do not use your own health questionnaires to make these decisions. You must use an occupational health provider such as Smart Clinic, which operates a service called pre-placement screening. The employee completes an assessment directly with the occupational health provider, so that confidential medical information is not revealed to their new employer, and so that any clinical decisions and advice can be made by a suitably qualified professional.

Similarly, if you have a situation with an employee where their work is potentially impacting upon their health, or their health is potentially impacting upon their work, be careful not to explore this too deeply yourself, as you’re in danger of collecting unnecessary medical information, and then inadvertently making decisions on an employee’s ability as a result.

If you would like more advice or would like to begin using Smart Clinic for your occupational health service, please contact us today and our client team will be delighted to get you set up.