what is health data?
the dpa defines health data as ‘data concerning health’, which means ‘personal data relating to the physical or mental health of an individual… which reveal information about their health status’. health data can be about someone’s past, current, or future health status and covers information about medical conditions, medical tests, medical treatments, and any other information about an individual’s health.
as a result, health data encompasses a wide range of personal data, including:
-
information about someone’s physical health and physical health conditions (eg diabetes, epilepsy, menopause, or high blood pressure)
-
information about someone’s mental health and mental health conditions (eg depression, anxiety, adhd, or ocd)
-
information relating to maternity and children
-
medical examination data, medical test results, diagnoses, and treatments
-
information about injuries, diseases, disabilities or risks of diseases
-
information about someone’s medical history
-
identifiers assigned to individuals to identify them for health purposes (eg nhs numbers), if these are combined with information revealing something about the individual’s health
for more information on health data, see the information commissioner’s office’s (ico’s) guidance on health data.
how is health data relevant for employers?
employers process staff members’ personal data for various reasons simply by acting as an employer. however, health data is often some of the most sensitive personal data that employers process about their staff members.
there are various circumstances in which employers may need to process health data. for example, when handling:
-
information relating to staff sickness, including records of sickness absence forms (eg self-certification forms)
-
information about disabilities collected to facilitate making reasonable adjustments
-
eye-test results for staff members who have been using display screen equipment (dse)
-
results of workplace alcohol or drug tests
-
records of vaccination statuses (especially if certain vaccinations are encouraged under a vaccination policy)
-
questionnaires completed by staff members to help detect problems with their health
-
information about allergies to help determine what reasonable adjustments can be made regarding service animals
-
records relating to staff members’ pregnancies and maternity entitlements
-
records of medical tests (eg blood tests) carried out to ensure staff members have not been exposed to hazardous substances
-
the results of any fitness for work assessments carried out to determine whether staff members are fit to return to work after a period of sickness
the gdpr and dpa set out stringent rules on the processing of personal data. this is particularly important when the information in question is special category sensitive data, like information about staff members’ health.
when can employers process health data?
under the gdpr and dpa, health data can only be processed if the employer has a lawful basis for doing so. as health data is awarded greater protection than other forms of personal data, a special category condition for processing must also be established. the lawful basis and special category condition for processing must both be determined and clearly recorded before an employer processes staff members’ personal data.
lawful bases for the processing of health data
while the law sets out 6 potential lawful bases for processing personal data, the ones that are most likely applicable to the processing of health data include:
-
performance of a contract - for example, if processing is necessary for the performance of a contract formed between the employer and a staff member or because the staff member has asked the employer to take specific steps before entering into a contract. employers will often rely on this basis for processing where they need to process a staff member’s health data to fulfil obligations under an employment contract
-
legal obligation - this is where the employer needs to process staff members’ health data to comply with an obligation imposed on them by the law. for example, employers must process information about sickness absences to comply with their obligations around statutory sick pay
-
legitimate interests - this is where the processing is necessary for the employer’s legitimate interests or the legitimate interests of a third party. a legitimate interests assessment (lia) will need to be carried out to determine where such legitimate interests exist. for example, an employer may have a legitimate interest in processing health data when recruiting for a role where fitness is integral to the performance of the role and the job offer is conditional on a candidate passing a medical examination
-
vital interests - this is where the processing is necessary to protect the vital interests of the staff member or another person. vital interest usually applies to matters of life and death. for example, an employer may need to disclose a staff member’s health data in the event of a medical emergency if the staff member’s life is at risk
for more detailed information on these lawful bases, read processing personal data.
special category conditions for processing for health data
due to the sensitive nature of health data, it is insufficient for an employer to have only a lawful basis for processing this data. employers must also identify a special category condition for processing. while there are 10 potential special category conditions for processing, the ones that are most likely applicable include:
-
employment, social security, and social protection law - this can be relied on where the processing is essential for enabling the employer to fulfil their duties and exercise certain rights under employment, social security, and social protection laws. this may be particularly relevant for employers when they are ensuring staff members’ health and safety or maintaining statutory sick pay and maternity pay records
-
legal claims or judicial acts - this can be relied on where the processing of health data is necessary to establish, exercise, or defend legal claims. for example, where a former staff member is bringing a legal claim against the employer over an incident that affected their health (eg a workplace injury)
-
substantial public interest - this can be relied on where the processing of health data is necessary for one of the substantial public interest conditions, which are set out in uk law. for example, an employer may process staff health data under the substantial public interest condition of statutory and government purposes when monitoring and managing workplace hazards
-
vital interests - this can be relied on where the processing of health data is necessary to protect the vital interests of the staff member or another person where the staff member is physically or legally incapable of giving consent. for example, in a medical emergency where the employer needs to disclose a staff member’s medical data (eg allergies) while they are unresponsive
for more information on the special category conditions for processing, read compliance for dpias. note that an appropriate policy document (apd) must be completed before relying on some of these conditions. for more information on apds, read appropriate policy documents.
what other data protection obligations apply to health data?
in addition to establishing a clear basis and special category condition for processing staff members' health data, employers must comply with all other data protection obligations.
data protection laws require employers to be fair and transparent in their health data processing. this means that employers must:
-
have a clear and justifiable reason for collecting staff members’ health data before processing any data
-
clearly explain why they are collecting the health data (eg to make reasonable adjustments for disabilities, facilitate equal access and equal opportunities, or ensure staff health and safety)
-
process health data in ways that staff members would reasonably expect
-
not use health data in ways that have unjustified adverse effects on staff members
employers must also ensure that the health data they collect is proportionate. due to the sensitive nature of health data, collecting this data may be (highly) intrusive. while staff members can expect to disclose some information about their health to their employer (eg regarding their sickness absences or medical history), employers must only collect and process the necessary information. to determine what is proportionate, employers should consider what data they need and why. generally speaking, employers should collect as little health information about as few staff members as possible.
for more information on data protection obligations in general, read data protection, data protection principles, and complying with the gdpr.
what should employers tell staff members when processing their health data?
as part of their transparency obligation, employers must be clear, open and honest with staff members about their health data processing. employers must inform staff members about:
-
which health data they collect
-
why they collect this health data
-
who will have access to their health data and in what circumstances
specific information about health data processing must be provided to staff members. this information must be easily accessible and easy to understand (ie communicated using clear and plain language). how this information is best provided depends on the nature of the employer’s organisation and its needs. for example, the best method could be:
-
in a privacy notice (eg an employee privacy notice or consultant privacy notice)
-
in the employer’s data protection and data security policy
-
in the employer’s staff handbook
-
through other written communications with staff members (eg letters or emails)
-
by posting notices on communal notice boards
how long can employers keep staff members’ health data for?
employers must only keep health data for as long as needed (known as a ‘data retention period’). as a result, employers must carefully consider how long they need their current staff members’ health data for and how long they need their former staff members' health data for. a justification for these data retention periods needs to be provided.
it’s crucial that employers regularly review the health data they store and either delete or anonymise it when it is no longer needed. employers should also make sure to record their retention and review periods in a data retention policy.
for more information, read data retention and document destruction.
how should staff members’ health data be stored?
employers must keep personal data safe and secure. due to the sensitive nature of health data, employers must have a high level of security (ie information about staff members’ health must be kept particularly secure). exactly what this means for a given employer depends on the nature of the employer’s organisation. for example, it may be appropriate to store health data on a separate database or system or to have separate access controls for health data (eg only granting access to those who need to see the health data, such as hr managers).
for more information, read data protection principles.
do employers need to conduct data protection impact assessments when processing staff members’ health data?
a data protection impact assessment (dpia) is a process that helps organisations identify and minimise data protection risks. a dpia must be carried out whenever the processing of personal data is likely to result in a high risk to the rights and freedoms of individuals. there are also certain additional situations in which a dpia must always be carried out. even when a dpia isn’t mandatory, employers should consider carrying out a dpia before processing health data due to the sensitive nature of health data. for more information, read data protection impact assessments.
for more information on processing health data in the workplace, see the ico’s guidance on data protection and workers’ health information. for more general information on data protection in the workplace, read data protection and employees.
do not hesitate to ask a lawyer if you have any questions or concerns about your data protection obligations. consider using our gdpr compliance service to ensure your business complies with all applicable data protection laws.