ICO Guidance on Processing Workers’ Health Data

On 31st August 2023, the UK Information Commissioner’s Office (ICO) published guidance for employers on handling their workers’ health data, in accordance with their obligations under the UK GDPR and the Data Protection Act 2018.

The ICO has also included various checklists providing an overview of what employers need to consider when they want to collect and use their workers’ health information. Some of the main takeaways from the ICO guidance are:

* Health information is special category data; it therefore requires a higher level of protection and a lawful basis under Article 6 UK GDPR to be lawfully processed. In addition, a special category condition for processing under Article 9 UK GDPR is required, along with, possibly, a condition in Schedule 1 DPA 2018.

* It is important to carry out Data Protection Impact Assessments (DPIAs) before collecting or processing health data, particularly when the processing is “likely to result in a high risk” to workers.

* If using automated decision-making, organisations must not use their workers’ health information unless they have obtained the workers’ explicit consent or the processing is necessary for reasons of substantial public interest, in order to comply with Article 22 UK GDPR.

* In an emergency, employers can share workers’ health data. In exceptional circumstances, an organisation may be able to rely on the vital interests lawful basis to process a worker’s health data to protect their life, or the life of another person. Vital interests can only be relied on as a lawful basis for processing health data if the worker is not capable of giving consent. For this reason, this generally only applies if it is a life-or-death situation.

CREDIT: REC
https://www.rec.uk.com/our-view/insights/legal-news-and-views/legal-hot-topics-2-november-2023