Data protection and employment practice (6)
The Employment Practices Data Protection Code - Part 4: Information about Workers' Health - sets out good practice when processing employees' medical information, thereby enabling organisations to meet the requirements of the Data Protection Act 1998.
This is the final part of our series of guidance notes on data protection and employment practice (see box below for details of the first five guidance notes in this series). It is concerned with the final part of the Employment Practices Data Protection Code - Part 4: Information about Workers' Health [1], which the Information Commissioner published on 13 December 2004.
Part 4 of the Code provides guidance for employers on the proper way to process information about workers' health to ensure compliance with the Data Protection Act 1998 ("the DPA"), and in accordance with good practice. The term "processing" (see below) encompasses every use to which information can be put. In Part 4 of the Code, the term certainly includes the obtaining and collecting, and the handling and subsequent use of, information about a worker's physical or mental condition.
According to the Commissioner's press release announcing Part 4's publication, the Code "aims to strike a balance between the legitimate expectations of workers that personal information about them will be handled properly and the legitimate interests of employers in deciding how best, within the law, to run their own businesses". Continuing, David Smith, Assistant Information Commissioner, said: "Information about people's health is very sensitive and requires effective protection. This part of the code addresses issues of real, practical relevance to many employers and those they employ. We believe we have set out a common-sense approach in a user-friendly manner."
Part 4 (as is the case with the other three parts of the Code) does not impose any new legal obligations and has no legal status of its own. The DPA, under s.51 of which the Code is issued, is the legislative instrument that imposes responsibilities on employers to process personal data about their employees in a fair and proper way. It is therefore the DPA that employers are legally obliged to comply with. Breaches of, or non-compliance with, the Act can result in the commission of criminal offences for which employers may be prosecuted.
The Code is an aid to guide employers in complying with the DPA's requirements. It covers the points an employer needs to bear in mind, and describes the actions that need to be taken in respect of these points. It represents the Information Commissioner's recommendations as to how the legal requirements of the DPA can be met. Although there is no legal obligation to follow its recommendations, and employers may meet the Act's requirements in alternative ways, employers who do nothing may well find that they are in breach of the Act's requirements. Should any enforcement action be brought against such an employer under the Act, the Commissioner has stated that he is likely to rely on relevant parts of the Code. It is in this respect that employers would be well-advised to familiarise themselves with the Code's recommendations. Moreover, the Commissioner envisages that following the Code will produce certain additional benefits for employers, including increased trust in the workplace, good housekeeping, and protection from legal action.
SCOPE AND DEFINITIONS
As with the DPA, the Code covers information that an employer processes on any individual worker, including successful and unsuccessful job applicants and former job applicants, current and former employees, and current and former agency, casual and contract staff. The Code also applies to volunteers and those on work experience placements.
The type of information covered by the DPA and the Code extends to information about such individuals kept by an employer on automated and computerised systems. It also covers information on paper or microfiche that is held in a relevant filing system, but not information in simple manual files. The meaning of "relevant filing system" was explained by the Court of Appeal in Durant v Financial Services Authority [2]. It amounts to much more than a bundle of documents about each individual worker, even if filed in date order. It must be a well-structured manual system, in the sense that a searcher is led by some guide to where specific information about a named worker can be found readily. This system may take the form of topic dividers within individually named personnel files, or name dividers within a file on a particular topic, such as "training applications".
This information must amount to personal data about the individual. "Personal" data, according to Durant, is information about a living person that affects that person's privacy (whether in their personal or family life, business or professional capacity). It is information that has the person as its focus or which is otherwise biographical in nature. It must also identify a person, either by itself or together with other information in, or likely to come into, the employer's possession.
Only personal information that is subject to "processing" is covered by the Act and therefore the Code. This term, as already described, covers a comprehensive range of activities to which information can be subjected, from its initial extraction, through to its retention, use, storage, access, disclosure and final disposal.
Sensitive personal information
The personal information covered by Part 4 of the Code is information concerning an individual's physical or mental health or condition. Such information is categorised as "sensitive personal information" under the DPA, meaning that certain extra conditions must be satisfied before it can be processed by an employer. This may be information about a worker's physical or mental health, kept as part of their sickness records; or, information about their disabilities, kept for equal opportunities purposes or to bring about workplace adaptations.
Typically, information about workers' health may be obtained from health questionnaires or medical examinations or tests, including drug and alcohol tests, and tests carried out as part of occupational health or private medical insurance schemes. As discussed below, all information obtained as a result of such examination or testing is likely to be sensitive personal data, requiring the fulfilment of at least one of the Schedule 2 and one of the Schedule 3 conditions to the DPA before it can be collected, stored, used, disclosed or otherwise processed (see below for details of these conditions). These conditions do not prevent the processing of health information; they only limit the circumstances in which such processing can take place. The processing must also comply with other requirements of the Act, including the data protection principles (especially the principle of fair and lawful processing) as well as with other provisions protecting individuals' rights to privacy, such as Article 8 of the European Convention on Human Rights. Employers may wish to process medical information about their staff in a number of circumstances, and perhaps the most pertinent example is where the employer wishes to engage in medical testing.
An employer may require its workers to undergo medical testing, and there are as many different medical tests as there are reasons for testing. Further, the employer may wish the testing to be carried out at any stage of employment, from a pre-employment health questionnaire right through to after the termination of employment when an exit assessment may be undertaken. Such medical testing almost inevitably involves an employer collecting or obtaining sensitive personal data about their workers for subsequent use.
Where medical testing yields personal information about an employee that is then held electronically on automated/computer systems, or kept in a relevant filing system, Part 4 of the Code applies. Where, however, no record of a test result is kept (the result is immediately conveyed to the employee and then destroyed or otherwise disposed of), there is no need for recourse to the Code. Nor will there be any need to consider the Code where, for example, a line manager asks about a worker's health but keeps no record of the conversation, does not intend to keep such a record, or only keeps a note in a general notebook.
The various medical tests used in practice to gather information about workers' health might include the following:
A right to test?
The Code does not deal specifically with the issue of whether an employer has a legal right to conduct medical testing on its workers, or to require them to submit a health questionnaire or other medical report. As we have seen, it comes into play only once any test conducted yields results that are recorded in a computerised or manual filing system.
Any medical examination or testing of workers is always going to require the worker's consent and cooperation. The issue will often be, however, whether that consent is freely and explicitly given. Therefore, if an employer wants to introduce, for example, random testing, this should be expressly provided for in the employment contract. A refusal to submit to the testing would result in a breach of contract. In the absence of such a contractual term, the threat of dismissal or other detriment for refusing to consent would be likely to vitiate any consent actually given, and an issue would arise as to whether testing in such circumstances would constitute a breach of mutual trust and confidence, and possibly even assault and/or battery. Indeed, testing by a public sector employer in this situation could be found to be an act inconsistent with art.8 of the European Convention on Human Rights (the right to respect for private and family life), and as far as private sector employers are concerned, the courts would be obliged to interpret the statutory provisions on constructive dismissal, and the common law on what constitutes a breach of mutual trust and confidence, in a manner consistent with art.8.
Further, the human rights implications of random testing are such that the employer should also be able to show clear justification for it. The only reason for its introduction should be to assess competency to do the job, or to identify behaviour that constitutes a health and safety risk. Finally, and as the Code advises, random testing should be carried out in all cases by qualified health personnel.
If an employer makes a job offer conditional upon a satisfactory medical examination, it may withdraw the offer if the candidate refuses to take a medical examination. Such an examination is also likely to be justified if designed to ensure that a prospective worker is suitable to perform his or her job duties, or where the job will involve the handling of hazardous substances. Withdrawing an offer because of the results of an examination may have disability discrimination implications.
An employer would also be well advised to have a policy in place before arranging to have workers undergo medical testing. The construction of such a policy should, from the outset, involve workers and their representatives. The end result should ensure compliance with the DPA and Part 4 of the Code, as discussed in greater detail below. The policy should therefore explain why testing is necessary; when a worker will be referred for a medical; the purpose to which test information will be put; who has responsibility for carrying it out; the worker's consent; the processing of the information obtained; and who will have access.
Confidentiality
Keeping medical information confidential is covered by the Code and discussed further below. However, it is worth emphasising here the employment law implications of breaching the duty of confidentiality. These might include breach of the DPA; breach of contract (namely, the implied term of trust and confidence); misrepresentation under the Misrepresentation Act 1976; and breach of professional ethics. This means that all those involved in employee medicals, including the employer, the health professionals who carry out and interpret the test and its results, and anybody else to whom test results are disclosed, such as the employer's legal advisers, should keep the disclosures confidential.
Further below, we will see that the Code requires disclosures of workers' health information to be made only on a "need to know" basis. For example, it states that line managers should not be given more detailed information of health records or of any diagnosis than is necessary to arrive at the relevant decision. Only that which is necessary, for example, in order to ascertain the likely period of absence from work, should be divulged by the health professional. Therefore, employers should proceed on the basis that all health information obtained about a worker remains the property of the individual, is confidential, and must be maintained as such.
The DPA categorises certain personal information about individuals as sensitive personal information. Processed information about an individual's "physical or mental health or condition" amounts to sensitive personal data within the meaning of the DPA, meaning that the relevant sensitive data conditions must be met. Information gleaned by any of the various types of medical testing discussed above will be caught by this definition. As we have already stated, the categorisation of health information as "sensitive" does not in any way prevent its processing, but it does mean that the circumstances in which processing can take place are severely circumscribed. An employer must therefore be able to fulfil one or more of the following conditions before it can process health information about its employees:
The need for explicit consent
The worker's consent is a crucial prerequisite for the employer obtaining health information about them. The DPA and the Code stipulate that the processing of sensitive personal data must be sanctioned by having the explicit consent of the worker. Explicit consent means that the worker must have been told clearly exactly what personal data are involved in the processing, and how they are to be used. Thus consent should cover not only any testing itself, but also the subsequent recording, use and disclosure of the test results.
Most importantly, the worker must have signed their agreement. Their consent must be freely given (ie the worker must have had a real choice as to whether or not to consent), and there must not have been any penalty for withholding consent. Consent will therefore be invalidated where, in fact, the employee is left with no real choice but to give it: for example, where the direct consequence of withholding consent is dismissal, being passed over for promotion, or the denial of some significant benefit.
During recruitment and selection, as opposed to during actual employment, there is more scope for valid consent, as the individual has a freer choice in the open job market to decide whether or not to apply for a particular job. This may cease to be the case as recruitment proceeds towards a firm job offer that is made conditional on the giving of consent.
"Appropriate" security
Personal data must be kept secure, otherwise breaches of the DPA and other laws might occur from their misuse, disclosure or loss. The level of security that must be applied to data depends on the nature of the data to be protected. Because health information is sensitive personal data, a high level of security is required and, where necessary, such information must be singled out by the employer for special treatment: that is, it must be kept on a separate database, be subject to separate access controls, or be kept in a sealed envelope in the employee's personnel file.
In addition to these appropriate security measures, access to health information in general should be restricted on a "need to know" basis, so that only health professionals see workers' medical details. As already discussed, as far as line managers are concerned, their need to know is limited to no more health information than is necessary for them to carry out their management responsibilities - in most cases, this will be for fitness-to-work purposes only. Where health information is collected to run a pension or insurance scheme, the information should not be available to the employer unless this is necessary for administrative purposes. If, for any reason, people who are not health professionals need to have access to medical information, the Code recommends that those others should be subject to contractual conditions of confidentiality equivalent to those imposed on a health professional by their professional standards.
In the Information Commissioner's view, employers are unlikely ever to need a worker's entire medical record, held by their general practitioner, to be disclosed to them, and the same applies for any other comprehensive care and treatment records held by a hospital. Therefore, workers should not be required to consent to the disclosure of their entire medical record. In principle, no more health information than is necessary for the purposes behind its collection should be collected, and health questionnaires should be reviewed to ensure that only information that is really needed is requested.
An employer who requires specific information should refer specific relevant questions to the general practitioner or to the hospital, in order to elicit the information needed. The worker's consent must, of course, first be sought before the general practitioner can release such information. In this regard, health questionnaires should be designed by health professionals in order to ensure that the information sought is relevant or necessary. They should also be interpreted by those qualified to draw meaningful conclusions from the information supplied.
Impact assessments
An employer who satisfies a sensitive data condition for the processing of information about their workers' health must next go on to conduct an impact assessment, in order to be clear that the benefits to be gained by processing such information justify the intrusion into their employees' privacy, or any other adverse impact on them. The employer must be able to show that it is processing information about workers' health as a proportionate response to a particular problem. An impact assessment must cover the following ground:
(a) the extent of the intrusion into the worker's and his or her family's private lives by the collecting of health information;
(b) who will have access to the information, and whether they have a business need to know;
(c) the impact on the relationship of trust and confidence between employer and employee that the collection of health information will have; and
(d) whether collecting health information will be oppressive and demeaning for the worker.
(a) whether health questionnaires rather than tests should be used;
(b) whether changes in the workplace will remove the need to obtain health information through testing, for example, eliminating exposure to hazardous substances;
(c) whether medical testing can be restricted to workers who have demonstrated drink- or drug-related problems at work, rather than all workers;
(d) whether collecting health information can be confined to areas of highest risk, for example, to the workers whose jobs pose a particular risk for them, rather than all workers;
(e) whether medical testing can be designed to reveal only a narrow range of information that is directly relevant to the purpose for which it is undertaken; and
(f) whether access to health information can be limited so that it is only seen by medically qualified staff or those working under specific confidentiality agreements.
(a) establish what the benefits are;
(b) consider any alternative method of obtaining these benefits;
(c) balance these benefits against any adverse impact;
(d) be fair to individual workers;
(e) ensure that the intrusion is no more than absolutely necessary;
(f) bear in mind the particularly sensitive nature of health information;
(g) take into account the results of consultation with trade unions, employee representatives or with workers themselves.
An impact assessment will identify what collection and use of medical information currently takes place within the organisation. It will also identify any collection or use of information about workers' health that is planned.
In many cases, an impact assessment will amount to no more than a simple mental evaluation of the risks faced by the business, and an assessment as to whether the obtaining of health information would reduce or eradicate those risks, or would bring particular benefits. On other occasions, an impact assessment may place more complicated or onerous requirements on an employer: for example, where it faces different risks of varying degrees of seriousness, and where the considerations involved in making the assessment are better documented.
GOOD PRACTICE RECOMMENDATIONS
The Code sets out specific good practice recommendations that an employer should endeavour to follow when processing health information in particular circumstances. These are set out in the following six subsections, which will be dealt with in turn:
1. Information about workers' health: general considerations.
2. Sickness and injury records.
3. Occupational health schemes.
4. Information from medical examination and testing.
5. Information from drug and alcohol testing.
6. Information from genetic testing.
These recommendations are most likely to be of relevance to larger organisations and to those organisations with specific health and safety obligations, although all employers who keep information about their workers' health will also find them relevant. The notes and examples, aimed at those larger organisations, are set out in the Supplementary Guidance to the Code [3].
(1) General considerations for processing health information
Ensuring that a sensitive data condition exists, and that an impact assessment has been conducted which justifies medical testing, are two of the general considerations under the DPA and the Code that an employer must bear in mind before proceeding to test its employees for health information. The rest are set out in the box below as a set of core principles that must preface any medical testing. Flowing on from these are the key points and possible actions, all of which we have dealt with in our discussions above, on fulfilling sensitive data conditions, providing appropriate security measures and obtaining explicit consent.
The Code also recommends that, within an organisation, there must be someone or some persons with responsibility or authority for processing workers' health information. This person must be aware of the employer's responsibilities under the DPA and under the Code, and is the one to ensure that there is compliance, and that there has been consideration of all data protection issues. Those who lack proper authority or training will bring about non-compliance risks if they introduce medical testing or the collection of health information. Only those qualified to interpret medical information should be allowed to do this.
(2) Sickness and injury records
The Code distinguishes between a "sickness record", which contains details of the illness or condition responsible for a worker's absence; an "injury record", which contains details of the injury suffered by a worker; an "absence record", a record that may give the reason for a worker's absence as "sickness" or "accident", but which does not include any reference to specific medical conditions; and an "accident record", which may amount to an injury record if it includes details of the injury suffered by an identifiable worker.
Because sickness and injury records contain information about workers' physical or mental health, one of the conditions for processing sensitive personal information will have to be satisfied.
(3) Occupational health schemes
Some employers operate occupational health schemes within which to manage employee health and medical testing. The Code's good practice recommendations are as follows:
(4) Medical examination and testing
An employer who conducts medical examinations and testing should aspire to the following good practice recommendations regarding the collection and handling of information from such testing. The Code emphasises here that it will be insufficient only to obtain a worker's consent or to satisfy another sensitive data condition. In order to ensure full data protection compliance, employers should be mindful of the obligation to comply with the data protection principles, which require information obtained through medical examination to be relevant, accurate and up-to-date, as well as requiring there to be appropriate security for such information.
(5) Drug and alcohol testing
Random testing should be limited to workers employed in safety-critical activities, rather than involving all workers. Employers should be aware that even in those safety-critical areas, such as in public transport or heavy industry, workers in different jobs will pose different safety risks, and therefore it will not be justified to collect information by testing all employees randomly.
(6) Obtaining health information from genetic testing
Genetic testing can provide employers with information of two kinds: first, information that enables the likely future general health of workers to be predicted; and second, information about their genetic susceptibility to occupational diseases. The Code cautions that genetic testing is still in its developmental stages, is of uncertain predictive value, and is rarely used in the employment context. Therefore, and upon the advice of the Human Genetics Commission, no worker should be required to take a genetic test as a condition of employment. Its introduction will require very careful consideration.
The Human Genetics Commission should be informed of any proposals to use genetic testing for employment purposes.
The genetic test used must be valid, accurate and reliable. Results should be communicated to the individual tested and there should be professional advice available to the individual. Test results should be carefully interpreted, taking account of how they might be affected by environmental conditions.
REFERENCES
[1] The Information Commissioner, The Employment Practices Data Protection Code Part 4: Information about Workers' Health (2004), available at: www.informationcommissioner.gov.uk.
[2] [2004] EWCA (Civ) 1746.
[3] The Information Commissioner, The Employment Practices Data Protection Code Part 4: Information about Workers' Health - Supplementary Guidance (2004), available at: www.informationcommissioner.gov.uk.
GENERAL CONSIDERATIONS: Core principles
The personal information covered by the Code concerns workers' physical or mental health or condition, and so will amount to sensitive personal data under the DPA. Thus a sensitive data condition must be satisfied in respect of any processing of such information.
Source: The Employment Practices Data Protection Code, Part 4: Information about Workers' Health.
"Diseases with a recognised genetic component resulting from a defect in a single gene include cystic fibrosis, sickle cell anaemia, Huntington's Disease and haemophilia. Other diseases with a genetic component result from interactions between several genes; these are thought to be influenced by environment, diet and lifestyle, and include heart disease, several cancers and some allergies. Even for single-gene diseases, the predictive value of genetic testing may be limited. The disease in question may never manifest itself during the working life of the individual, and it is not always possible to predict the severity of future disease. Even more complex is the situation where diseases involving several genes are concerned. Presently, it is virtually impossible to predict accurately, using genetic tests, either whether the disease will develop at all, or if it does, its timing and severity. Even if the genetic basis of such diseases becomes fully understood, environmental and lifestyle factors, which may themselves be unpredictable, will limit the predictability of disease development. Genetic screening for susceptibility to workplace environmental hazards clearly has some precautionary relevance, but in many cases the link between a particular genetic status and susceptibility to a particular hazard has only a theoretical basis at present. Presently, very few genetic tests are available that give information to either an employer or employee which could validly be used in the context of decisions concerning employment. While it is likely that this situation may change in the future, it is difficult to predict the pace of such change. Validity of a genetic test would require demonstration of:
In such a sensitive area, it is obviously extremely important that procedures for genetic testing are as reliable as possible, as provision of incorrect information to an employer or employee could have far-reaching consequences. All stages of a scientifically satisfactory testing procedure should have built-in negative and positive controls to ensure the reliability of the test result. Good laboratory practice should be observed at all times, including detailed documentation of procedures and results. Even when testing procedures are optimised, false negatives and false positives will emerge and validation procedures for the tests may be required."
Source: Ethical Aspects of Genetic Testing in the Workplace (European Group on Ethics in Science and New Technologies, July 2003).
DATA PROTECTION AND EMPLOYMENT PRACTICE GUIDANCE NOTES
(1) Data protection and employment practice (1): The Data Protection Act 1998, covering the key definitions that dictate the scope of the Act and the nature of its requirements, and the Data Protection Principles.
(2) Data protection and employment practice (2): The rights of data subjects under the Act; the exceptions, exemptions and defences available to data controllers; and the Information Commissioner's powers and duties.
(3) Data protection and employment practice (3): The Employment Practices Data Protection Code of Practice Part 1: Recruitment and Selection.
(4) Data protection and employment practice (4): The Employment Practices Data Protection Code of Practice Part 2: Employment Records.
(5) Data protection and employment practice (5): The Employment Practices Data Protection Code of Practice Part 3: Monitoring at Work.