Data protection and employment practice (6)

The Employment Practices Data Protection Code - Part 4: Information about Workers' Health - sets out good practice when processing employees' medical information, thereby enabling organisations to meet the requirements of the Data Protection Act 1998.

This is the final part of our series of guidance notes on data protection and employment practice (see box below for details of the first five guidance notes in this series). It is concerned with the final part of the Employment Practices Data Protection Code - Part 4: information about workers' health [1], which the Information Commissioner published on 13 December 2004.

Part 4 of the Code provides guidance for employers on the proper way to process information about workers' health to ensure compliance with the Data Protection Act 1998 ("the DPA"), and in accordance with good practice. The term "processing" (see below) encompasses every use to which information can be put. In Part 4 of the Code, the term certainly includes the obtaining and collecting, and the handling and subsequent use of, information about a worker's physical or mental condition.

According to the Commissioner's press release announcing Part 4's publication, the Code "aims to strike a balance between the legitimate expectations of workers that personal information about them will be handled properly and the legitimate interests of employers in deciding how best, within the law, to run their own businesses". Continuing, David Smith, Assistant Information Commissioner, said: "Information about peoples' health is very sensitive and requires effective protection. This part of the code addresses issues of real, practical relevance to many employers and those they employ. We believe we have set out a common-sense approach in a user-friendly manner."

Part 4 (as is the case with the other three parts of the Code) does not impose any new legal obligations and has no legal status of its own. The DPA, under s.51 of which the Code is issued, is the legislative instrument that imposes responsibilities on employers to process personal data about their employees in a fair and proper way. It is therefore the DPA that employers are legally obliged to comply with. Breaches of, or non-compliance with, the Act can result in the commission of criminal offences for which employers may be prosecuted.

The Code is an aid to guide employers in complying with the DPA's requirements. It covers the points an employer needs to bear in mind, and describes the actions that need to be taken in respect of these points. It represents the Information Commissioner's recommendations as to how the legal requirements of the DPA can be met. Although there is no legal obligation to follow its recommendations, and employers may meet the Act's requirements in alternative ways, employers who do nothing may well find that they are in breach of the Act's requirements. Should any enforcement action be brought against such an employer under the Act, the Commissioner has stated that he is likely to rely on relevant parts of the Code. It is in this respect that employers would be well-advised to familiarise themselves with the Code's recommendations. Moreover, the Commissioner envisages that following the Code will produce certain additional benefits for employers, including increased trust in the workplace, good housekeeping, and protection from legal action.

SCOPE AND DEFINITIONS

As with the DPA, the Code covers information that an employer processes on any individual worker, including successful and unsuccessful job applicants and former job applicants, current and former employees, and current and former agency, casual and contract staff. The Code also applies to volunteers and those on work experience placements.

The type of information covered by the DPA and Code extends to information about such individuals kept by an employer on automated and computerised systems. It covers information on paper or microfiche, and held in a relevant filing system, but not in simple manual files. The meaning of "relevant filing system" was explained by the Court of Appeal in Durant v Financial Services Authority [2]. It amounts to much more than a bundle of documents about each individual worker, even if filed in date order. It must be a well-structured manual system, in the sense that a searcher is led by some guide to where specific information about a named worker can be found readily. This system may take the form of topic dividers within individually named personnel files or name dividers within a file on a particular topic, such as "training applications".

This information must amount to personal data about the individual. "Personal" data, according to Durant, is information about a living person that affects that person's privacy (whether in their personal or family life, business or professional capacity). It is information that has the person as its focus or which is otherwise biographical in nature. It must also identify a person, either by itself or together with other information in, or likely to come into, the employer's possession.

Only personal information that is subject to "processing" is covered by the Act and therefore the Code. This term, as already described, covers a comprehensive range of activities to which information can be subjected, from its initial extraction, through to its retention, use, storage, access, disclosure and final disposal.

Sensitive personal information

The personal information covered by Part 4 of the Code is information concerning an individual's physical or mental health or condition. Such information is categorised as "sensitive personal information" under the DPA, meaning that certain extra conditions must be satisfied before it can be processed by an employer. This may be information about a worker's physical or mental health, kept as part of their sickness records; or, information about their disabilities, kept for equal opportunities purposes or to bring about workplace adaptations.

Typically, information about workers' health may be obtained from health questionnaires or medical examinations or tests, including drug and alcohol tests, and tests carried out as part of occupational health or private medical insurance schemes. As discussed below, all information obtained as a result of such examination or testing is likely to be sensitive personal data, requiring the fulfilment of at least one of the Schedule 2 and one of the Schedule 3 conditions to the DPA before it can be collected, stored, used, disclosed or otherwise processed (see below for details of these conditions). These conditions do not prevent the processing of health information; they only limit the circumstances in which such processing can take place. The processing must also comply with other requirements of the Act, including the data protection principles (especially the principle of fair and lawful processing) as well as with other provisions protecting individuals' rights to privacy, such as Article 8 of the European Convention on Human Rights. Employers may wish to process medical information about their staff in a number of circumstances, and perhaps the most pertinent example is where the employer wishes to engage in medical testing.

MEDICAL TESTING

An employer may require its workers to undergo medical testing, and there are as many different medical tests as there are reasons for testing. Further, the employer may wish the testing to be carried out at any stage of employment, from a pre-employment health questionnaire right through to after the termination of employment when an exit assessment may be undertaken. Such medical testing almost inevitably involves an employer collecting or obtaining sensitive personal data about their workers for subsequent use.

Where medical testing yields personal information about an employee that is then held electronically on automated/computer systems, or kept in a relevant filing system, Part 4 of the Code applies. Where, however, no record of a test result is kept, the result is immediately conveyed to the employee and then is destroyed or otherwise disposed of, there is no need for recourse to the Code. Neither will there be any need to consider the Code in circumstances where, for example, a line manager asks about a worker's health, but keeps no record of the conversation, or does not intend to keep such a record, or only keeps a note in a general notebook.

The various medical tests used in practice to gather information about workers' health might include the following:

  • A pre-employment health questionnaire or examination. This might be used to obtain a worker's medical history in order to detect any health problems before employment commences. Usually taking the form of a self-administered questionnaire or health declaration by the worker, the information obtained could be used for the purposes of ensuring health and safety in the workplace. Beyond this, an assessment of a worker's health in relation to a particular job may be deemed advisable, or indeed, may be required by statute. This will be the case with jobs that require high levels of physical or mental alertness and fitness, such as in the emergency services; jobs that present specific hazards to the general public, such as those in public transport or healthcare; or jobs where workers are exposed to substances such as compressed air, radiation or lead.
  • Information about a worker's disabilities or special needs might also be collected at the pre-employment stage in order to ensure equal opportunities during recruitment or, after successful recruitment of disabled workers, to inform decisions on the obligation to make reasonable adjustments in the workplace to accommodate such workers.
  • Eye-test results may be required where workers use display screen equipment.
  • Details of workers' blood type may be held in case of their involvement in accidents or exposure to hazardous substances.
  • Other tests might be carried out to detect the presence of alcohol or drugs. Health and safety legislation obliges an employer, so far as is reasonably practicable, to ensure the health, safety and welfare of its employees, and an employer may wish to carry out drug and alcohol testing in order to prevent injuries being caused by the operation of machinery (for example) while under the influence of intoxicating substances.
  • A medical examination might be carried out during the course of employment as part of the employer's occupational health scheme, and the results submitted in order to facilitate personnel decisions about the worker.
  • To assist in decisions regarding an employee's return to work following a period of incapacity, or entitlement to benefits, an employer may wish to obtain a medical report from the employee's general practitioner.
  • A medical report or medical evidence may be required in order to help determine the question of whether an employee is disabled within the meaning of the Disability Discrimination Act 1995, in order that reasonable adjustments can be made, or to assist a tribunal in legal proceedings.
  • The results of genetic tests could be used to pinpoint workers who may be susceptible in the future to genetic diseases, in order (for example) to exclude them from certain types of employment.
  • An employer may also require records of a worker's vaccination and immunisation status and history.

    A right to test?

    The Code does not deal specifically with the issue of whether an employer has a legal right to conduct medical testing on its workers, or to require them to submit a health questionnaire or other medical report. As we have seen, it comes into play only once any test conducted yields results that are recorded in a computerised or manual filing system.

    Any medical examination or testing of workers is always going to require the worker's consent and cooperation. The issue will often be, however, whether that consent is freely and explicitly given. Therefore, if an employer wants to introduce, for example, random testing, this should be expressly provided for in the employment contract. A refusal to submit to the testing would result in a breach of contract. In the absence of such a contractual term, the threat of dismissal or other detriment for refusing to consent would be likely to vitiate any consent actually given, and an issue would arise as to whether testing in such circumstances would constitute a breach of mutual trust and confidence, and possibly even assault and/or battery. Indeed, testing by a public sector employer in this situation could be found to be an act inconsistent with art.8 of the European Convention on Human Rights (the right to respect for private and family life), and as far as private sector employers are concerned, the courts would be obliged to interpret the statutory provisions on constructive dismissal, and the common law on what constitutes a breach of mutual trust and confidence, in a manner consistent with art.8.

    Further, the human rights implications of random testing are such that the employer should also be able to show clear justification for it. The only reason for its introduction should be to assess competency to do the job, or to identify behaviour that constitutes a health and safety risk. Finally, and as the Code advises, random testing should be carried out in all cases by qualified health personnel.

    If an employer makes a job offer conditional upon a satisfactory medical examination, it may withdraw the offer if the candidate refuses to take a medical examination. Such an examination is also likely to be justified if designed to ensure that a prospective worker is suitable to perform his or her job duties, or where the job will involve the handling of hazardous substances. Withdrawing an offer because of the results of an examination may have disability discrimination implications.

    An employer would also be well advised to have a policy in place before arranging to have workers undergo medical testing. The construction of such a policy should, from the outset, involve workers and their representatives. The end result should ensure compliance with the DPA and Part 4 of the Code, as discussed in greater detail below. The policy should therefore explain why testing is necessary; when a worker will be referred for a medical; the purpose to which test information will be put; who has responsibility for carrying it out; the worker's consent; the processing of the information obtained; and who will have access.

    Confidentiality

    Keeping medical information confidential is covered by the Code and discussed further below. However, it is worth emphasising here the employment law implications of breaching the duty of confidentiality. These might include breach of the DPA; breach of contract (namely, the implied term of trust and confidence); misrepresentation under the Misrepresentation Act 1976; and breach of professional ethics. This means that all those involved in employee medicals, including the employer, the health professionals who carry out and interpret the test and its results, and anybody else to whom test results are disclosed, such as the employer's legal advisers, should keep the disclosures confidential.

    Further below, we will see that the Code requires disclosures of workers' health information to be made only on a "need to know" basis. For example, it states that line managers should not be given more detailed information of health records or of any diagnosis than is necessary to arrive at the relevant decision. Only that which is necessary, for example, in order to ascertain the likely period of absence from work, should be divulged by the health professional. Therefore, employers should proceed on the basis that all health information obtained about a worker remains the property of the individual, is confidential, and must be maintained as such.

    THE SENSITIVE DATA CONDITIONS

    The DPA categorises certain personal information about individuals as sensitive personal information. Processed information about an individual's "physical or mental health or condition" amounts to sensitive personal data within the meaning of the DPA, meaning that the relevant sensitive data conditions must be met. Information gleaned by any of the various types of medical testing discussed above will be caught by this definition. As we have already stated, the categorisation of health information as "sensitive" does not in any way prevent its processing, but it does mean that the circumstances in which processing can take place are severely circumscribed. An employer must therefore be able to fulfil one or more of the following conditions before it can process health information about its employees:

  • The processing must be necessary to enable the employer to meet its legal obligations. These may be the obligations to ensure health and safety at work, or to prevent discrimination. It is likely that following the coming into force on 1 October 2004 of the new statutory dispute resolution procedures, these legal obligations will now include decisions regarding termination of employment on the ground of long-term incapacity, and the need to obtain a medical report about the employee to aid in that decision.
  • The processing is for medical purposes (for example, the provision of medical care or treatment) and is undertaken by a health professional or an occupational health doctor.
  • The processing is in connection with legal proceedings. This will be, for example, where the collection of medical information is necessary to defend a tribunal claim on disability discrimination. The legal proceedings may be actual or prospective.
  • The worker has given explicit consent to the processing of his or her medical information.

    The need for explicit consent

    The worker's consent is a crucial prerequisite for the employer obtaining health information about them. The DPA and the Code stipulate that the processing of sensitive personal data must be sanctioned by having the explicit consent of the worker. Explicit consent means that the worker must have been told clearly exactly what personal data are involved in the processing, and how they are to be used. Thus consent should cover not only any testing itself, but also the subsequent recording, use and disclosure of the test results.

    Most importantly, the worker must have signed their agreement. Their consent must be freely given (ie the worker must have had a real choice as to whether or not to consent). There must not have been any penalty involved for withholding consent. So, consent will be invalidated where, in fact, the employee is left with no real choice but to give it: for example, where the direct consequence of withholding consent is dismissal, being passed over for promotion, or the denial of some significant benefit.

    During recruitment and selection, as opposed to during actual employment, there is more scope for valid consent - as the individual has a freer choice in the open job market to decide whether or not to apply for a particular job. This may cease to be the case as recruitment proceeds towards a firm job offer being made, but which is made conditional on the giving of consent.

    "Appropriate" security

    Personal data must be kept secure, otherwise breaches of the DPA and other laws might occur from their misuse, disclosure or loss. The level of security that must be applied to data depends on the nature of the data to be protected. Because health information is sensitive personal data, a high level of security is required, and, where necessary, such information must be singled out by the employer for special treatment: that is, it must be kept on a separate database, be subject to separate access controls, or be kept in a sealed envelope in the employee's personnel file.

    In addition to these appropriate security measures, access to health information in general should be restricted on a "need to know" basis, so that only health professionals see workers' medical details. As already discussed, as far as line managers are concerned, their need to know is limited to no more health information than is necessary for them to carry out their management responsibilities - in most cases, this will be for fitness-to-work purposes only. Where health information is collected to run a pension or insurance scheme, the information should not be available to the employer unless this is necessary for administrative purposes. If, for any reason, people who are not health professionals need to have access to medical information, the Code recommends that those others should be subject to contractual conditions of confidentiality equivalent to those imposed on a health professional by their professional standards.

    In the Information Commissioner's view, employers are unlikely ever to need a worker's entire medical record, held by their general practitioner, to be disclosed to them, and the same applies for any other comprehensive care and treatment records held by a hospital. Therefore, workers should not be required to consent to the disclosure of their entire medical record. In principle, no more health information than is necessary for the purposes behind its collection should be collected, and health questionnaires should be reviewed to ensure that only information that is really needed is requested.

    An employer who requires specific information should refer specific relevant questions to the general practitioner or to the hospital, in order to elicit the information needed. The worker's consent must, of course, first be sought before the general practitioner can release such information. In this regard, health questionnaires should be designed by health professionals in order to ensure that the information sought is relevant or necessary. They should also be interpreted by those qualified to draw meaningful conclusions from the information supplied.

    Impact assessments

    An employer who satisfies a sensitive data condition for the processing of information about its workers' health must next go on to conduct an impact assessment in order to be clear that the benefits to be gained by processing such information justify the intrusion into its employees' privacy, or any other adverse impact on them. The employer must be able to show that it is processing information about workers' health as a proportionate response to a particular problem. An impact assessment must cover the following ground:

  • It must identify clearly the purpose behind the collection and holding of information about workers' health and the specific business benefits it is likely to bring. The issue here is the extent to which the employer's collection of health information actually addresses the risks it is directed at.
  • It must identify any likely adverse impact there might be in collecting and holding such information. The question for the employer here is: what are the consequences of collecting and holding health information, for the worker, and possibly, for the worker's family? In order to answer this, the employer must go on to consider the following:
    (a) the extent of the intrusion into the worker's and his or her family's private lives by the collecting of health information;

    (b) who will have access to the information, and whether they have a business need to know;

    (c) the impact on the relationship of trust and confidence between employer and employee that the collection of health information will have; and

    (d) whether collecting health information will be oppressive and demeaning for the worker.

  • The impact assessment must consider what alternatives exist to collecting and holding the information. The question for the employer is whether it is necessary at all to collect health information. If so, what is the least intrusive way in which to do so? The employer must consider the following:
    (a) whether health questionnaires rather than tests should be used;

    (b) whether changes in the workplace will remove the need to obtain health information through testing, for example, eliminating exposure to hazardous substances;

    (c) whether medical testing can be restricted to workers who have demonstrated drink- or drug-related problems at work, rather than all workers;

    (d) whether collecting health information can be confined to areas of highest risk, for example, to the workers whose jobs pose a particular risk for them, rather than all workers;

    (e) whether medical testing can be designed to reveal only a narrow range of information that is directly relevant to the purpose for which it is undertaken; and

    (f) whether access to health information can be limited so that it is only seen by medically qualified staff or those working under specific confidentiality agreements.

  • The impact assessment must take into account any obligations that arise from collecting and holding the information. The employer must consider whether and how workers will be notified about the collection of their health information; how security of health information will be handled in compliance with the DPA; and the implications of the worker's subject access rights.
  • The impact assessment must take a view as to whether collecting and holding health information is justified. Justifying the collection of health information requires the employer to:
    (a) establish what the benefits are;

    (b) consider any alternative method of obtaining these benefits;

    (c) balance these benefits against any adverse impact;

    (d) be fair to individual workers;

    (e) ensure that the intrusion is no more than absolutely necessary;

    (f) bear in mind the particularly sensitive nature of health information;

    (g) take into account the results of consultation with trade unions, employee representatives or with workers themselves.

    An impact assessment will identify what collection and use of medical information currently takes place within the organisation. It will also identify any collection or use of information about workers' health that is planned.

    In many cases, an impact assessment will amount to no more than a simple mental evaluation of the risks faced by the business, and an assessment as to whether the obtaining of health information would reduce or eradicate those risks, or would bring particular benefits. On other occasions, an impact assessment may place more complicated or onerous requirements on an employer: for example, where it faces different risks of varying degrees of seriousness, and where the considerations involved in making the assessment are better documented.

    GOOD PRACTICE RECOMMENDATIONS

    The Code sets out specific good practice recommendations that an employer should endeavour to follow when processing health information in particular circumstances. These are set out in the following six subsections, which will be dealt with in turn:

    1. Information about workers' health: general considerations.

    2. Sickness and injury records.

    3. Occupational health schemes.

    4. Information from medical examination and testing.

    5. Information from drug & alcohol testing.

    6. Information from genetic testing.

    These recommendations are most likely to be of relevance to larger organisations and to those organisations with specific health and safety obligations, although all employers who keep information about their workers' health will also find them relevant. The notes and examples, aimed at those larger organisations, are set out in the Supplementary Guidance to the Code [3].

    (1) General considerations for processing health information

    Ensuring that a sensitive data condition exists, and that an impact assessment justifying medical testing has been conducted, are among the general considerations under the DPA and the Code that an employer must bear in mind before proceeding to test its employees for health information. The rest are set out in the box below as a set of core principles that must preface any medical testing. Flowing on from this are the key points and possible actions, all of which we have dealt with in our discussions above, on fulfilling sensitive data conditions, providing appropriate security measures and the giving of explicit consent.

    The Code also recommends that, within an organisation, there must be a person or persons with responsibility or authority for processing workers' health information. This person must be aware of the employer's responsibilities under the DPA and under the Code, and must ensure that there is compliance and that all data protection issues have been considered. Those who lack proper authority or training will create a risk of non-compliance if they introduce medical testing or the collection of health information. Only those qualified to interpret medical information should be allowed to do this.

    (2) Sickness and injury records

    The Code distinguishes between a "sickness record", which contains details of the illness or condition responsible for a worker's absence; an "injury record", which contains details of the injury suffered by a worker; an "absence record", a record that may give the reason for a worker's absence as "sickness" or "accident", but which does not include any reference to specific medical conditions; and an "accident record", which may amount to an injury record if it includes details of the injury suffered by an identifiable worker.

    Because sickness and injury records contain information about workers' physical or mental health, one of the conditions for processing sensitive personal information will have to be satisfied.

  • The Code recommends that employers should, as far as is practicable, limit their record-keeping to absence records rather than sickness or injury records, and that where possible, sickness and injury records should be kept separate from absence and accident records. It is therefore envisaged that, where absence records will do, full sickness or injury records should not be used or accessed instead.
  • The Code also recommends that information from sickness or injury records should be disclosed only where there is a legal obligation to do so, where it is necessary for legal proceedings or where the worker has given explicit consent to the disclosure. Such information should not be disclosed to managers except on a need-to-know basis. This, for example, rules out the practice in some organisations of keeping "league tables" of individual records.

    (3) Occupational health schemes

    Some employers operate occupational health schemes within which to manage employee health and medical testing. The Code's good practice recommendations are as follows:

  • Workers should be informed, preferably in writing, of how their health information will be used, who will have access to it, for what purpose and why. They may assume, unless told otherwise, that the information they give to health professionals will be treated in confidence.
  • Confidential communications between workers and health professionals in an occupational health service should be protected. For example, where workers are allowed to communicate with health professionals via the employer's telephone or email, these should not be monitored.
  • The standards of confidentiality should be the same as those set out in the Guidance on Ethics for Occupational Physicians, published by the Faculty of Occupational Medicine. Where these are followed, the DPA's requirements are likely to be satisfied. These guidelines are published by the Faculty of Occupational Medicine (5th Edition - May 1999 ISBN 1-86016-112-X) for occupational physicians, rather than employers, but will clarify the legal and ethical constraints that operate in this area.
    (4) Medical examination and testing

    An employer who conducts medical examinations and testing should aspire to the following good practice recommendations regarding the collection and handling of information from such testing. The Code emphasises here that it will be insufficient only to obtain a worker's consent or to satisfy another sensitive data condition. In order to ensure full data protection compliance, employers should be mindful of the obligation to comply with the data protection principles, which require information obtained through medical examination to be relevant, accurate and up-to-date, as well as requiring there to be appropriate security for such information.

  • If the testing is being done to enforce the employer's rules and standards, such as in relation to alcohol and illegal drug use in the workplace, those rules and standards themselves should be clearly set out in a policy that is well known to the workers. Either in this policy or separately, the employer should go on to set out the circumstances in which medical testing may take place, the nature of the testing, how information obtained through testing will be used and the safeguards in place for workers subject to testing.
  • Test samples should not be obtained covertly. Neither should existing samples, test results or other information obtained through medical examination be used for a purpose other than that for which it was originally obtained. This means that employers must clarify the purpose for which testing is carried out. They must also obtain workers' consent again if they wish to carry out a different test on an existing sample. Therefore, an employer will be acting unfairly if it tests a blood sample for the presence of alcohol when the worker has been told only that the sample will be tested to check for the presence of a particular chemical to which the worker might have been exposed.
  • Moreover, if a test reveals information that is not relevant to the purpose for which the test was conducted, that result should be permanently deleted. This would be the case where, for example, a test for the presence of illegal drugs indicates as well that a worker is pregnant. The employer should neither record this fact, nor use it to discriminate against the worker on the ground of pregnancy. Tests should not be designed to detect this in the first place. Health information that is excessive or irrelevant should not be retained, or should be kept separately in a confidential occupational health file.
  • Medical examination or testing of applicants or potential workers must be done only when there is an intention to appoint them and the employer is satisfied the testing is necessary and justified: (a) to determine whether the potential worker is fit or likely to remain fit for the particular employment; or (b) to meet any legal requirements for testing; or (c) to determine the terms on which a potential worker is eligible to join a pension or insurance scheme. Before testing job applicants, employers should record the business purpose for which the exam or test is to be introduced; and consider less intrusive ways of meeting the same objectives - a health questionnaire will be less intrusive than a medical examination. Individuals should be told early on in the recruitment process that they may be subjected to medical examination or testing should there be an intention to appoint them.
  • Medical testing or examination of current workers should be conducted only as part of a voluntary occupational health and safety programme, or if the employer is satisfied that it is a necessary and justified measure to: prevent a significant health and safety risk to the worker or others; determine the worker's fitness for continued employment; determine the worker's entitlement to health-related benefits (sick pay); or prevent discrimination against workers on the grounds of disability.
    (5) Drug and alcohol testing

  • The benefits of undertaking drug or alcohol testing must justify any adverse impact. Unless it is for health and safety reasons, collecting information through drug and alcohol testing is unlikely to be justified. Because this testing is intrusive, an employer must undertake and document an impact assessment. Testing after an incident has occurred, such as a road traffic accident, is more likely to be justified than random testing.
  • The amount of personal information obtained through drug and alcohol testing must be limited, with testing used only in situations where it provides significantly better evidence of impairment than other, less intrusive means. The least intrusive methods must be used, and workers should be told what they are being tested for. Any testing should be based on reliable scientific evidence of the effect of particular substances on workers. Moreover, testing should be limited to those substances and the extent of exposure that will have a significant bearing on the purposes for which the testing is conducted.
  • In general, the Code takes a dim view of random testing, and directs that the selection of workers for testing should be "justified, properly documented, adhered to and communicated to workers". On the one hand, it states that workers should not be deceived into thinking that testing is being carried out randomly if it is not; on the other, if testing is to be random then it must be carried out in a genuinely random way. Workers should be told of any criteria that trigger testing, for example, suspicion that work performance is impaired as a result of drug and alcohol use.
  • Random testing should be limited to workers employed in safety-critical activities, rather than involving all workers. Employers should be aware that even in those safety-critical areas, such as in public transport or heavy industry, workers in different jobs will pose different safety risks, and therefore it will not be justified to collect information by testing all employees randomly.

  • Ideally, testing should be designed with a view to ensuring safety at work, and not to disclose the individual's drug or alcohol use. It will generally not be justified to detect illegal use of substances in this way, except where illegal use would amount to a breach of the contract of employment or disciplinary rules, and where it would cause serious damage to the employer's business. The example given is where it would substantially undermine public confidence in the integrity of a law enforcement agency.
  • It goes without saying that workers should be fully aware of any drug or alcohol testing taking place, and of the possible consequences of being tested. Therefore, there should be a drug or alcohol policy in a staff handbook that workers are aware of, and the consequences of breaching it should be explained to them. They should be aware of the blood-alcohol level that will trigger the disciplinary process, and no testing should be conducted on their samples without their knowledge.
  • The drug and alcohol testing itself should be conducted in its entirety by qualified and competent professional staff, in order to ensure "sufficient technical quality". Workers should be provided with a duplicate of any sample taken, to enable them to have it independently analysed if they wish. Employers should not assume that the tests are infallible. If disputes arise, they should be prepared to deal properly with them.
    (6) Obtaining health information from genetic testing

    Genetic testing can provide employers with information of two kinds: first, that which enables the likely future general health of workers to be predicted; and second, about their genetic susceptibility to occupational diseases. The Code cautions that genetic testing is still in its developmental stages, is of uncertain predictive value, and is rarely used in the employment context. Therefore, and upon the advice of the Human Genetics Commission, no worker should be required to take a genetic test as a condition of employment. Its introduction will require very careful consideration.

  • Genetic testing should not be used to obtain information that is predictive of a worker's future general health. As well as being too intrusive, such predictive value is also insufficiently certain to be treated as reliable.
  • A worker should not be required to disclose the results of a previous genetic test. Any such disclosure should be voluntary.
  • Genetic testing should be used only where a worker has a particular, detectable genetic condition that may pose a serious safety risk to others or where it is known that a specific working environment or practice might pose specific risks to workers with particular genetic variations. It is therefore really a measure of last resort, where it is not practicable to make changes to the working environment or practices so as to reduce risks to all workers, and it is determined that it is the only reasonable method to obtain the required information.
  • The Human Genetics Commission should be informed of any proposals to use genetic testing for employment purposes.

  • The genetic test used must be valid, accurate and reliable. Results should be communicated to the individual tested and there should be professional advice available to the individual. Test results should be carefully interpreted, taking account of how they might be affected by environmental conditions.

    REFERENCES

    1 The Information Commissioner, The Employment Practices Data Protection Code Part 4: Information about Workers' Health (2004), available at: www.informationcommissioner.gov.uk.

    2 [2004] EWCA (Civ) 1746.

    3 The Information Commissioner, The Employment Practices Data Protection Code Part 4: Information about Workers' Health - Supplementary Guidance (2004), available at: www.informationcommissioner.gov.uk.


    MAIN POINTS TO NOTE

  • Part 4 of the Code guides employers in the proper processing of health information about their workers in order for them to be data protection-compliant.
  • The personal information covered by the Code concerns workers' physical or mental health or condition, and so will amount to sensitive personal data under the DPA. Thus a sensitive data condition must be satisfied in respect of any processing of such information.

  • The Code is invoked at the point at which medical testing yields personal information about an individual that is then either held electronically in automated or computerised systems, or held in a relevant filing system.
  • Apart from in certain limited circumstances, there is no general legal right to require workers to submit to medical testing of any kind in the employment context.
  • Medical testing, and the obtaining of health information, always requires the worker's explicit consent and cooperation. This means "freely given" consent evidenced by the worker's signature.
  • Employers should always ensure that the employment contract makes clear provision for medical testing or the obtaining of health information, and that there is also a clear policy on such testing or examination that is communicated to workers.
  • The duty of confidentiality applies to the obtaining of health information. The Code recommends that a need-to-know basis should underpin access to or disclosures of such information so that line managers are not provided with more health information about workers than is necessary for their decision-making.
  • A high level of security is required for the keeping of health information. To this end, employers must ensure it is kept in a separate database, is subject to separate access controls or kept in sealed envelopes in workers' personnel files.
  • An impact assessment must be conducted to ensure that the benefits to be gained by processing health information justify the intrusion into workers' privacy or other adverse impact on them.
  • The general considerations for processing health information take into account most of the foregoing main points. Moreover, the Code recommends that a person or persons be identified within an organisation to be given particular responsibility and authority for processing workers' health information.
  • The good practice recommendations for processing sickness and injury records include that employers should limit their record-keeping to absence records rather than sickness or injury records. Information from the latter should be disclosed only where there is a legal obligation to do so, where there are legal proceedings, or where the worker has given explicit consent.
  • The good practice recommendations for processing health information obtained from administering an occupational health scheme should be underpinned by the duty of confidentiality that health professionals owe to individuals, that is, workers, in this context.
  • The good practice recommendations for processing information obtained through medical examination or testing include clarity as to the business purpose of such testing. Employers should first consider any less intrusive means of achieving the same objectives.
  • The good practice recommendations for processing information yielded by drug and alcohol testing include ensuring that it is being done for a health and safety reason. Generally, random testing should be limited to workers in jobs with safety-critical activities.
  • The good practice recommendations for processing information from genetic testing include ensuring that it is not used to obtain information that predicts the future general health of workers.


    DOCUMENT EXTRACT

    GENERAL CONSIDERATIONS

    Core principles

  • It will be intrusive and may be highly intrusive to obtain information about your workers' health.
  • Workers have legitimate expectations that they can keep their personal health information private and that employers will respect their privacy.
  • If employers wish to collect and hold information on their workers' health, they should be clear about the purpose and satisfied that this is justified by real benefits that will be delivered.
  • One of the sensitive data conditions must be satisfied.

  • Workers should be aware of the extent to which information about their health is held and the reasons for which it is held.

  • Decisions on a worker's suitability for particular work are properly management decisions but the interpretation of medical information should be left to a suitably qualified health professional.
    Source: The Employment Practices Data Protection Code, Part 4: Information about Workers' Health.


    DOCUMENT EXTRACT

    "Diseases with a recognised genetic component resulting from a defect in a single gene include cystic fibrosis, sickle cell anaemia, Huntington's Disease and haemophilia. Other diseases with a genetic component result from interactions between several genes; these are thought to be influenced by environment, diet and lifestyle, and include heart disease, several cancers and some allergies. Even for single-gene diseases, the predictive value of genetic testing may be limited. The disease in question may never manifest itself during the working life of the individual, and it is not always possible to predict the severity of future disease. Even more complex is the situation where diseases involving several genes are concerned. Presently, it is virtually impossible to predict accurately, using genetic tests, either whether the disease will develop at all, or if it does, its timing and severity. Even if the genetic basis of such diseases becomes fully understood, environmental and lifestyle factors, which may themselves be unpredictable, will limit the predictability of disease development.

    Genetic screening for susceptibility to workplace environmental hazards clearly has some precautionary relevance, but in many cases the link between a particular genetic status and susceptibility to a particular hazard has only a theoretical basis at present.

    Presently, very few genetic tests are available that give information to either an employer or employee which could validly be used in the context of decisions concerning employment. While it is likely that this situation may change in the future, it is difficult to predict the pace of such change.

    Validity of a genetic test would require demonstration of:

  • its relevance to health protection of workers
  • the reliability and reproducibility of the test and
  • the level of predictive value for the test.
    In such a sensitive area, it is obviously extremely important that procedures for genetic testing are as reliable as possible, as provision of incorrect information to an employer or employee could have far-reaching consequences. All stages of a scientifically satisfactory testing procedure should have built-in negative and positive controls to ensure the reliability of the test result. Good laboratory practice should be observed at all times, including detailed documentation of procedures and results. Even when testing procedures are optimised, false negatives and false positives will emerge and validation procedures for the tests may be required."

    Source: Ethical aspects of Genetic Testing in the Workplace (European Group on Ethics in Science and New Technologies, July 2003).


    DATA PROTECTION AND EMPLOYMENT PRACTICE GUIDANCE NOTES

    (1) Data protection and employment practice (1): The Data Protection Act 1998, covering the key definitions that dictate the scope of the Act and the nature of its requirements and the Data Protection Principles.

    (2) Data protection and employment practice (2): The rights of data subjects under the Act; the exceptions, exemptions and defences available to data controllers; and the Information Commissioner's powers and duties.

    (3) Data protection and employment practice (3): The Employment Practices Data Protection Code of Practice Part 1: Recruitment and Selection.

    (4) Data protection and employment practice (4): The Employment Practices Data Protection Code of Practice Part 2: Employment Records.

    (5) Data protection and employment practice (5): The Employment Practices Data Protection Code of Practice Part 3: Monitoring at Work.