New code governs information about workers' health
The publication of part 4 of the Employment Practices Data Protection Code provides practical guidance for employers and trustees dealing with medical information. It is important that information collected is necessary and no more intrusive than it needs to be. This feature looks at the scope of the Code, the recommendations made and the implications for pension schemes.
Summary of key points
The Data Protection Act 1998 came into force in March 2000. Since that date various publications have been produced by the Information Commissioner to aid interpretation of the Act. The principal one for those working in pensions is the final part of the four-part Employment Practices Data Protection Code*. It deals exclusively with information about the health of workers. In addition, supplementary guidance and guidance for small businesses have been published. The assistant Information Commissioner, David Smith, says: "Information about people's health is very sensitive and requires effective protection. This part of the code addresses issues of real, practical relevance to many employers and those they employ."
Application of part 4
The code extends beyond employees. The term "worker" is of much wider scope, and includes current and former employees, successful and unsuccessful applicants or former applicants for work, current and former agency staff, casual staff and contract staff. Volunteers, those on work experience placements and presumably apprentices will also be covered.
The general rules in the Act about what sort of information will be included are reflected in the code. Any information about individuals kept by a data controller on computer or other electronic system, or a "relevant filing system" on paper in an employment context, will be within the ambit of the code. The Court of Appeal has now examined the concept of a relevant filing system in the Durant case†. To be covered by the Act, the system must be well structured, and it should be simple to search for a particular type of information about a certain individual. A bundle of papers about individual workers will not suffice.
Sensitive personal data
Part 4 of the code focuses on health information. This is likely to be "sensitive personal data", such that, in addition to the general data protection principles, further conditions must be met before the employer can process the information in any way. Box 1 details the conditions identified in part 4 as being the most relevant to the employment context.
Many examples are given of the type of information that will be covered by part 4 of the code. The definition of sensitive personal data includes information about an individual's physical or mental health or condition. This could be noted by an employer as a part of sickness records, or a record of disabilities to facilitate adaptations in the workplace and for equal opportunity purposes. Information may be available about a worker's medical history in a pre-employment questionnaire, or obtained during the course of an interview, for example to assess fitness for work. Drug and alcohol testing, blood tests and genetic tests are dealt with in some detail in the code. Information obtained through medical examinations carried out as part of an occupational health scheme or a private medical insurance scheme is covered. Although not mentioned as a specific example, similar medical examinations or information obtained to determine whether an employee can obtain an early retirement pension through ill health or other pension benefits would fall within the scope of part 4.
The code distinguishes between absence records, and sickness and injury records. An absence record may note that a person is absent due to illness or accident, but will not contain any further detail. A sickness record will give further information as to the condition suffered by the worker. Similarly, an injury record will detail the type of injury sustained by an identifiable worker. Absence records do not contain sensitive data, and therefore do not fall within the ambit of part 4.
Some pension schemes require medical information to be provided before admitting an employee to membership. Medical testing or examinations for this purpose should only be used in relation to those likely to be employed, but applicants should be alerted to any such requirement at an early stage.
Impact assessments
If one of the sensitive data conditions is satisfied, an employer will still have to ensure that either:
(a) it is under a legal duty to process information about a worker's health; or
(b) the benefits gained from processing the information justify the privacy intrusion or any other adverse impact on the individual.
As to the first option, there are a number of legislative measures that require an employer to obtain and record certain health information, the example given being the duty to monitor workers' possible exposure to hazardous substances. Part 4 provides a helpful system for employers to judge whether the second condition is satisfied: the impact assessment. This method will be of particular assistance where medical testing is contemplated. Box 2 details the way in which an impact assessment may be undertaken. Impact assessments are not mandatory. Neither does the code prejudge the outcome of such an assessment. Whether or not an assessment would lead to a decision to process certain information, and the detail required of an assessment, will depend on the nature and circumstances of each employer. However, the emphasis placed on impact assessments in part 4 appears to indicate that where the Information Commissioner is considering a potential breach of the Act, demonstrating that an assessment has taken place would generally afford employers better protection than having taken no formal steps prior to making a decision.
General considerations
The main emphasis of part 4 of the code is on limiting the occasions on which an employer will process health information, and on workers' legitimate expectations that their privacy will be respected. Workers should be aware of the extent to which information about their health is being held, and employers should also be clear about the reasons for which such information is held. The purpose of collecting or holding information must be justified by specific business benefits. An important point made is that any interpretation of medical information should be left to a suitably qualified health professional. For example, where a manager requires access to medical information about a particular employee to determine whether they are fit to work, the decision may remain with the manager, but managers must not attempt to interpret the data themselves.
Employees should not have access to more information than is necessary to carry out their duties, nor should more data than necessary be collected. Who will have access to what information must be specified where an employer delegates responsibility to others. Individuals involved must be aware of their employers' responsibilities under the Act. Medical information should generally be separated from other information, and be subject to additional security, such as additional access controls on an electronic system. Specifically in relation to pensions, information collected about health to run a pension scheme should not be available to the employer unless this is necessary for the administration of the scheme. Even where this is justified, the information should not be used for any other purpose.
Legal implications
The code does not impose fresh legal obligations on employers. However, the Information Commissioner will have its recommendations in mind when determining whether or not there has been a breach of the Act in the event of a complaint from an individual. For this reason, part 4 strongly encourages employers to follow its guidance to protect themselves legally.
Many other benefits of following the code are outlined. Trust in the workplace is increased by transparency about the information being held by an employer. The code encourages good organisation of data, allowing out-of-date information to be disposed of and valuable facts to be obtained easily. The code assists with compliance with other legislation, such as the Human Rights Act 1998. Global businesses will be able to adopt similar policies and practices in other EC countries, as the code has been produced in line with an EC Directive.
The other three parts of the code, dealing with recruitment and selection, employment records and monitoring at work, are to be incorporated with part 4 in a single volume later this year.
* Available on the Information Commissioner's website (at www.informationcommissioner.gov.uk) via "Data Protection", "Your Legal Obligations" and "Codes of Practice".
† Durant v Financial Services Authority [2004] EWCA (Civ) 1746
Box 2: Impact assessments
Impact assessments should be implemented where processing is being considered, and should also be directed at existing practices. An impact assessment involves five stages:
(i) Identify clearly the purposes for which health information is to be collected and held, and the benefits this is likely to deliver. A realistic assessment must be made of the extent to which the collection of medical information will address the risks it is directed at.
(ii) Identify the adverse impact of collecting and holding the information. The consequences for workers and others who might be affected need to be carefully considered, including the extent of intrusion into a worker's personal life, whether the information will be viewed by others who do not need to see it, what impact the collection of information will have on the relationship of mutual trust and confidence between employer and employee, and whether the information will be oppressive or demeaning.
(iii) Consider the alternatives to collecting and storing medical information. This involves considering whether it is necessary to collect the medical information, and whether there is a less intrusive way of doing it. For example, health questionnaires could be used instead of medical tests; changes in the workplace could remove the need for medical testing; the collection could be confined to those employees at high risk, or to those most likely to pose a safety risk to others, such as the public; access to medical information could be limited to medically qualified staff or those with specific confidentiality agreements.
(iv) Take into account the obligations that arise from collecting and holding information. Consideration should be given to whether and how workers will be notified about the processing of their information, how the information will be kept securely and in accordance with the Act, and the implications of the rights individuals have to obtain a copy of the information stored.
(v) Judge whether collecting and storing the medical information is justified. A conscious decision must be made as to whether current or proposed processing is justified. The benefits of processing must be weighed against the adverse impact. Emphasis is placed on the need to be fair to individual workers. Significant intrusion will not normally be justified unless there is a real risk of serious damage to the employer's business. The results of any consultation with workers, trade unions or other representatives should be taken into account.
Source: Based on "Employment Practices Data Protection Code, Part 4, Information about Workers' Health".
Our research
This feature is based primarily on part 4 of the "Employment Practices Data Protection Code", "Supplementary Guidance" and "Guidance for Small Businesses", which are available from the Information Commissioner's website at www.informationcommissioner.gov.uk. Additional information has been drawn from Industrial Relations Law Bulletin no.755, also published by IRS, and from a client newsletter produced by solicitors Freshfields Bruckhaus Deringer.