New code governs information about workers' health

The publication of part 4 of the Employment Practices Data Protection Code provides practical guidance for employers and trustees dealing with medical information. It is important that information collected is necessary and no more intrusive than it needs to be. This feature looks at the scope of the Code, the recommendations made and the implications for pension schemes.

Summary of key points

  • Part 4 of the Employment Practices Data Protection Code, which provides guidance on how medical information should be dealt with, has recently been issued.
  • The code does not impose new legal obligations, but employers are strongly encouraged to follow it to help protect themselves from legal action.
  • Information about workers' physical or mental health is "sensitive data", requiring additional conditions to be met for processing.
  • Impact assessments are the recommended tool for determining whether a particular use of information is justified by real business benefits.
  • Additional security will be required where information about workers' health is to be stored.
  • Medical information should only be interpreted by a suitably qualified health professional.

    The Data Protection Act 1998 came into force in March 2000. Since that date various publications have been produced by the Information Commissioner to aid interpretation of the Act. The principal one for those working in pensions is the final part of the four-part Employment Practices Data Protection Code*. It deals exclusively with information about the health of workers. In addition, supplementary guidance and guidance for small businesses have been published. The assistant Information Commissioner, David Smith, says: "Information about people's health is very sensitive and requires effective protection. This part of the code addresses issues of real, practical relevance to many employers and those they employ."

    Application of part 4

    The code extends beyond employees. The term "worker" is of much wider scope, and includes current and former employees, successful and unsuccessful applicants or former applicants for work, current and former agency staff, casual staff and contract staff. Volunteers, those on work experience placements and presumably apprentices will also be covered.

    The general rules in the Act about what sort of information will be included are reflected in the code. Any information about individuals kept by a data controller on computer or other electronic system, or a "relevant filing system" on paper in an employment context, will be within the ambit of the code. The Court of Appeal has now examined the concept of a relevant filing system in the Durant case. To be covered by the Act, the system must be well structured, and it should be simple to search for a particular type of information about a certain individual. A bundle of papers about individual workers will not suffice.

    Sensitive personal data

    Part 4 of the code focuses on health information. This is likely to be "sensitive personal data", such that, in addition to the general data protection principles, further conditions must be met before the employer can process the information in any way. Box 1 details the conditions identified in part 4 as being the most relevant to the employment context.

    Many examples are given of the type of information that will be covered by part 4 of the code. The definition of sensitive personal data includes information about an individual's physical or mental health or condition. This could be noted by an employer as a part of sickness records, or a record of disabilities to facilitate adaptations in the workplace and for equal opportunity purposes. Information may be available about a worker's medical history in a pre-employment questionnaire, or obtained during the course of an interview, for example to assess fitness for work. Drug and alcohol testing, blood tests and genetic tests are dealt with in some detail in the code. Information obtained through medical examinations carried out as part of an occupational health scheme or a private medical insurance scheme is covered. Although not mentioned as a specific example, similar medical examinations or information obtained to determine whether an employee can obtain an early retirement pension through ill health or other pension benefits would fall within the scope of part 4.

    The code distinguishes between absence records, and sickness and injury records. An absence record may note that a person is absent due to illness or accident, but will not contain any further detail. A sickness record will give further information as to the condition suffered by the worker. Similarly, an injury record will detail the type of injury sustained by an identifiable worker. Absence records do not contain sensitive data, and therefore do not fall within the ambit of part 4.

    Some pension schemes require medical information to be provided before admitting an employee to membership. Medical testing or examinations for this purpose should only be used in relation to those likely to be employed, but applicants should be alerted to any such requirement at an early stage.

    Impact assessments

    If one of the sensitive data conditions is satisfied, an employer will still have to ensure that either:

    (a) it is under a legal duty to process information about a worker's health; or

    (b) the benefits gained from processing the information justify the privacy intrusion or any other adverse impact on the individual.

    As to the first option, there are a number of legislative measures that require an employer to obtain and record certain health information, the example given being the duty to monitor workers' possible exposure to hazardous substances. Part 4 provides a helpful system for employers to judge whether the second condition is satisfied - the impact assessment. This method will be of particular assistance where medical testing is contemplated. Box 2 details the way in which an impact assessment may be undertaken. Impact assessments are not mandatory. Neither does the code prejudge the outcome of such an assessment. Whether or not an assessment would lead to a decision to process certain information, and the detail required of an assessment, will depend on the nature and circumstances of each employer. However, the emphasis placed on impact assessments in part 4 appears to indicate that where the Information Commissioner is considering a potential breach of the Act, demonstrating that an assessment has taken place would generally afford employers better protection than having taken no formal steps prior to making a decision.

    General considerations

    The main emphasis of part 4 of the code is on limiting the occasions on which an employer will process health information, and on workers' legitimate expectations that their privacy will be respected. Workers should be aware of the extent to which information about their health is being held, and employers should also be clear about the reasons for which such information is held. The purpose of collecting or holding information must be justified by specific business benefits. An important point made is that any interpretation of medical information should be left to a suitably qualified health professional. For example, where a manager requires access to medical information about a particular employee to determine whether they are fit to work, the decision may remain with the manager, but managers must not attempt to interpret the data themselves.

    Employees should not have access to more information than is necessary to carry out their duties, nor should more data than necessary be collected. Who will have access to what information must be specified where an employer delegates responsibility to others. Individuals involved must be aware of their employers' responsibilities under the Act. Medical information should generally be separated from other information, and be subject to additional security, such as additional access controls on an electronic system. Specifically in relation to pensions, information collected about health to run a pension scheme should not be available to the employer unless this is necessary for the administration of the scheme. Even where this is justified, the information should not be used for any other purpose.

    Legal implications

    The code does not impose fresh legal obligations on employers. However, the Information Commissioner will have its recommendations in mind when determining whether or not there has been a breach of the Act in the event of a complaint from an individual. For this reason, part 4 strongly encourages employers to follow its guidance to protect themselves legally.

    Many other benefits of following the code are outlined. Trust in the workplace is increased by transparency about the information being held by an employer. The code encourages good organisation of data, allowing out-of-date information to be disposed of and valuable facts to be obtained easily. The code assists with compliance with other legislation, such as the Human Rights Act 1998. Global businesses will be able to adopt similar policies and practices in other EC countries, as the code has been produced in line with an EC Directive.

    The other three parts of the code, dealing with recruitment and selection, employment records and monitoring at work, are to be incorporated with part 4 in a single volume later this year.

    * Available on the Information Commissioner's website (at www.informationcommissioner.gov.uk) via "Data Protection", "Your Legal Obligations" and "Codes of Practice".

    Durant v Financial Services Authority [2004] EWCA (Civ) 1746

    Box 1: Sensitive personal data conditions

    Processing information about workers' physical or mental health will be illegal unless a sensitive data condition is satisfied. The most relevant conditions to employment, as identified in part 4, are:

    (i) The processing is necessary for an employer to carry out its legal obligations. For example, to ensure health and safety at work, to select workers with the health and physical capacity for employment, to prevent discrimination, to determine industrial injuries benefit, or to prevent the unfair dismissal of workers on grounds of absence. This category is of wide application.

    (ii) The data subject has given their explicit consent to processing. To comply with this condition, the worker must be told clearly what information is involved, how it will be processed, and the purpose of processing. Consent must be freely given with no penalty imposed for refusal. Blanket consent obtained at the outset of employment may not be sufficient.

    (iii) The processing is necessary to protect the vital interests of the worker or another person where consent cannot be given or cannot reasonably be obtained, or to protect another person where the worker's consent is unreasonably withheld. This is intended to deal with medical emergencies.

    (iv) The processing is in connection with actual or prospective legal proceedings, to obtain legal advice, or is otherwise necessary to establish, exercise or defend legal rights. The main relevance of this condition will be where there are prospective or ongoing tribunal or court proceedings.

    (v) The processing is necessary for reviewing equal opportunities, does not support decisions about individuals and is unlikely to cause substantial damage or distress. This is most relevant to workers with disabilities, and such processing may also fall within (i) above.

    (vi) The data subject concerned has made the information public.

    (vii) The processing is necessary to carry out statutory functions. This is of use in the public sector.

    (viii) The processing is necessary for medical purposes such as preventative medicine and medical research. The processing should be undertaken by a health professional or someone working under an equivalent duty of confidentiality.

    (ix) The processing is in the substantial public interest, is necessary for research purposes, does not support decisions about individuals and is unlikely to cause substantial damage or distress. For example, research into occupational disease or illness.

    Source: Based on "Employment Practices Data Protection Code, Part 4, Information about Workers' Health, Supplementary Guidance".

    Box 2: Impact assessments

    Impact assessments should be implemented where processing is being considered, and should also be directed at existing practices. An impact assessment involves five stages:

    (i) Identify clearly the purposes for which health information is to be collected and held, and the benefits this is likely to deliver. A realistic assessment must be made of the extent to which the collection of medical information will address the risks it is directed at.

    (ii) Identify the adverse impact of collecting and holding the information. The consequences for workers and others who might be affected need to be carefully considered, including the extent of intrusion into a worker's personal life, whether the information will be viewed by others who do not need to see it, what impact the collection of information will have on the relationship of mutual trust and confidence between employer and employee, and whether the information will be oppressive or demeaning.

    (iii) Consider the alternatives to collecting and storing medical information. This involves considering whether it is necessary to collect the medical information, and whether there is a less intrusive way of doing it. For example, health questionnaires could be used instead of medical tests; changes in the workplace could remove the need for medical testing; the collection could be confined to those employees at high risk, or to those most likely to pose a safety risk to others, such as the public; access to medical information could be limited to medically qualified staff or those with specific confidentiality agreements.

    (iv) Take into account the obligations that arise from collecting and holding information. Consideration should be given to whether and how workers will be notified about the processing of their information, how the information will be kept securely and in accordance with the Act, and the implications of the rights individuals have to obtain a copy of the information stored.

    (v) Judge whether collecting and storing the medical information is justified. A conscious decision must be made as to whether current or proposed processing is justified. The benefits of processing must be weighed against the adverse impact. Emphasis is placed on the need to be fair to individual workers. Significant intrusion will not normally be justified unless there is a real risk of serious damage to the employer's business. The results of any consultation with workers, trade unions or other representatives should be taken into account.

    Source: Based on "Employment Practices Data Protection Code, Part 4, Information about Workers' Health".

    Our research

    This feature is based primarily on part 4 of the "Employment Practices Data Protection Code", "Supplementary Guidance" and "Guidance for Small Businesses", which are available from the Information Commissioner's website at www.informationcommissioner.gov.uk. Additional information has been drawn from Industrial Relations Law Bulletin no.755, also published by IRS, and from a client newsletter produced by solicitors Freshfields Bruckhaus Deringer.