Protecting health information
[ch 10: pages 188-189]
The Information Commissioner’s Office (ICO) Employment Practices Data Protection Code deals with information about workers’ health (in part 4). The code is not legally binding but it provides clarification of the law and establishes standards which employers are expected to follow. At the time the booklet went to press, the ICO had not updated the code since the Data Protection Act 2018 and the European General Data Protection Regulation (GDPR) became law.
The ICO code says obtaining details of workers’ health is “intrusive”, adding: “Workers have legitimate expectations that they can keep their personal health information private and that employers will respect their privacy”. Employers can only gather information about workers’ health if they can satisfy a “sensitive data condition”, for example, if they need the information to meet their obligations under health and safety law or to prevent discrimination, or if a worker has given their consent freely.
The code covers the following specific areas relating to workers’ health:
• sickness and injury records;
• occupational health schemes;
• information from medical examinations and testing;
• information from drug and alcohol testing; and
• information from genetic testing.
The Code also restricts the scope of drug and alcohol testing at work and makes it clear that companies must not use genetic testing to predict workers’ future general health. Such testing may take place only where “a worker with a particular, detectable genetic condition is likely to pose a serious safety risk to others”, or where “it is known that a specific working environment or practice might pose specific risks to workers with particular genetic variations”.
Guidance accompanying the Code confirms the rights of safety reps, saying that they “have a legal right of access to information that they need to fulfil their functions”. Although an employer should not provide data identifying an individual worker without that worker’s consent, “the law does not prevent an employer from providing anonymised information to a safety representative”. Unions generally welcomed the Code, despite some concerns about drug testing.
Also see the box on pages 91-92 concerning the case of a bus driver who won compensation for unfair dismissal after he was falsely accused of driving under the influence of cocaine, having tested positive in a workplace drug test.
ICO, Employment Practices Data Protection Code (information about workers’ health) (https://ico.org.uk/media/for-organisations/documents/1064/the_employment_practices_code.pdf)
ICO, Employment Practices Code (supplementary guidance) (https://ico.org.uk/media/for-organisations/documents/1066/employment_practice_code_supplementary_guidance.pdf)
TUC guidance for safety reps on drug testing at work is available from the health and safety pages of the TUC website (https://www.tuc.org.uk/sites/default/files/DrugTestingintheWorkplace.pdf).