Health monitoring
[ch 4: pages 42-43] The Observer article also referred to a new trend among employers to encourage employees to wear health monitoring trackers as part of corporate wellness programmes. Activity-tracking devices made by companies such as Fitbit and Jawbone include pedometers which track steps walked, and also monitor heart rates, calories burned and sleep levels. Such schemes are more commonplace in the USA and seen as necessary, given the reliance there on workplace health insurance. The technology research company Gartner has predicted that most large companies — those with more than 500 employees — in both the USA and Europe, will offer fitness trackers with their wellness programmes by 2016.
But health monitoring can also have more insidious implications. Drug and alcohol level tests, for example, can influence employers’ decisions on an individual’s suitability to be recruited, retained or promoted to certain employment roles, even if the person’s ability to do his or her job is unaffected.
The Data Protection Act 1998 (DPA) classifies health information as “sensitive” personal information. Processing of such data is more tightly regulated. Employers can only hold information about a worker’s health if it meets one of a stated list of conditions in the Act, the most relevant being the following:
• Is the processing necessary to enable the employer to meet its legal obligations, for example to ensure health and safety at work, or to comply with the requirement not to discriminate against workers on the grounds of sex, age, race or disability?
• Is the processing for medical purposes, for example, the provision of care or treatment, and undertaken by a health professional or someone working under an equivalent duty of confidentiality, such as an occupational health doctor?
• Is the processing in connection with actual or prospective legal proceedings?
• Has the worker given consent explicitly (and freely) to the processing of his or her medical information?
Part 4 of the ICO Employment Practices Code explains the obligations on employers collecting information on workers’ health, and good practice in doing so. The employer needs to undertake a privacy impact assessment (PIA) (see page 83) to ensure that the benefits gained from processing information about workers’ health justify the privacy intrusion or any other adverse impact on them, and needs to be sure that there is no practical, less intrusive way of achieving the same result. Particular care should be taken to ensure that health information is kept secure. This includes keeping medical information separate from other personnel information.