
Annie Hayes




How to: Keep workers’ health records in line with Data Protection



Paul Avis from Employ-Mend discusses what is needed to comply with Part 4 of the Employment Practices Data Protection Code, issued under the Data Protection Act 1998, which covers a particularly contentious area: workers’ health records.

In December 2004 Part 4 of the Employment Practices Data Protection Code (Information about Workers’ Health) was launched, completing the clarification of employers’ obligations under Data Protection. With employee health being the most sensitive area of all, employers should take note of what is now required:

  • Employers will need a sensitive data condition, normally the employee’s explicit consent, before holding such records.

  • Employees will have access to all such records unless the information is deemed harmful to them; medical staff will need to assess what is and is not harmful.

  • Such data should be held separately from the normal HR database, with tighter access controls.

  • HR and line managers will need training in data management to ensure compliance.

While the detail of the code is clear, its purpose is also of interest: to balance employees’ expectations about their personal information against the employer’s need to run the organisation.

In adopting the code, employers will also be working in tandem with other related areas including:

  • the Human Rights Act 1998 (particularly Article 8 of the Convention it incorporates: the right to respect for private and family life).

  • the Regulation of Investigatory Powers Act 2000.

  • EC Directive 95/46/EC, which sets the European standard for the storage and management of personal data.

Anonymised information is excluded. Included is information held on current and former employees, agency, casual and contract staff, and on applicants and former applicants, whether successful or not.

Personal information includes e-mails, payroll information, line management notes, personnel files, absence/leave records and application forms: in simple terms, any structured record keeping. Sensitive data, specifically information on an employee’s ‘physical or mental health or condition’ and ‘disabilities’, falls under this code, but employers are also reminded of three further parts of the previously launched Employment Practices Code which also have an impact on workers’ health records:

  • Recruitment and Selection (e.g. use of tailored pre-employment vetting).

  • Employment Records (e.g. retaining sickness absence records).

  • Monitoring at Work (e.g. use of Private Investigators on absent employees).

Focusing on health records:

Examples of records kept about workers’ health include:

  • employee questionnaires to detect problems with health

  • information about disabilities/special needs

  • eye tests

  • blood tests

  • drug/alcohol tests

  • fitness for work assessments

  • vaccination/immunisation status

Excluded are a line manager’s informal enquiries about an employee’s health where there is no intention of keeping a record. The Code covers the data kept following an intervention such as a blood test, not the taking of the test itself.

Where sensitive data is to be held the employer must be able to show a need to hold it. For example: is it needed to meet a legal obligation such as health and safety compliance or a tribunal claim? Is it held for medical purposes by someone under a duty of confidentiality, such as an occupational health physician? Is it needed for legal proceedings?

Employees will normally have to give explicit consent for the employer to hold such records. However, blanket consent obtained at the outset of employment cannot always be relied on, so employers need to review exactly what the employee has signed up to.

In addition the employee must give such consent freely. That sounds straightforward but becomes more complicated where no consent is given: how can an employer run employee benefit schemes where medical information is needed to admit or decline claims, or assess ongoing fitness for current and future work?

The advice must be to seek explicit consent wherever possible and, where an employee initially refuses, to provide assurances that there will be little or no change in the record keeping itself. Where this fails it may be necessary to have employment lawyers draft an appropriate message to the employee noting the areas of concern (for example that the employer and its healthcare benefit suppliers can only base decisions on the information they hold at the time). Employees can also withdraw consent at any time.

The Code recommends that employers undertake ‘impact assessments’ for information identified as sensitive data. In effect the employer must be able to show why the records are held (for example to comply with the COSHH Regulations 2002) and that there is a benefit in holding them (for example maintaining a healthy workforce) that is not outweighed by an adverse effect such as intrusion into privacy.

To achieve this, employers must clearly identify the purpose and benefits of holding health information, identify any adverse impacts of doing so, consider alternatives to holding such records, be clear on their obligations if they hold such information and ensure that there is a justification in their approach.

Adverse impact concerns include the potential breakdown in trust between workers and employers, whether it is oppressive or demeaning and whether inappropriate personnel will see sensitive data.

The recommendation is that the data is held on a single, and preferably separate, database rather than mixed into the normal HR database, and that such records support a prescribed, consistent approach to managing employee health or sickness absence.

An alternative could be that only medical staff see such records, or that testing is limited to high-risk groups. The Code suggests that ‘medical testing be targeted at individuals who have exhibited behavioural problems that may be drink or drug related rather than at all workers’. If such groups are targeted, employers will need to consider the risk of allegations of bullying or harassment and possibly even breaches of the Disability Discrimination Act 1995. Where a medical report is commissioned the Code also suggests that a view on fitness for continued employment, rather than medical details, is sought.

The Information Commissioner has broken this down further into six sets of good practice recommendations and suggests that these will be most relevant to larger organisations or those working in safety-critical environments:

1. Information about workers’ health: general conditions
A whole range of recommendations are made in this section but the implications of the most contentious need to be assessed.

It is recommended that only ‘suitably qualified health professionals’ should interpret a worker’s suitability for work, so employers that currently make their own assessments from pre-employment questionnaires should stop doing so.

With costs ranging from £10 to £25 per questionnaire this should not be too costly a change and may afford the employer extra protection. Employees authorised to handle sensitive data should be fully briefed and trained on the terms of the Code and on their personal responsibility (and that of the organisation) to comply.

For example, line managers who hold sensitive data, perhaps relating to an employee’s absence, should not leave workstations unlocked. Where sensitive information has been printed it should be stored securely in hard copy until the absence is resolved, at which point it should be passed to the central HR database or collection point.

Collecting information about workers’ health is unlawful unless one of the sensitive data conditions is satisfied. The use of private investigators should be carefully assessed on the basis of what degree of intrusion is acceptable and why such services are being commissioned. Safety representatives will also need to be covered by express consents if accident/injury records identify the individual. The explicit consent wording should ensure that all of the organisation’s health support suppliers (both internal and external) are allowed to hold such data.

Sensitive data should ideally be kept away from generic personnel information with access subject to a higher level of security (for example in a sealed envelope or additional access controls).

Line managers who hold spreadsheets or personnel records in their units should be especially wary of this, and the use of ‘wall planners’ (colloquially, ‘name and shame walls’) to display individuals’ absence volumes will have to cease; their use as holiday planners is still acceptable.

Sensitive information necessary to run either a pension or a health insurance scheme should not be available to the employer unless essential to the employer’s role in running the scheme (for example it would not be necessary for an employer to see a full file on a Group Income Protection claimant unless perhaps the claim was declined). It would be better for an Occupational Health specialist to undertake the medical review, with an employment lawyer, broker or adviser interpreting the policy wording, as long as such external suppliers are permitted to do so under the explicit consent terms.

2. Sickness and injury records:
Under the terms of the Code ‘absence records’ are not necessarily sensitive until they highlight a medical condition turning them into ‘sickness records’. In turn it says that an ‘accident record’ only becomes an ‘injury record’ where it highlights details of the injury rather than the accident.

Whilst the recommendation is to restrict ‘sickness and injury’ records and use ‘absence and accident’ records, in reality the line manager will often need to know rudimentary health information to gauge the scope of the issue and hence in many instances sensitive data could be held.

The Code actually states that, ‘Managers should not have access to more information about a worker’s health than is necessary for them to carry out their management responsibilities’ and this should be limited to fitness for work information rather than general medical information.

Hence, while it is only a semantic point that a ‘wall planner’ is an absence record, the Code later states that ‘no league tables’ of individual records should be kept. Best practice is therefore to dispense with the ‘shaming wall’ and to give line managers automated prompts when employees exceed the absence policy’s patterns or triggers.

This ties in with the requirement that health records should only become available where the absence/accident record requires it. Sickness and injury records should only be used where explicit consent has been gained or where there is a legal requirement. Simple absence/accident records, together with legal justification, are therefore a further way in which those who do not give explicit consent can still be proactively managed. There is also nothing to prevent the employer from requesting information through the consent process of the Access to Medical Reports Act 1988, but any information provided cannot be retained or stored beyond immediate use unless there is the potential for legal action.
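The separation the Code asks for (sensitive health data kept apart from the general HR record with tighter access, managers seeing fitness for work but not medical detail, and absence triggers driven from the non-sensitive absence record) can be made concrete in code. The following is an added example, not from the article or from the Code, of a minimal record store that enforces that separation: worker ids, dates, the two roles and the three-spells-in-365-days trigger policy are all constructed for illustration.

```python
"""Added example, not from the article or the Code: a minimal record store that
keeps the non-sensitive absence record and the sensitive sickness record apart,
derives the line manager's absence trigger from the absence record only, and
drops the sensitive record when consent is withdrawn.
Worker ids, dates, roles and the 3-spells-in-365-days trigger are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

AS_OF = date(2005, 1, 31)   # constructed reporting date


@dataclass(frozen=True)
class AbsenceSpell:
    """Absence record: dates only, no reason (not sensitive under the Code)."""
    start: date
    end: date


@dataclass(frozen=True)
class SicknessDetail:
    """Sickness record: the medical reason behind a spell (sensitive data)."""
    spell_start: date
    condition: str
    fit_for_work: bool


# Hypothetical roles: managers see fitness for work, never the condition.
ROLE_FIELDS = {
    "line_manager": {"absence", "fit_for_work"},
    "occupational_health": {"absence", "fit_for_work", "condition"},
}


class HealthRecordStore:
    def __init__(self, trigger_spells=3, window_days=365):
        self._absence = {}    # worker -> [AbsenceSpell]; general HR data
        self._sickness = {}   # worker -> [SicknessDetail]; held separately
        self._consent = {}    # worker -> explicit consent on file?
        self.trigger_spells = trigger_spells
        self.window_days = window_days

    def give_consent(self, worker):
        self._consent[worker] = True

    def withdraw_consent(self, worker):
        """Consent can be withdrawn at any time: the sensitive record goes,
        the absence record (which needs no consent) stays."""
        self._consent[worker] = False
        self._sickness.pop(worker, None)

    def record_absence(self, worker, spell):
        self._absence.setdefault(worker, []).append(spell)

    def record_sickness(self, worker, detail):
        # Modelled sensitive data condition: explicit consent must be on file.
        if not self._consent.get(worker):
            raise PermissionError("no explicit consent on file for " + worker)
        self._sickness.setdefault(worker, []).append(detail)

    def absence_trigger(self, worker, as_of):
        """Policy trigger computed from dates alone: N or more spells starting
        within the rolling window that ends at as_of."""
        window_start = as_of - timedelta(days=self.window_days)
        recent = [s for s in self._absence.get(worker, [])
                  if window_start <= s.start <= as_of]
        return len(recent) >= self.trigger_spells

    def view(self, role, worker, as_of):
        """Return only the fields the role is allowed to see."""
        allowed = ROLE_FIELDS[role]          # unknown role -> KeyError
        out = {"worker": worker}
        if "absence" in allowed:
            out["absence_spells"] = [(s.start.isoformat(), s.end.isoformat())
                                     for s in self._absence.get(worker, [])]
            out["trigger"] = self.absence_trigger(worker, as_of)
        details = self._sickness.get(worker, [])
        if "fit_for_work" in allowed and details:
            out["fit_for_work"] = details[-1].fit_for_work
        if "condition" in allowed:
            out["conditions"] = [d.condition for d in details]
        return out


def build_sample_store():
    """Constructed sample data: w-0001 has consented and has three spells in
    the window; w-0002 has not consented and has one spell."""
    store = HealthRecordStore()
    store.give_consent("w-0001")
    for start, end in [(date(2004, 3, 1), date(2004, 3, 3)),
                       (date(2004, 7, 12), date(2004, 7, 12)),
                       (date(2004, 11, 22), date(2004, 11, 26))]:
        store.record_absence("w-0001", AbsenceSpell(start, end))
    store.record_sickness("w-0001", SicknessDetail(
        date(2004, 11, 22), "back strain (constructed)", False))
    store.record_absence("w-0002", AbsenceSpell(date(2004, 9, 6), date(2004, 9, 7)))
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print(s.view("line_manager", "w-0001", AS_OF))
    print(s.view("occupational_health", "w-0001", AS_OF))
```

The point of the design is that the manager’s prompt (`trigger`) never touches the sickness store, so a worker who withholds or withdraws consent can still be managed on absence dates alone, and the only health field a manager ever receives is the fitness-for-work flag.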

3. Occupational health (OH) schemes
Workers should be confident that information passed on to medical personnel will remain confidential, and it is recommended that a written summary of the role of OH is provided to employees.

In addition, if employees contact OH or other support services, employers should not monitor such transactions (e-mail, phone etc) as this could compromise confidentiality. OH personnel are guided by the Faculty of Occupational Medicine guidelines and employers should respect this at all times.

Medical records should ideally be held by suppliers of such services in a confidential OH file. Only relevant information should be sought rather than a full medical history unless the OH team deems it to be necessary.

4. Information from medical examinations and tests
All information held here should be subject to the best practice test of being relevant, up to date and secure. In turn employees should be aware of organisational rules and standards. Communication of absence policies, drug/alcohol testing approaches, fitness for work/health & safety policies should all be clearly highlighted.

Testing or medical assessments should only be carried out where it is necessary to ascertain an employee’s fitness for work, to meet any legal requirement or to join any pension or insurance scheme.

Covert testing of bodily samples will almost never be justified, and if a different test is to be run on a sample already taken the employee should consent before that happens. The Code also recommends that a record is kept of the reason for the assessment and of the sensitive data condition relied on, and that the least intrusive approach is taken (for example a written rather than face-to-face pre-employment medical).

A medical assessment should only be undertaken where workers have a free choice about participating, and where it serves to prevent risk to themselves or others, to assess fitness for work (continuing, or on return after an absence), to comply with legal obligations or to prevent discrimination (for example by identifying adjustments required under the Disability Discrimination Act).

In addition it can be used to ‘determine the worker’s entitlement to health related benefits for example sick pay’ and so once again by not providing an express consent an employee could actually jeopardise this entitlement and even lose access to a Group Income Protection benefit.

While the duration of the absence (non-sensitive data) is all that is needed to qualify for this benefit, medical information (sensitive data) is needed to validate the extent of the sickness against the policy wording, and withholding it could make this impossible. Employers should not use such information for any purpose other than that intended (for example using sick pay records to decide who to consider for redundancy), and once the reason for the assessment has been dealt with the information should be deleted.

5. Information from drug and alcohol testing
This can only be undertaken for health and safety reasons or after an incident, with a full impact assessment made before any tests are carried out, and it should be based on a clear policy.

The objective is to assess for drugs and alcohol use on the basis of being safe at work rather than for illegal usage in the employee’s private life unless this were warranted (e.g. undermining confidence in law enforcement if a Police Officer were taking drugs).

Key to this is being clear about what is being tested for and what impact such substances could have on the employee’s work performance. The criteria for selecting employees should therefore be justified, properly documented, adhered to and fully communicated (e.g. if random testing is the organisational norm it must be truly random and not based on specific suspicions, unless the policy also provides for testing on suspicion).

In turn only relevant groups should be tested (e.g. drivers and not white collar workers for alcohol). Tests should be undertaken only by suppliers with sufficient technical quality who are competent in the field of drug testing and employers should provide a retained second sample to the employee if requested. A dispute resolution procedure should be made available.

6. Information from genetic testing (GT)
While still in its infancy as an approach, the degree of information available from such tests has led the Information Commissioner to believe that it could become more commonplace in the future.

At this stage, however, it is recommended that employers do not use new or historical genetic test results to predict an employee’s health: it is too intrusive and could deter employees from being tested for their own benefit. The Commissioner does concede that it could be used as a last resort where it enables workplace adaptations to be planned and where the Human Genetics Commission has been advised.

The message of the Code is clear: all employers will have to scrutinise carefully a range of policies, processes and record keeping systems to ensure compliance with the Act. Remembering that employees will have access to all such records unless the information is deemed harmful, the training or coaching of line management on all aspects of record keeping in the health arena will need to be formalised, with health information held on a single, separate database.

The new breed of outsourced sickness absence management suppliers have based their businesses on being compliant with Data Protection, and many will already have formal protocols and methodologies in place. Organisations that do not outsource would be advised to review their employee health record keeping and management.

For further details please contact Paul Avis at:
