Proportionately – UK ICO releases draft employee well being info steering | Hogan Lovells

What occurred

In 2021, the ICO confirmed that it might revise the Employment Practices Information Safety Code to replicate authorized modifications and technological developments since its publication. Up to date steering could be on-line and topic-specific.

Draft steering on the dealing with of employee well being info is now out there, which is open for session till 26 January 2023. That is the second particular steering doc printed by the ICO, following the draft steering on worker monitoring launched earlier in October 2022.

The orientation undertaking

The primary message of the rules is that well being info is among the many most delicate private info an employer will deal with about their employees. Whereas employees may fairly be anticipated to share well being information with their employer, to allow employers to handle illness absence, make occupational well being suggestions, make sure that staff obtain sick pay and different entitlements and to implement inner guidelines and requirements, the quantity of knowledge shared ought to be proportionate. A ‘one measurement suits all’ strategy to amassing and processing well being information is unlikely to be acceptable.

Listed below are some key factors from the information:

• The significance of fastidiously contemplating the quantity of well being info an employer ought to acquire. That is prone to range from job to job, it’s authentic to gather extra detailed well being info from those that work in hazardous environments or whose jobs require a excessive degree of bodily health. If an employer orders a medical report on a employee, it won’t all the time be needed for the report to supply particulars of the employee’s situation. It might be sufficient for an employer to know if the employee is match to return to work or if changes are wanted.
• The truth that excessive ranges of safety should apply to well being information, which can imply that it should be saved separate from normal worker data. Employers ought to undertake a “must know” coverage to make sure that details about a employee’s well being standing is barely accessible to healthcare professionals and others who want entry to this info to satisfy their very own obligations, such because the responsibility to guard the employee or others. .
• A distinction is made between absence data that don’t comprise details about a employee’s well being standing and illness data that do. Wherever potential, the steering recommends the usage of absence registers as an alternative of illness registers, as that is much less intrusive to a employee’s privateness. Nonetheless, the rules acknowledge that employers could must course of illness data to satisfy their well being and security obligations, adjust to obligations to make cheap lodging for folks with disabilities, or make sure that staff don’t are usually not unfairly dismissed for causes of capability.
• Acknowledge that it might usually be good observe to hold out a Information Safety Influence Evaluation (DPIA) earlier than processing health-related info. In some circumstances this might be a requirement. A DPIA is prone to be significantly essential if an employer performs medical checks.

Medical checks

The part of the rules coping with medical checks is prone to be of explicit curiosity, though it largely confirms the established place.

• It might be potential to check employees, together with for medication and alcohol, in accordance with information safety necessities, however provided that testing is important and justified. Testing is extra prone to be warranted in response to an incident involving employee conduct than on a random foundation. If employers conduct testing as a part of a recruitment train, it ought to be restricted to candidates that an employer intends to nominate.
• Testing could also be justified whether it is meant to forestall a big well being and security threat or to confirm a employee’s health for responsibility. Much less intrusive technique of attaining an employer’s targets, resembling laptop checks designed to measure coordination and response instances, ought to usually be used rather than invasive medical procedures within the first place.
• Random drug or alcohol testing ought to usually be restricted to employees performing safety-critical capabilities. Even when an organization is in a security-critical business, random testing ought to be restricted to these whose jobs pose a safety threat. Random testing of all employees “will not often be justified”. To adjust to transparency necessities, employers should inform employees of drug or alcohol checks, the medication they are going to be testing, the extent of alcohol that will end in disciplinary motion and the potential penalties of a violation of a drug and alcohol coverage.