Protecting data, protecting health

Part 4 of the Employment Practices Data Protection Code was published late last year. It sets out best practice for employers, enabling them to comply with the provisions of the Data Protection Act 1998 (DPA) regarding acquiring, dealing with and releasing information about workers’ health.

The code explains that it is concerned with “personal information”, defined as information about a living person that affects the privacy of his personal or family life or his business or professional capacity. Such information is capable of identifying a person, whether on its own or in combination with other information in the organisation’s possession.

In 1991, it was confirmed that there is a basic common law duty on the employer to preserve confidential information given by employees. In Dalgleish v Lothian Borders Police Board [1991], it was held that employees’ names and addresses were confidential. The professions have long required confidentiality about patient/client information to be the ethical foundation of the working relationship. The law is clear that this ethical duty extends to occupational health practitioners.

The application of Part 4

The DPA sets out conditions governing the way an employer is permitted to collect, store and process sensitive personal data, including information on health and disability. Once a job candidate or an employee has consented to provide personal data, the code applies. The employment spectrum includes current and former successful and unsuccessful job applicants, current and former employees, as well as agency, casual and contract workers.

Records kept by the OH team are considered in law as sensitive data, as they contain health information covering a wide range of general matters that crop up in routine appointments, including telephone consultations, results of drug and alcohol tests, and any health information required to be kept by legislation or in anticipation of litigation.

Any personal information provided by a worker to an OH professional in the course of a consultation could be construed as personal data, whether through a counselling session, the completion of a health questionnaire at interview stage or during the course of a work assignment. Clearly, where fitness to work is assessed in relation to taking up or returning to employment, or in considering reasonable adjustments where the Disability Discrimination Act 1995 applies, personal data will be processed.

The new part of the code recommends how employers can meet obligations under the DPA, explaining the steps that must be taken to ensure that data is stored and accessed under strict conditions and specifying how medical data is dealt with.

The starting-point is consent from the data subject, and the code makes it clear that consent must be explicit. Not only must consent be given, it must be on the basis that the data subject knows what they are consenting to and how the information given will be used.

With the advent of helpline services, there are likely to be increasing numbers of complaints about whether or not consent has been obtained from the data subject to the collection and storage of data. The code refers to consent being “explicit” and “freely given”, otherwise it cannot be relied upon. The worker must be permitted to refuse consent “without penalty” and to withdraw consent once given. Consent should be renewed from time to time. The code states explicitly that, “blanket consent obtained at the outset of employment cannot always be relied on.”

Commonsense features

Sickness and injury records are often mixed with general absence records, but the code suggests that they be separated – for example, by an additional password. Information about the nature of an illness may not necessarily be relevant when it is the length of the absence that concerns the employer. The code states that the law may be changed to cover aspects of the way sickness and injury records are kept. In the meantime, the best practice is to deal with these records as sensitive data and afford them the relevant degree of security to prevent unauthorised access and/or misuse.

The code points out that the ‘league tables’ of sickness absence of individual workers “should not be published because the intrusion of privacy in doing so would be disproportionate to any managerial benefit.”

Records kept for OH schemes contain sensitive personal data. The code repeats the basic thesis that managers do not need medical details about individual workers or members of their families.

On a practical level, an employee may consent to such disclosure if it makes absence or claims on an OH scheme more understandable to management and assists all parties. The code confirms that consent to disclosure in such circumstances should be in writing, and it would be sensible to indicate not only consent but the nature of the explanation that has been given to the data subject on which the consent is based.

Quality and security standards in many organisations require that e-mails and telephone conversations are monitored, and the code points out that if any confidential information is retrieved accidentally, the accidental recipient should delete it and keep no record. Staff should be informed that where confidential information is accidentally retrieved, the recipient is bound by the utmost confidentiality in respect of the acquired knowledge, a breach of which will lead to disciplinary procedures.

Confidentiality rules

OH practitioners will find no surprises in Part 4 of the code, and may be relieved to see it resolve some of the stand-off issues between OH and HR, offering detailed support for complying with the letter and spirit of the law.

The Employment Tribunal recently supported the stance taken by an OH nurse, with a decision anticipating the contents of the code. In Cooke v West Yorkshire Probation Board, Cooke refused the HR manager’s demand to see the health screening form of a person who had recovered from hepatitis and had been passed fit for work. Nevertheless, the HR manager took the file and read the confidential medical information.

Cooke complained and eventually claimed constructive dismissal. The tribunal found that the principal reason for dismissal was because Cooke had made a protected disclosure. There is no report of any action taken by the Information Commissioner on the clear breach of the DPA.

Further information

The Employment Practices Data Protection Code may be downloaded from the Information Commissioner’s website on

Guidance on Ethics for Occupational Physicians, Faculty of Occupational Physicians, 5th Edition, May 1999 ISBN 1-860160112-X

Linda Goldman is a barrister at 7 New Square, Lincoln’s Inn. She is head of training and education for Advisory, Consulting & Training Associates and Virtual Personnel. Joan Lewis is the senior consultant and director of Advisory, Consulting & Training Associates and Virtual Personnel, employment law and advisory service consultancies, licensed by the General Council of the Bar under BarDirect. Tel: 020 8943 0393

Supplementary guidance

Although the supplementary guidance to Part 4 of the code is essential reading, it does no more than clarify the standards of excellence to which the profession aspires. It sets out the general considerations applicable to information about workers’ health and concludes with a helpful list of answers to frequently asked questions.

Highlights of the supplementary guidance

  • Medical tests, and the keeping of records of them, must be carried out in accordance with the code’s guidelines
  • Persons authorising tests should have received training
  • Where tests are justified within the disciplinary policies and procedures or the employer’s code of acceptable or required conduct, all rules and standards must be known to those eligible for testing
  • Non-intrusive tests (such as cognitive or behavioural tests, where alcohol or drug abuse is suspected) may be preferable to blood or other tests since it is the effect on behaviour, appearance and demeanour that affects the individual’s ability to work
  • Covert testing should be avoided where it involves the processing of personal data, as such tests may contravene the DPA
  • Persons contracting to work abroad may require extensive testing that is not required for routine employment in the UK and should be informed of the reason for any tests
  • Persons without medical qualifications need only information about the impact of a condition on a person’s ability to work
  • A high level of security should be applied to storage of sensitive personal data – this may need to be higher than security applicable to general employment records, which should preferably be kept separate from health records
  • ‘Need to know’ access should be restricted to information that enables managers to fulfil managerial responsibilities
  • Safety representatives have a legal right of access to information required for fulfilment of their functions but information should not identify any worker unless specific consent has been given or the name must be disclosed by law (for example, Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 1995)
  • Questionnaires should be relevant for the purpose and only interpreted by those qualified to draw meaningful conclusions from the information obtained
  • Care should be given to the design of questionnaires so as to avoid disability discrimination
  • Full medical records will rarely need to be disclosed to an employer

Core principles of the code

  • Employers should be aware that the mere obtaining of health information is intrusive
  • Workers have a legitimate expectation that their employers will respect their privacy with regard to their health information (this is a basic human right under Article 8 of the European Convention on Human Rights, incorporated into the Human Rights Act 1998)
  • Collecting and holding such information must be done with a clear purpose and justified by real benefits
