Fears that employers will need individual employees’ permission to keep
their sickness records are largely unfounded, experts claim.
The latest instalment of the code of practice on data protection, released
last month, caused concern by stating that sickness records, as opposed to
absence records, were "sensitive personal data" under the Data
Protection Act 1998 and therefore subject to strict conditions on use.
The Act allows employers to keep such data without obtaining consent
however, if it is necessary for them to comply with legal requirements.
"This is definitely something that has been missed," said Diane
Sinclair, lead adviser on public policy at the CIPD. "Keeping sickness
records to meet regulatory requirements in relation to SSP or disability
discrimination, for example, is allowed."
The records management code itself makes clear that keeping records to
ensure staff are not dismissed unfairly for absences is also permissible
without consent.
"Though the Act itself does not put it beyond doubt, this final code
puts out the very clear message that as long as employers keep and use sickness
records in a reasonable manner, they can justify this in terms of their legal
obligations and will not need individual consent," said Lucy Baldwinson,
professional support lawyer at Allen & Overy.
The Lord Chancellor is now planning amendments to the DPA to close the gap
between statute and practice.
Implementation of the code will prove to be a huge administrative burden on
HR because most employers will need to completely overhaul their absence
management systems, Sinclair warned. "We are not entirely happy about the
separation between personal and sensitive personal data," she said.
"This practice may already exist in some companies where occupational
health departments know why a staff member is off sick, while the HR team only
know how long they have been absent.
"But many companies will need to change their practices."
Warren Wayne, partner at Boodle Hatfield, advised employers to keep sickness
records and absence records absolutely separate. For sick pay purposes, for
example, payroll needs access only to absence records, not the reasons for
absence.
"Managers should be permitted to have access to sickness records so
they can investigate persistent short-term illness or long-term illness absence
issues. This information should only be available to those who reasonably
require it as part of their duties (including HR departments)," he added.
Find out more on Employment Practices Data Protection CodePart 2 at www.dataprotection.gov.uk
What does the code say?
– Distinguish between sickness data,
which is "sensitive", and absence data, which is not
– Ensure keeping sickness records can be justified by reference
toat least one of sensitive personal data conditions in DPA (see page 53 of
code)
– Devise separate systems for sickness and absence records and
restrict access to sickness records on a need-to-know basis
– Conduct risk analyses when deciding whether to keep data on staff
and for how long
– Provide workers with an annual copy of their basic employment
record
– Eliminate irrelevant or excessive data from files on a regular
basis
– Incorporate confidentiality clauses into employees’ contracts
of employment
– Establish procedures and rules for removing staff records
from systems
