The Information Commissioner has published the first three
parts of a four-part code on Data Protection. The final section, on health
records, is yet to be published. In anticipation of this, Shona Findlay, a
solicitor at McGrigor Donald, examines current best practice in relation to
employment health records
Q Do health records fall under the ambit of the Data Protection Act 1998?
A Yes. The extension of the scope of data protection legislation to
include manual records means that many health records are caught by data
protection for the first time.
Employers hold a variety of health records. Sickness, accident and absence
records are commonly held by employers, and will fall within this definition.
Information on disabilities or particular health conditions may also be held on
file, and are also covered by the Act.
Q Are employers allowed to hold this information under the Act?
A Yes. The Information Commissioner recognises that sickness,
accident and absence records are an essential way of monitoring attendance
levels and assessing whether staff can undertake the work they are employed
for. Such records also provide employers with important health and safety
Q Is there a distinction between sickness, accident and absence records?
A Yes. Sickness and accident records contain details of the illness,
condition or accident suffered by the worker. Absence records, however, may
explain the reason for the absence as ‘sickness’ or ‘accident’, but do not
include any reference to specific medical conditions. In the case of generic
absence records, it is only necessary to comply with general processing
criteria under the Act.
If it can be shown for example, that the processing is necessary for the
performance of the employment contract, or that it is necessary to hold absence
records to monitor staff attendance levels,then the employer will be complying
with the requirements.
The Information Commissioner recommends that sickness and accident records
be separated from absence records, and that sickness and accident records
should not be accessed where records of absence could be used instead.
Q What additional criteria do employers have to satisfy under the Act
when holding or using sickness or accident records?
A Information relating to a physical or mental health condition falls
under the definition of ‘sensitive personal data’ in the Act. Therefore,
additional criteria has to be met in relation to sickness and accident records
before an employer’s obligations under the Act can be fulfilled.
Employers should only hold and use workers’ sickness and accident records if
they have the explicit consent of the worker, or if one of the other conditions
for processing sensitive personal data under the Act is satisfied. This is
problematic as it is arguable that consent may be invalidated as it cannot be
freely given in the context of an employment relationship. Therefore, employers
seeking to rely on consent alone may be in breach of the Act.
Recognising this problem, the Information Commissioner has stated that
employers keeping and using sickness records in a reasonable manner are likely
to satisfy one of the other sensitive data criteria in the Act. Such a criteria
may be ‘performing any right or obligation imposed by law’ as it would include
ensuring the health and safety of staff, or preventing discrimination on the
grounds of disability. It is hoped that future revisions to the law will place
the issue beyond doubt.