Most small businesses now have a social media policy in place but new research finds that there...
The Data Protection Act sets out specific principles for the collection and use of workers' health information. So what health information can you collect and what can you use it for while still respecting their right to privacy?
It seems straightforward enough to ask job candidates to fill in a health questionnaire. However, under the Equality Act 2010 the circumstances under which you can ask health-related questions before offering a job are limited. Any information you collect legitimately, for example to decide whether an applicant can carry out a function that is essential to the job, is regarded as sensitive information under the Data Protection Act (DPA), which means that certain rules apply, limiting the circumstances in which you can process health information.
The Information Commissioner's latest guidance, the DPA Employment Practices Code, covers the thorny issue of workers' health details in depth. The Employment Practices Code and a special small business guide are available to download on the Information Commissioner's Office website.
The words of warning are:
- Collect and hold workers' health details only if it brings real business benefits - and be absolutely clear what they are (see below).
- Gather only the information you need, eg information in a medical report on a sick employee should be limited to information required to establish fitness to work.
- Make it clear to the person why you want these details.
- Ask for the person's consent, which must be freely given - a blanket consent given by a worker at the beginning of employment is not always sufficient. If applying for a report from a worker's GP, get the worker's specific consent to your application.
- Use the data only for the purpose given to the person.
- Make the person aware that they have right of access to their details which you hold.
- Ensure the data is transmitted and stored securely, usually separately from other personnel records. If you don't the workers concerned may have the right to compensation.
- Ensure personnel authorising collection of, or handling, the data are authorised to do so by the business, and aware of Data Protection rules, including the fact that interpretation of medical information should only be carried out by a suitably qualified health professional.
- Make sure managers only have access to the extent of health information necessary to carry out their management responsibilities, and the information given to them should be limited to those details necessary to establish fitness to work.
- Keep the details only for as long as you need them.
There are special rules for workers in occupational health schemes. In particular, workers giving information to health professionals under the scheme are entitled to confidentiality. This means that, for example, if you monitor workers' email or telephone conversations, it should be made clear that they should not use your work email or telephone system to contact your occupational health scheme. You may wish to give them access to an alternative, unmonitored email system or telephone line. Take advice.
Employers must have good reason to ask for health details and the details requested should relate to the worker's job and the work environment. Main reasons would be health and safety at work, to satisfy other legal obligations (eg suitability to join an occupational pension or health insurance scheme), and for the employer to avoid liability for unfair dismissal under discrimination law. For example, under the Equality Act, the employer can fall foul of discrimination claims if they do not know that a job applicant is disabled and therefore fails to consider 'reasonable adjustments' that ensure the disabled applicant is on an equal balance with other applicants.
The means of gathering the information should be as non-intrusive as possible. For example, information should only be collected at the stage when there is a good chance of an applicant being offered a job; and a health questionnaire is less intrusive than a medical test.
Information and testing
Unless you are collecting information as part of an occupational health and safety programme that the workers have volunteered for, information asked for, or any medical test, should be limited to that required to:
- Establish the worker is fit to carry out the job.
- Avoid significant risks to the health and safety of other workers.
- Decide whether a worker is fit to return to work after being off sick, or entitled to sick pay (or other health-related benefits).
- Stop discrimination or decide whether there is a need to make 'reasonable adjustments'.
Only a very physically demanding job or a particular work situation should require a medical test. Alcohol or drug testing would have to be warranted by extreme circumstances. And you would also need to consider following up with a disciplinary process.
Information collected for one purpose cannot be used for another purpose without the worker's consent.
Whatever the information you collect, or testing you carry out, keep a record of the business purpose justifying the testing, and write down:
- Who will be tested.
- What they will be tested for.
- How often.
- What will happen as a result of the testing, whether results are positive or negative.
Any information that is obtained that is not relevant to the purpose for which information is being gathered, or testing carried out, must be permanently deleted, whether it is irrelevant at the time, or becomes irrelevant subsequently. Health information should therefore be periodically reviewed.
If in doubt, take legal advice.