Data protection in the workplace - detailed guidance on processing workers' health data published

Morton Fraser Legal Director Alan Delaney
11 October 2023

The guidance will assist employers to understand and comply with their obligations under the UK GDPR and the Data Protection Act 2018.

Following a consultation which took place at the turn of the year, the Information Commissioner's Office ("ICO") has published detailed guidance for employers on handling workers' health data.

This forms part of the ICO's approach to releasing advice to employers on specific topics of particular interest (rather than having one overarching Code of Practice). Earlier in the year, the ICO published Q & As for employers on handling subject access requests. Specific guidance on monitoring at work is presently being finalised, having been published in draft in October 2022.

The new guidance on health data is intended to provide greater regulatory certainty for employers, protect workers' data protection rights and help employers to build trust with workers around the processing that is undertaken. 

What can you expect from the guidance?

The guidance provides well-structured advice with links to further detail for those who need it. It starts with an explanation of why and how workers' health data should be used fairly, and moves on to look at specific topics including:

  • handling sickness and injury records;
  • the use of occupational health schemes;
  • the use of medical examinations and drugs and alcohol testing;
  • the use of genetic testing;
  • carrying out health monitoring; and
  • when workers' health information can be shared.

There are also very useful checklists at the end of each section and links to these are repeated at the end of the guidance.  The checklists provide an overview and quick guide to help employers think about what they need to consider whenever they are collecting or using workers' health information.  While the checklists could form a "starter for ten" for employers, with the opportunity to get more detail on a particular area from the body of the guidance, it is advisable for employers to read the guidance in full so that any necessary updates can be made to existing Privacy Notices or Data Protection policies.


The content of this webpage is for information only and is not intended to be construed as legal advice and should not be treated as a substitute for specific advice. Morton Fraser LLP accepts no responsibility for the content of any third party website to which this webpage refers.  Morton Fraser LLP is authorised and regulated by the Financial Conduct Authority.