Employers must make sure they are acting in line with the Data Protection Act 2018, which incorporates the European Union’s General Data Protection Regulation (GDPR), when collecting any data from their employees.
Gathering information on an employee’s health would be considered as ‘sensitive data’ and lawfully allowed if it is for workplace structures, such as a wellbeing programme.
Employers must, however, ensure they take the following steps when collecting this personal data.
Firstly, right of information: staff members must be informed about their rights and for what purposes their health-related information is being processed. Placing a privacy notice on the intranet so staff have easy access to this information would be recommended.
Secondly, rights of access: staff members have the right to access their health information to be able to check it is accurate and they must be informed on how they can exercise this right.
Thirdly, retention period: organsiations should only keep the information on their files for as long as needed and retention periods should be established.
Finally, data security: it should be processed by health professionals who are bound by their obligations and anyone with access to it should be reminded about their confidentiality obligations. Therefore, HR should not have direct access to the information and only health professionals within the organisation should.
Employers are allowed to process personal data drawn from technology, but they must perform a careful balancing act between employees’ rights to privacy and their own interests. They must also provide evidence that have complied with their data protection obligations, such as transparency, fairness, necessity and proportionality.
If they don’t, they can face hefty fines under GDPR, in the most serious cases this fine could be up to 20 million euros (£18 million), or 4% of an organisation's annual turnover.
Hayat Rafique-Fayez is employment lawyer at Slater and Gordon