Employee health information is a sensitive type of data, and employers have a legal responsibility to protect it. However, there are certain situations where employers may need to share this information with third parties.
Legal Basis for Sharing Worker Health Information
The General Data Protection Regulation (GDPR) is the main law governing data protection in the UK. The GDPR does not prevent employers from sharing employee health information, but it does require them to have a lawful basis for doing so. There are a number of lawful bases that may be relevant, depending on the circumstances.
One common lawful basis is consent. Employees can give their consent to their employer sharing their health information with a third party. However, consent must be freely given, specific, informed, and unambiguous. This means that employees must understand what information is being shared, who it is being shared with, and why it is being shared. Here’s how to ensure informed consent:
- Provide a clear and concise privacy notice explaining how health information is collected, used, and shared;
- Use plain language that is easy for workers to understand;
- Obtain consent in writing, preferably through a separate form; and
- Make it clear that employees have the right to withdraw their consent at any time.
Another lawful basis for sharing employee health information is a legal obligation. Employers may be required by law to share employee health information with a third party.
For example:
- Reporting occupational injuries and illnesses to the Health and Safety Executive (HSE);
- Complying with a court order; or
- Responding to a public health inquiry.
Specific Examples of Sharing Worker Health Information
There are several situations where employers may need to share employee health information for a legitimate purpose:
- Occupational health referrals: Employers can share employee health information with occupational health providers to assess fitness for work or make reasonable adjustments.
- Disability accommodations: Employers may share employee health information with relevant personnel to provide reasonable accommodations for workers with disabilities.
- Insurance claims: Employers may need to share employee health information with insurance companies when processing work-related accident or illness claims.
- Fitness to perform specific duties: In certain roles, employers may need to share limited health information to assess fitness for safety-critical tasks.
Sharing Health Information with Family in Emergencies
Data protection law allows organisations to share personal information, including health information, in an urgent emergency situation in order to prevent loss of life or serious physical harm. However, employers should only share the minimum amount of information necessary to address the emergency.
Here are some factors to consider before sharing an employee’s health information with family members in an emergency:
- Does the employee have next-of-kin information on file? If so, this should be the first point of contact.
- Is the employee unconscious or otherwise unable to communicate? If so, sharing limited health information with family may be necessary to allow them to make informed decisions about the employee’s care.
- Has the worker previously expressed a preference for not sharing their health information with family? Employers should respect the employee’s wishes whenever possible.
Consequences of Non-Compliance with Data Protection Law
The Information Commissioner’s Office (ICO) is responsible for enforcing data protection law in the UK. Employers who fail to comply with the GDPR can face significant fines, up to a maximum of £20 million or 4% of annual global turnover (whichever is higher). Additionally, workers whose data protection rights are infringed may bring legal action against their employer.
Importance of Keeping Records of Employee Health Information
Employers are required to keep accurate and up-to-date records of employee health information. These records should be kept secure and only accessed by those who need to know. Employers should also have a clear policy on how long to retain employee health information before securely disposing of it.