
Can You Process Health Data in Your Business?

You must comply with strict UK data protection laws when handling employee health data, such as managing sick leave or maternity leave. The UK GDPR and the Data Protection Act 2018 (DPA 2018) establish crucial rules for processing health data. Your business must understand and comply with these rules to avoid negative consequences such as data protection law enforcement action. This article outlines key considerations for employers under these laws when processing health data.

Understanding the UK Data Protection Law Regime

Data protection in the UK is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018).

These laws set out how your business should process personal data. The UK GDPR forms the critical legal framework, and the DPA 2018 adds UK-specific provisions, especially concerning sensitive data such as health information and criminal records.

What Information Constitutes Health Data?

Health data, classified as a special category of personal data under the UK GDPR, includes any information related to an employee’s physical or mental wellbeing, such as illnesses, medical conditions, treatments, or medical assessments. Due to its sensitivity, this data requires stricter protections and compliance with specific rules.

As an employer, you might need to process health data for several reasons, including but not limited to the following:

  • managing sick leave, monitoring staff absence, or assessing an employee’s fitness for work; 
  • ensuring a safe working environment, such as by conducting risk assessments or making adjustments for employees with disabilities; and 
  • complying with employment laws related to sick pay, workplace adjustments, or health and safety regulations.
Key Issues to Consider When Processing Health Data

Processing health data involves several legal and practical considerations to ensure compliance with UK data protection laws. 

Here are some critical obligations to keep in mind:

Establishing Legal Grounds for Health Data Processing

To lawfully process health data, you must establish:

  • a lawful basis under Article 6: your business needs to determine a lawful basis, such as fulfilling a legal obligation (e.g., health and safety laws), performing a contract (e.g., managing sick leave), or pursuing legitimate interests (e.g., ensuring workplace safety). You should document and justify your decision, particularly when balancing necessity and proportionality; and
  • an additional condition under Article 9: as health data is a special category, you must also meet an additional condition under Article 9 of the UK GDPR. Suitable conditions for businesses include processing for employment law purposes, obtaining explicit consent, or processing for occupational health purposes.

While explicit consent is an option under Article 9, obtaining valid consent in an employment context can be challenging due to the power imbalance between you and your employees. Consent must be freely given, specific, informed, and unambiguous. As such, consider relying on other legal bases that are more appropriate and sustainable in an employment setting. 

You should document your decision-making process when determining the legal grounds for processing health data to demonstrate compliance if your activities are challenged. Moreover, you should take legal advice if you need clarification on this in an employment context. 

Maintain Transparency and Respect Employee Rights

You must openly and honestly communicate with employees about how you process their health data. Explain why you collect the data, who will access it, and under what circumstances.

Transparency is vital, and you should provide this information in a way that is easy to access and understand, using clear and plain language. One way to do this is to include it in a staff privacy notice that you issue to all employees.

You should also ensure that when you take specific actions involving health data, such as a medical test, the employee fully understands what health information you will collect, why, how you intend to use it, and their rights under data protection law.

Other UK GDPR Responsibilities

Beyond transparency, you must comply with various other vital obligations when processing health data. For example, you should apply data minimisation principles and collect and process only the health data necessary for the specific purpose.

You should also implement robust security measures to protect health data from unauthorised access, loss, or destruction. These measures could include encryption, access controls, and regular security audits. 

You should also conduct a Data Protection Impact Assessment if the health data processing activity risks individuals’ rights and freedoms. Processing employee wellbeing data therefore comes with a range of serious obligations to which you should pay attention.

Processing health data is highly complex and challenging for businesses to navigate. While these are some key compliance action points, there may be many more you need to consider. 

Health data is high-risk, so your business must get this right. Seeking legal advice can help you fully understand your obligations under the UK GDPR and DPA 2018.

A data protection lawyer can help you determine exactly which obligations you need to comply with when processing your staff’s health data, helping you avoid potential pitfalls and ensuring your business remains compliant with stringent data protection law rules. 

Key Takeaways

If your business processes health data, particularly sensitive personal data about employees, it is crucial to understand and comply with your legal obligations under data protection laws. Given the sensitivity of this type of personal data, there are a range of careful considerations and rules to follow. If you need clarification about your obligations, you should seek legal advice.

If you need assistance understanding the rules for processing employee health data, LegalVision’s experienced data privacy lawyers can help as part of our LegalVision membership. For a low monthly fee, you gain unlimited access to lawyers who can answer your questions and draft or review your documents. Call us today on 0808 196 8584 or visit our membership page.

Frequently Asked Questions

1. What is the UK GDPR?

The UK GDPR is the key data protection law in the UK. It dictates how businesses handle personal data and provides a framework for data protection and privacy rights. 

2. What are Special Categories of Personal Data?

Special categories of personal data include sensitive information such as medical data, racial or ethnic origin, political opinions, religious beliefs, or genetic and biometric data. These categories of personal data require stricter protection under the UK GDPR.

Sej Lamba
