Health information about employees is a real grey area. Many practices are
widely accepted even though there is a good case that they do not satisfy a
Schedule 3 condition, and in the example given there also appear to be
problems with Principle 3 in terms of justifying that the information sought
is relevant and not excessive. Frequently there is also a breach of the
transparency requirements of Principle 1, when employers do not spell out
adequately why they are asking for the information or how they are going to
use it.
The Information Commissioner appears to have ducked the really interesting
questions altogether.
In the original draft of Part 4 of the Employment Code of Practice it said:
"This part of the Code does not directly address the routine keeping of
sickness or accident records about workers. This is covered elsewhere. See
Part 2, Employment Records, page 22 ..."
This paragraph is missing from the final version, and a new section 3.2 has
been added, dealing with Sickness and injury records. Since Part 4 of the
Code significantly post-dates Part 2 we should probably assume that the
section in Part 4 represents current thinking by the Commissioner. However,
Section 3.2 does not answer the question of whether it is legitimate for
employers, as nearly all do, to ask questions about workers' health or to
maintain sickness absence records. All it says is "Check current practices
... against the sensitive data conditions in the Code" and "See
Supplementary Guidance ... which explains more about the sensitive data
conditions."
So we turn to the Supplementary Guidance where the advice boils down to, in
most cases, meeting either the second Schedule 3 condition (legal right or
duty in connection with employment) or the first (consent). The legal right
clearly could be argued in the case of health and safety but not, I think -
and the Guidance gives no examples of this either - in the case of absence
management or non-specific enquiries about random aspects of employees'
health.
That leaves consent, where the Guidance stresses that there must be no
penalty for refusing consent, otherwise it is not freely given.
Ergo, no employer can force their employees either to provide health
information (unless there is a clear requirement in terms of health and
safety or some other legal duty), or to allow information about their health
to be kept (over and above that required for SSP, for example).
So anyone presented with a form such as that described would be entitled to
refuse to provide any of the information unless a clear explanation was
given as to how it was necessary in order for the employer to meet their
legal duties.
If the job offer was withdrawn as a result, they could take the employer to
court for compensation for a breach of Data Protection.
Paul Ticher
0116 273 8191
22 Stoughton Drive North, Leicester LE5 5UB
I hereby require any recipient of this message not to use my personal data
for direct marketing purposes.
----- Original Message -----
From: "Jon Leonard" <[log in to unmask]>
To: <[log in to unmask]>
Sent: Monday, January 24, 2005 9:19 AM
Subject: Medical Records form
> Dear all
>
> I work for HBS supporting Lincolnshire County Council. I am not
> actually a member of the DP list but I am covering for Data Protection
> in David Forbes' absence. One of the queries he has received concerns a
> medical form which is sent out.
>
> I have attached the form for your reference and the concerns raised
> about it are below:
>
> "When I was offered my current job here at LCC it was on the condition
> that I had satisfactory references and that I was also fit enough, I had
> complete a Well Work Employee Occupation Health form (see attached). The
> form consisted of 64 medical questions which is obviously very personal.
> Although I did not agree with the form I completed it anyway as I
> really wanted the job and I didn't want to disadvantage myself in
> anyway.
>
> I thought that the attached form was breaching principals 1 and 3 of
> the Data Protection Act?
>
> I think that it is probably a valid point as although some of the
> questions may well be relevant to some jobs, all of the questions are
> not relevant to all jobs. The point about filling in the form is
> interesting because as people have usually been offered a job before
> they see this form they may feel that although they disagree with
> filling the form in they may well do so rather than querying the form as
> they feel that this may jeopardise the job they are being offered."
>
> My own feelings are that the form does not reference the DP Act and the
> nature of the wording compels you to fill in the details even though you
> would feel uneasy doing so.
>
> I have access to David's e-mails so replies to this list will be read.
>
> Thanks in advance for your help.
>
> Jon
>
>
> ----------------------------------------------
> Jon Leonard
> Senior Analyst/Programmer
> Applications Support Team
> IT Division
> HBS Business Services/LCC
> Tel: 01522 83 ext. 6155
> Fax: 01522 516016
> -----------------------------------------------
>
>
> **********************************************************************
> "No contracts may be concluded on behalf of HBS Business Services Group
Limited (HBSGL) by means of email communications.
>
> Any information or opinions contained in this message that do not relate
to the official business of HBSGL are neither given nor endorsed by it.
>
> HBSGL reserves the right to monitor and intercept emails sent and received
on our network.
>
> Internet email is not 100% secure. You must be aware of this lack of
> security when emailing us. HBSGL does not accept responsibility for
changes made to this message after it was sent
>
> This footnote confirms that this email message has been swept by
> MIMEsweeper for the presence of computer viruses. www.mimesweeper.com
> <http://www.mimesweeper.com>
>
> Although HBSGL have taken these steps to ensure that this email and any
attachments are free from any virus, in keeping with good computing practice
you should make sure that they are actually virus free.
>
> This email and any files transmitted with it are confidential and intended
> solely for the use of the individual or entity to whom they are addressed.
> If you have received this email in error you may not take any action based
on it, nor should you copy or show this to anyone; please reply to this
email and highlight the error to the sender, then delete the message from
your system."
>
> **********************************************************************
>
>
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> All archives of messages are stored permanently and are
> available to the world wide web community at large at
> http://www.jiscmail.ac.uk/lists/data-protection.html
> If you wish to leave this list please send the command
> leave data-protection to [log in to unmask]
> All user commands can be found at : -
> http://www.jiscmail.ac.uk/help/commandref.htm
> Any queries about sending or receiving message please send to the list
owner
> [log in to unmask]
> (all commands go to [log in to unmask] not the list please)
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
>
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
All archives of messages are stored permanently and are
available to the world wide web community at large at
http://www.jiscmail.ac.uk/lists/data-protection.html
If you wish to leave this list please send the command
leave data-protection to [log in to unmask]
All user commands can be found at : -
http://www.jiscmail.ac.uk/help/commandref.htm
Any queries about sending or receiving message please send to the list owner
[log in to unmask]
(all commands go to [log in to unmask] not the list please)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
