GDPR for HR Newsletter March 2023 | Data protection guidance on processing health data
Published on 13th Mar 2023
Welcome to this month's snapshot of developments, cases and insights relating to privacy in the workplace
ICO guidance on handling workers' health data
The Information Commissioner's Office's (ICO) consultation on its draft guidance on handling the health information of workers ended on 26 January 2023. This guidance follows the ICO’s recent consultation on its draft monitoring at work guidance. These consultations are the first part of an ongoing project for the ICO to replace its employment code of practice with new guidance.
The guidance:
- Reiterates that gathering information about workers’ health is intrusive and is highly intrusive where the information is particularly sensitive. If employers want to collect and use information regarding workers’ health, they need to be very clear about why they are doing so. The ICO notes that, while workers will reasonably expect to share a proportionate amount of health data, they can legitimately expect that their employers will respect their privacy when doing so.
- Encourages organisations to consider whether there are more targeted ways of collecting health data that would deliver more acceptable outcomes for workers.
- Reminds organisations to be clear about the purposes for processing health data and make such information available to workers.
- Reminds organisations that consent is one of the lawful bases for the processing of personal data, but warns that UK law sets a high standard for consent and people must have a genuine choice over how their data is used. As such, it may be difficult for organisations to rely upon consent to process health data about their workers.
- Recognises that it would be good practice to carry out a data-protection impact assessment before processing health data. This, however, may only be applicable to employers who intend to process health data that is likely to pose a high risk to workers (such as conducting medical tests).
- Reminds organisations to ensure that appropriate security measures are in place to protect workers’ health information and that access to such information should be restricted as appropriate on a need-to-know basis.
In the news
WhatsApp and DSAR cases
In a recent case, FKJ v RVT and others, the High Court refused to strike out a claim for misuse of private information brought by the claimant against her ex-employer, who dismissed her for misconduct. The claim arose from the managing partner having obtained 18,000 of the claimant's private WhatsApp messages, which were used as evidence against her in employment tribunal proceedings. The claimant claimed he had 'hacked' into her WhatsApp account to gain access.
The defendants' strike out application was dismissed. The judge concluded that it was without merit and an attempt to stifle the claimant's claim. Notably, the defendants' argument that the claimant's privacy claim would face significant problems on the merits was rejected, and the judge said that, on the facts, it could not be seriously contested that the claimant had a reasonable expectation of privacy in relation to the WhatsApp messages. A useful case to cite when access to WhatsApp messages is being considered.
In RW v Österreichische Post AG, the European Court of Justice provided clarification on the right of access to personal data and information in relation to data subject access requests (DSARs). The court ruled that the data subject's right of access to information about the processing of their personal data under article 15(1) of the General Data Protection Regulation must be interpreted as meaning that it will extend, where the data subject requests, to the identification of the specific recipients to whom their personal data are disclosed. Not good news for those on the receiving end of a DSAR!
How is artificial intelligence combatting burnout? 'We’re bringing in AI in order to bring back humanity'
Grace Kintsugi, co-founder and CEO at Kintsugi, has developed an AI-powered mental health tool platform that can detect depression and anxiety using short audio clips of someone's speech. The company is launching a three-month pilot scheme with one of the US' largest health insurance companies enabling employees to leave voice notes – an "audio journal" of their feelings.
UK government reignites data protection reform
The UK government published a second iteration of the Data Protection and Digital Information Bill (the first iteration was published in July 2022 and has now been withdrawn). The bill is designed to reform UK data protection law post-Brexit, and this second iteration makes relatively few substantive changes to the first version, although there are some useful changes, including on record-keeping and international transfers and on scientific research. While the bill proposes wholesale changes to the UK's privacy framework, those can be characterised as an evolution, not a revolution. Overall, the bill aims to reduce the administrative burden on businesses, promote innovation and reform the Information Commissioner's Office.
Dipping into Data: spring 2023 series
Our "Dipping into Data" series consists of monthly 30-minute webinars on legal, regulatory and commercial considerations around the use of data (whether personal or otherwise), including data privacy, other data regulation, intellectual property, competition and contract issues. The first of our webinars was on the ICO's updates to guidance on direct marketing (you can register and rewatch here) and the second was on a new era for UK and EU data regulation (you can register and rewatch here). Our next webinar of the series is "A focus on health data" on Monday 27 March 2023. Find more information and a link to register for the webinar here.