Lots of useful guidance available this month: from the DWP about using fit notes; requirements for employers with regard to right to work checks; and understanding the UK GDPR and DPA legislation to protect your employees' data.

Health at Work: DWP updates guidance on fit notes

The Department for Work and Pensions (DWP) has updated three pieces of guidance on fit notes, for patients and employees, employers and line managers, and healthcare professionals respectively. This guidance explains the actions required when an employee gives you a fit note. It gives advice on what the different sections of the fit note mean and how you can use it most effectively to support the health and wellbeing of employees in your organisation. You can view the guidance for employers and line managers here. There is also a checklist and set of case studies to accompany it.

Right to Work Checks: Employers are no longer required to verify a digital CoA with the ECS

The Home Office has updated its guidance for employers carrying out right to work checks on or after 17 October 2023. It removes the requirement for employers to verify a digital Certificate of Application (CoA) with the Home Office Employer Checking Service (ECS) for outstanding EU Settlement Scheme (EUSS) applications made on or after 1 July 2021. The online right to work checking service will also not direct employers to verify a digital CoA with the ECS. This requirement has also been removed from the right to rent guidance for landlords.

Data Protection: UK government approves the UK-US data bridge

From 12 October 2023, UK businesses will be able to export personal data to US entities who are certified under the UK Extension to the EU-US Data Privacy Framework (DPF), without the need to conduct a Transfer Risk Assessment, and without needing to enter into the relevant standard contractual clauses or to implement supplementary measures. While this only covers some US organisations in certain circumstances, it is nonetheless a welcome development. You can read more about this from the Information Commissioner here.

Data Protection: An employer's guide to understanding UK GDPR and DPA 2018

The ICO has recently updated its guidance on understanding the UK GDPR and the DPA 2018. It explains the importance of an employer's compliance with Retained Regulation (EU) 2016/679 (UK GDPR) and the DPA 2018, particularly in the context of processing a worker's health information. As a worker's health data is considered particularly sensitive and is therefore given a special level of protection under the UK GDPR, the Guidance emphasises that there are specific rules an employer is obliged to follow when dealing with such data. The Guidance considers:

  • how an employer can use a worker's health data fairly (in essence, providing valid justifications for gathering and using health information, ensuring transparency in the process when communicating the necessary privacy information to workers and documenting all decisions made throughout the process); and
  • how an employer can lawfully process a worker's health data. In lawfully processing a worker's health data, the Guidance specifies that a 'lawful basis' under Article 6 of Retained Regulation (EU) 2016/679, the UK GDPR, must be identified. It further details the additional, stricter requirements needed to process special category data under Article 9 of Retained Regulation (EU) 2016/679, the UK GDPR (which encompasses health information).

To assist employers in navigating the legal sphere surrounding the management of health data, the guidance helpfully identifies the six lawful bases for handling personal data and provides common examples for when these bases might be applicable. The six lawful bases identified are contract, legal obligations, legitimate interests, vital interests, public task and consent. However, as mentioned above, the employer must also adhere to the requirements under Article 9 and identify a special category condition for processing health data.

The guidance outlines the 10 conditions which an employer might wish to rely upon and any additional conditions required to satisfy Article 9. The typical workplace scenarios identified revolve around the lawful and good practice procedures an employer should apply when it comes to sharing a worker's health data, administering sickness absence documentation and managing information concerning a worker's impairment or disability. The Guidance is helpful in that it directly answers key questions an employer may have in the context of health data, such as 'How do we handle sickness and injury records?' and 'What if we use medical examinations and drugs and alcohol testing?'. The Guidance clearly outlines the relevant legal requirements and provides good practice advice for each of these common questions.

To assist employers further in ensuring compliance with data protection rules in the context of a worker's health data, the ICO has also provided several checklists which can be easily accessed by employers whenever they are required to process such information. The checklists can be found here and relate to circumstances involving genetic testing, occupational health schemes, health monitoring, sickness and injury records, and sharing a worker's health information.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.