• The lawful basis for processing such health data - The ICO warns that it may be difficult for employers to rely upon consent to process health data about workers because of the power imbalance that exists between employers and workers. If workers have no genuine choice over how employers use their information, then consent cannot be relied on as a lawful basis for processing.  However, data protection laws allow for employers to process health data where they are required to do so by statutory employment law requirements – so in most instances, consent is not required.
• Data minimisation - Employers should be thinking carefully about how much health information they actually need to collect, as this is likely to vary between job roles. The ICO explains that it would be legitimate to collect more detailed health information from those working in hazardous environments, workers whose jobs require high level of physical fitness, or those dealing with clinically vulnerable individuals.
• Data sharing – The ICO recommends that employers should adopt a "need to know" policy to ensure the health information is only shared with and accessible to those who actually need to access it.
• Security – High levels of security should apply to health data, which may require it to be kept separately from general employee records.

It also provides guidance on data protection impact assessments (DPIAs), pointing out that given the sensitive and potentially intrusive nature of processing workers' health information it may, in some instances, be a requirement (rather than just good practice) to carry out a DPIA prior to processing any of the information. This will be in instances where the employer intends to process health data that is likely to pose a high risk to workers, such as when conducting medical tests. The guidance on medical testing largely confirms the established position but serves as a useful reminder to employers of the instances where it may or may not be considered necessary and justified to test workers.

The document reminds employers that they should also be aware of their obligations under employment law, health and safety law and other legislation, as well as any applicable industry standards. For example, employers may need to process sickness records to comply with their duty to make reasonable adjustments for workers with disabilities or to ensure employees are not unfairly dismissed for capability reasons.

If a worker on long-term sickness absence is apprehensive about providing health information to an employer, an employer seeking to commission a medical report could consider limiting the information requested to information solely on the worker’s fitness for continued employment in their role. In line with the data minimisation principle, the report could provide an assessment of whether or not the worker is fit to return to employment, whether they should be redeployed, or whether adjustments need to be made to the workplace to accommodate their condition. This avoids having to disclose further sensitive medical details of the worker’s condition which are not required by the employer.