
Confidentiality and Consent

Information about your employee’s health can include:

  • The name of their health condition.
  • A description of their symptoms.
  • A description of their medical treatment and its effectiveness.
  • A prognosis for their recovery.

The Data Protection Act 2018 places a duty on you and your occupational health provider to:

  • Obtain explicit consent from your employee to process information about their health.  
  • Protect the confidentiality of this information.

Additional Acts and codes of practice are written for health professionals and guide how they are able to process information about your employees’ health:

  • Access to Medical Reports Act 1988.
  • Access to Health Records Act 1990.
  • Information Governance Alliance. Records Management Code of Practice for Health and Social Care 2016.
  • Ethics Guidance for Occupational Health Practice 2018.

1. The Information Commissioner’s Five Employer Essentials

The Information Commissioner’s Office has published an ‘Employment Practices Code’ providing a detailed interpretation of the Data Protection Act for employers processing employee health information[1].  The code can be summarised into 5 key points as follows (italicised text is quoted verbatim from the Code document):

Employers should bear in mind that health information can be particularly sensitive, that its obtaining can be particularly intrusive and that significant intrusion will not normally be justified unless the employer’s business is at real risk of serious damage.

In practice, before processing employee health information, you should have:

  • Evidence that the information has been manifestly made public by your employee; or
  • A court order to process the information for the establishment, exercise or defence of legal claims; or
  • Employee consent and at least one other lawful basis for processing.

Employee Consent.  To be valid:

  • Consent must be explicit, meaning the worker must have been told clearly what personal data are involved and have been properly informed about the use that will be made of them.  Explicit consent must be affirmed in a clear statement (whether oral or written)[2].
  • The worker must have given a positive indication of agreement, e.g. a signature or tick box opt in.
  • Consent must be freely given, meaning the worker must have a real choice whether or not to consent and there must be no penalty imposed for refusing to give consent.

The Royal College of Physicians Ethics Guidance for Occupational Health Practice[3] includes the overriding principle of ‘no surprises’, where your employee is “absolutely clear about the process and what will be reported about them”.  The Work Wellness process ensures ‘no surprises’ by obtaining your employee’s explicit consent, at the start of the referral process, to:

  • The completed management referral form, because it contains confidential information about your employee and the purpose for which this information will be processed (i.e., the questions you are asking Work Wellness to answer).  The completed management referral form includes the completed form itself together with any other documents containing health information which accompany it, such as: sickness absence history, fit notes, minutes of return to work, welfare or other meetings, record of adjustments already implemented, etc.
  • The possibility that later in the process:
    • Work Wellness may request copies of GP / treating specialist letters and reports from your employee.
    • Work Wellness may request a medical report from your employee’s GP or treating specialist.
    • Work Wellness may commission a specialist examination / assessment.
    • You may share the assessment report, on a need to know basis, with other managers who need to act upon its contents.

…and once the process is underway

  • Obtaining further explicit consent, in compliance with the Access to Medical Reports Act 1988, should we decide to request a medical report.
  • Offering your employee the opportunity to request the correction or deletion of confidential information contained in the assessment report prior to its release to you.
  • Reminding your employee that they can withdraw their consent for the assessment report to be released to you.

Lawful Basis.  Relying on consent alone is not enough because of the imbalance of power between you and your employee, so authorities including the ICO require that you also have at least one other lawful basis for processing employee health information.  These are[4]:

  • To determine the worker’s entitlement to health related benefits, e.g., sick pay, permanent health insurance.
  • To determine a particular worker’s fitness for carrying out his or her job.
  • To comply with your legal obligation to control health and safety risks to your employee, or risks that the employee may pose to colleagues, customers and the public.
  • To comply with your legal obligation not to discriminate against workers.

Whichever basis applies, employers should ensure that the intrusion is no more than absolutely necessary:

  • Consider alternatives to minimise intrusion, e.g., can health questionnaires rather than tests be used?
  • Review any health questionnaires to ensure that only information that is really needed is collected.
  • Can access to health information be limited so that it will only be seen by medically qualified staff?
  • Is the processing for medical purposes, e.g. the provision of care or treatment, and undertaken by a health professional or someone working under an equivalent duty of confidentiality?
  • Ensure that wherever practicable only suitably qualified health professionals have access to medical details.

An occupational health practitioner should interpret the information and make recommendations to you:

  • Decisions on a worker’s suitability for particular work are properly management decisions, but the interpretation of medical information should be left to a suitably qualified health professional.
  • Employers should seek information on the worker’s fitness for continued employment rather than medical details.
  • A medical report should contain only the information required for the employer to fulfil their legal responsibilities. If the employee has any health condition, the employer may only need to know:
    • Whether it constitutes a disability.
    • Will it impact the employee’s ability to perform a defined role.
    • If reasonable adjustments at work need to be made[5].

In our experience, your employee is usually happy to consent to the disclosure of health information.  They will have already disclosed some information to you before you refer them for an occupational health assessment and in those instances when they have not, they rarely withhold their consent for Work Wellness to disclose relevant information in our assessment report.

We generally find that disclosing health information is helpful and productive for both you and your employee.  For example, just being able to put a name to a health condition:

  • Helps in locating:
    • Further information about the condition (such as how it can be treated and managed).
    • Support from others experiencing the same condition.
  • Suggests that the condition is medically understood, treatable and manageable which, in turn, can reduce feelings of helplessness and hopelessness in the face of disabling symptoms and their effects upon capacity to perform in a job[6].
  • Improves your own and your colleagues’ understanding of the condition, and acceptance of its symptoms as real, palpable and worthy of adjustments and support.

Having said this, we also recognise instances where disclosure of health information will not be helpful or productive and may even damage the interests of your employee.

If your employee does not consent to the occupational health practitioner disclosing health information to you, the practitioner will instead describe the information in terms of its functional effects, e.g., levels of mobility, dexterity, vision, hearing, speech, continence, concentration, memory, learning and understanding.  For example:

  • “Severe depression and anxiety” may be described as: “your employee’s condition results in a significant reduction in mental and physical stamina and the ability to concentrate on problem solving and physical tasks.”
  • “Sciatica” or “Arthritis” may be described as: “your employee’s condition limits mobility and ability to sit for periods of more than 30 minutes. Any work carried out in a bent or awkward posture or lifting moderately heavy loads should be avoided.  Your employee should also be given the opportunity to move and stretch every 30 minutes”.

Occupational health practitioners should follow General Medical Council best practice guidance to give your employee the opportunity to check through reports before they are released to you and request the:

  • Deletion of confidential information which they do not wish to disclose to you.
  • Correction of factually inaccurate information.

The General Medical Council, Royal College of Nursing and Nursing and Midwifery Council agree on exceptional situations where occupational health practitioners should not maintain confidentiality, including:

  • Where the occupational health practitioner deems it unequivocally in the public interest, to protect the safety of others (e.g., a truck driver is epileptic or driving under the influence of drugs or alcohol, an employee is carrying a transmittable disease or has a mental health condition such that they may become violent).
  • Where the occupational health practitioner deems it clearly in the patient’s interest, to ensure their safety from themselves or others (e.g., high risk of suicide, victim of abuse).
  • Where instructed by law or a court order.
  • To safeguard national security or to prevent a serious crime.

In such instances health professionals will still only disclose the minimum necessary information.

The means of complying with data protection regulations and guidelines are complex.  Occupational health practitioners should be masters of this complexity and operate processes which are compliant without being overly restrictive and cumbersome.   In this way, an occupational health practitioner can help you minimise the cost of compliance.

For further information about maintaining confidentiality and other aspects of data privacy see our Privacy Statement (it can be accessed via a link in the footer of this page).

The ICO expects you to respect the confidentiality of information processed by occupational health:

  • If workers are allowed to use telephone or e-mail for confidential communication with their occupational health service, do not compromise this confidentiality by monitoring the contents of these communications.
  • If the retention of medical information is necessary only for the operation of an occupational health service, it should be kept in a confidential occupational health file.

 If commissioning a medical report on a sick employee:

  • Health information that is excessive, irrelevant or out of date should not be retained by an employer.  If the GP gives you more than you need you are obligated to delete what you don’t need.  Specific legal advice we have seen states that:
    • Requiring your employee to provide consent to their GP to release their medical records to you or to make a Subject Access Request to their GP in order to obtain their medical records and hand them over to you, is illegal under section 184 of the Data Protection Act.
    • GPs have been known to print out your employee’s entire medical record in response to a request for a GP report; such information is excessive and must be deleted immediately.
  • Patients are in control of any information released to an employer, and they have the right to review and ask for changes before it is submitted to an employer, including the withdrawal of consent.

Unless the general standard of information security in your organisation is sufficiently high, medical information about workers should be separated from other personnel information, for example by keeping it in a sealed envelope, or subject to additional access controls on an electronic system.

Despite the ICO conceding that you may request health information about your employee directly from their GP, the Royal College of Physicians Ethics Guidance advises medical professionals to discourage you from doing so because of the risks, explained in 6.3 above, that you may not be qualified to reliably interpret the information.

2. Commissioning GP and Specialist Reports

The Access to Medical Reports Act, the Access to Health Records Act and the Records Management Code of Practice largely define the process by which your occupational health provider commissions reports containing information about your employee’s health from their GP or treating specialist.

The process incurs a cost and can take weeks or months to complete.  The British Medical Association acknowledges that GPs / specialists can be reluctant to support the process, which creates points of failure wherever a process step depends upon their commitment.  Consequently, we would only recommend commissioning a report:

  • On the rare occasions we believe the employee is not disclosing health information which is likely to materially affect our assessment and recommendations and the assessment and recommendations are critical to the referring manager’s HR process.
  • On the even rarer occasions where the OH provider feels confident enough to suggest the GP / specialist considers an alternative diagnosis which might inform a more effective treatment strategy and improve your employee’s performance.

[Diagram: GP report process flow]

Here is a simplified and abridged representation of the process flow, with pertinent comments on some of the numbered process steps:

2. Obtaining your agreement to cost and timescale estimates is necessary to ensure you understand and are prepared to pay for the GP / specialist report and for OH provider time spent commissioning the report.

  • As a guide: the British Medical Association suggests GPs charge £133 for 30 minutes spent compiling a report from existing notes.
  • The OH provider is likely to record between 90 and 180 minutes of work throughout the end to end commissioning process.

3. Obtaining your employee’s ‘consent in principle’ is necessary for two reasons:

  • They will want to know why the OH provider is asking them to provide the contact details of their GP / treating specialist.
  • The next step is preparing the letter to their GP / treating specialist and that time spent could be wasted if the employee refuses explicit consent later in the process.

5. The OH provider is legally required to provide your employee with sight of the letter and to obtain their explicit consent to sending the letter to their GP / treating specialist.

7. The letter to the GP / treating specialist must carefully and unambiguously specify the questions which need to be answered.  This minimises the risk of their report being generic and / or repeating information already known.  Unfortunately, despite this care, the report can still be generic and / or repeat information already known.

8. The GP / treating specialist sometimes proceeds to write the report without providing a cost estimate and the amount of the accompanying invoice can exceed expectations (their initial estimate may not have considered the need to carefully consider and answer the questions specified in the letter).  On the other hand, the GP / treating specialist sometimes doesn’t send an invoice at all!

11. Usually, the report’s progress will need to be chased up at least once.

12. The GP / treating specialist is obligated to: offer your employee sight of their report before its disclosure to the OH provider; offer to correct or delete information prior to its disclosure; and remind your employee of their right to withdraw consent for disclosure of the report at any time up until its actual disclosure.

3. Pre-Placement Prohibition on Requesting Health Information

In order to minimise any opportunity to discriminate against disabled job applicants, Section 60 of The Equality Act places a general prohibition on requesting health information during the recruitment process, prior to making a job offer.  So you could make a job offer unaware that your new starter has a health condition which:

  • Renders them unable to perform a fundamental or intrinsic requirement of the job. Examples might include a scaffolder with a disability which renders them unable to climb a ladder, or an HGV driver who has uncorrectable impaired vision.
  • Breaches your legal obligation to control risks to the health, safety and welfare of your new starter, colleagues, customers and the public. Examples might include an employee at risk of seizures or a severe allergic reaction which requires urgent action by designated colleagues (e.g., who know where to find and administer your employee’s EpiPen).
  • Breaches your legal obligation to make reasonable adjustments for a disability under the Equality Act.

Exceptions to the general prohibition:

The Equality Act allows a specific exception to the general prohibition in order to assess health conditions preventing the applicant from performing an intrinsic requirement of the job which cannot be accommodated with reasonable adjustments.  This specific exception helps you to avoid employing the scaffolder who is unable to climb a ladder or the visually impaired HGV driver.

The Equality Act also allows other exceptions to the prohibition.  They don’t relate to health assessment but we list them here for the sake of completeness:

  • If a particular disability is actually an occupational requirement of the job.
  • To identify the need for any reasonable adjustments during the remainder of the interview process (e.g., tests and case study exercises).
  • To monitor the diversity of people applying for the job.
  • To positively discriminate with respect to health, i.e., to treat disabled applicants better than non-disabled applicants.

Approaches to requesting health information.

You might screen out candidates / job applicants who fail to meet the intrinsic requirements of the job by:

  • Specifying the intrinsic requirements as screening questions on the job application form.
  • Asking for the relevant health information at interview.

However, both of these approaches take place before the job offer, which means you are prohibited from requesting the additional information needed to assess whether the intrinsic requirement can be accommodated by reasonable adjustments.  Relying on these approaches alone creates a risk of breaching your legal obligation to identify reasonable adjustments.

Alternatively, you might make the job offer conditional upon the outcome of pre-placement screening.  This approach has two key advantages:

  • You can request additional health information to identify:
    • Needs for reasonable adjustments.
    • Pre-existence of health conditions which can also be caused or aggravated by the job.  This “baseline health information” might prove to be a valuable insurance in the event of any future claims for occupational injury.
  • The assessment is conducted by an experienced and qualified occupational health practitioner who is:
    • More likely to identify a need for adjustments.
    • Able to ensure the information requested complies with other applicable regulation, in particular the Data Protection Act.

[Diagram: Pre-placement screening]

Approaches to pre-placement health screening.

Health Questionnaires.

Questionnaire based screening is:

  • Sufficient for lower risk jobs (e.g., office-based).
  • Quick and cost effective, especially for SMEs, companies outsourcing their occupational health needs, and organisations with a widely distributed or remote workforce.
  • Recommended by the ICO in preference to a medical examination, or as a means of selecting individuals required to undergo a medical examination.

Medical Examinations.

Medical examinations can include:

  • Lung function and / or skin sensitivity testing for jobs involving baking, painting or insulating.
  • Audiometry testing for jobs on factory production lines.
  • Hand arm vibration (HAV) testing for jobs involving the operation of machinery.
  • Testing for isocyanate exposure.

Certain occupations are subjected to regulation and codes of practice which can include a requirement for specialist medical examinations.  They include:

  • Health care professionals.
  • Professional drivers (LGV, train, lift truck).
  • Flight crew.
  • Emergency services personnel (Police, Firefighters, Ambulance, Coastguard).
  • Food handlers.
  • Confined spaces workers.
  • Workers at heights.
  • Safety critical workers.
  • Offshore crew.

They are typically the highest risk jobs where specialist medical examinations can be worth the investment given the inherently higher materiality of breaches to your health and safety obligations.

A specialist medical process can take some time to conclude; good practice is to conclude within 6 weeks of your new starter taking up their job.

  1. Data Protection. The Employment Practices Code.  Information Commissioner’s Office.  November 2011.
  2. What is Valid Consent?  Information Commissioner’s Office web site.  Last checked 30th October 2020.
  3. Ethics Guidance for Occupational Health Practice.  Faculty of Occupational Medicine of the Royal College of Physicians.  November 2018.
  4. When is consent appropriate?  Information Commissioner’s Office web site.  Last checked 29th September 2021.
  5. When is it legal to access employees’ medical records?  People Management.  2018.
  6. The personification of chronic physical illness: Its role in adjustment and implications for psychotherapy integration.  Journal of Psychotherapy Integration.  2013.