Data protection code restricts random drug testing

The final part of the new data protection code [1] could place employers that randomly test all employees, not just those in safety-critical positions, in breach of the Data Protection Act.

In a "good practice" section, the Information Commissioner states that testing for drugs and alcohol should be confined to those workers whose activities actually have a significant impact on the health and safety of others.

"Even in safety-critical businesses, such as public transport or heavy industry, workers in different jobs will pose different safety risks," the advice says.

It goes on to suggest that testing of all workers in a business will not be justified where only workers engaged in particular activities pose a health and safety risk. The draft code also advises that testing should be designed to detect impairment, rather than the illegal use of a substance.

Sensitive data

Medical information will almost always be "sensitive data" under the terms of data protection legislation - for example, the results of a worker's health questionnaire or information about a worker's disabilities or special needs.

The Data Protection Act sets out conditions on the processing of such sensitive data and employers need to meet at least one of these if they store, use, disclose or otherwise process information on employees' health. "The collection and use of information about workers' health is against the law unless a sensitive data condition is satisfied," the draft code states starkly.

For example, obtaining the consent of employees to processing will not satisfy the code unless it is explicit and "freely given". A second condition that employers might cite in support of processing is that it is necessary to enable the employer to meet its legal obligations, for example under health and safety law. Employers also need to be clear that the benefits gained from "processing" medical information justify the intrusion into workers' privacy, and the code encourages the use of an impact assessment for this purpose.

The draft code on workers' health is the fourth part of the Information Commissioner's Employment Practices Data Protection Code, and aims to give employers guidance on how to comply with data protection legislation when handling information on workers' health. It covers the operation of occupational health services, pre-employment medical examinations and genetic testing, in addition to drug and alcohol checks:

  • Occupational health schemes: if workers use telephones and emails to talk to the occupational health service, employers should not compromise their confidentiality by monitoring these communications;
  • Pre-employment medical testing: employers should consider less intrusive ways of finding out information on the health of potential recruits, by using questionnaires for example; and
  • Genetic testing: the draft code suggests that genetic testing is still in its infancy, and should not be used to make predictions about a worker's future general health.

Comments on this final part of the code are invited by 27 February 2004, and the commissioner intends to consolidate and publish all four sections in the second quarter of next year. The code will not come into force until that date.

Adhering to the code, and adopting its recommendations for best practice, will help employers protect themselves from challenges against their data collection practices, and could help meet other legal obligations, under the Human Rights Act 1998, for example.

1. The Employment Practices Data Protection Code: part 4: Information About Workers' Health, Information Commissioner, December 2003, www.informationcommissioner.gov.uk.