The Information Commissioner issued Part 4 of the Data Protection Code of Practice (employment) dealing with Medical Records and health information in December 2004. At the same time he also issued Supplementary guidance to Part 4 of the Code along with Guidance for small businesses to Part 4 of the Code.

The general principle established by Part 4 of the Code is that an employer should only collect information relating to the health of individual workers if express, freely given, consent has been provided by the worker(s) concerned or the collection is necessary to enable compliance with the employer's legal obligations, notably with a view to preventing breach of health and safety regulations and/or anti-discrimination rules. Collection of medical records and health information relating to individual workers not covered by the above is likely to be unlawful and a breach of the Data Protection Act 1998.

In spite of its name the guidance for small businesses is more of a small guide for business (and a very well written one) than a guide for small businesses. Anyone coming to the Code for the first time would be well advised to start (after reading this note!) by looking at it as it provides an excellent summary of the general position.

In addition to direct relevance to privacy for medical Records and health information, Part 4 of the Code is of general importance. The opening sections cover the same general ground as is covered in the opening sections of Parts 1 to 3 of the Code, but significantly updated, in particular to take account of the judgment in Durant v Financial Services Authority CA 2003 EWCA Civ 1746 on 8th December 2003 in which the Court of Appeal gave guidance on the proper (quite restricted) interpretation to be given to Data Protection Act phrases such as data subject, data controller, personal data and relevant filing system.

It should be noted that data protection issues relating to the storage/keeping of and access to sickness records are mainly dealt with in Part 2 of the Code (on "Employment Records") at pages 22-24 and 32 (see notes at Data protection/Code of Practice/general and parts 1 and 2 ) and by the Access to Medical Reports Act 1988 rather than by Part 4 of the Code of Practice.

The Information Commissioner's Office Technical Guidance Notes webpages are an essential source of practical information on all aspects of data protection.

See also notes at ACTS OF PARLIAMENT etc/Access to Medical Reports Act 1988 and also notes at Data protection/Code of Practice/general and parts 1 and 2 and/or Data protection/Code of Practice/Monitoring staff - part 3 and/or Data protection generally.