Cookies consent

We use cookies on this website. You can choose to accept them all or to opt out of some. You can change your consent at any time by opening this window again

I consent to cookies

We use cookies on this website. You can choose to accept them all or to opt out of some. You can change your consent at any time by opening this window again

I do not consent to cookies

If you choose this option, we will block all performance, targeting and persistent cookies. Many parts of this site will then not work.

Please read the full details in our Cookie Statement.

The ICO has published new guidance for employers on sharing personal data in mental health emergencies

The ICO has published new guidance for employers on sharing personal data in mental health emergencies

by Hannah Thomas
15 Mar 2024

The Information Commissioner’s Office (ICO), which is the UK regulator on data protection legislation, has published guidance which sets out recommendations for employers on the sharing of necessary and proportionate employee personal data with the relevant emergency services and health professionals, to mitigate against the risk of serious harm to the worker concerned or to others.

 

The ICO guidance defines a mental health emergency as a situation in which you believe that someone is at risk of serious harm to themselves, or others, because of their mental health. This can include the potential loss of life.

 

The guidance sets out that employers must:

 

  • Identify the correct lawful basis for processing and sharing personal data in circumstances where a mental health emergency occurs. The same data protection obligations apply to processing information about your workers’ mental health as their physical health. See our fact sheet on ‘data protection for employers’ on the FSB Legal and Business Hub for guidance.

 

The guidance additionally recommends that employers should:

  • Develop a policy on personal data sharing for mental health emergencies. The policy should describe the type of information involved, who they may need to share the information with and the security measures in place. Such a policy should be shared with all workers and training provided on handling personal data during a mental health emergency.

 

  • Ensure that details of next of kin and emergency contacts for workers are kept up to date through regular review. To enhance confidentiality of their mental health information, employers could consider allowing workers to provide separate emergency contacts for general emergencies, as compared to mental health emergencies.

 

It is important to ensure that any emergency contacts or details of the employee’s next of kin that the employee has provided to the employer are still up to date as, for example, sharing information in a domestic abuse situation could put the employee at further risk.

 

A policy on data sharing for mental health emergencies could be contained with the employer’s general data protection policy.  The guidance reflects the balance between the need to maintain employee privacy with the need to act decisively in situations where an individual’s mental health may pose a risk to themselves or others, which means that employers may find themselves needing to make a delicate judgement call.

 

Employers are not medical experts in relation to their staff and are not expected to give mental health or medical advice.  If the situation is non-urgent, and there is no risk of suicide or self-harm but the employee is in a state of general distress it is advisable to speak to the employee in confidence by suggesting that they seek appropriate professional or medical help.

 

A template data protection policy and employee emergency contacts form can be found on the FSB Legal and Business Hub. See also our Workplace Wellbeing Hub on the FSB website: https://www.fsb.org.uk/knowledge/fsb-infohub/workplace-wellbeing.html