The volume, variety and velocity of data available to companies about their employees is already significant and likely to increase. Employers hold data about employees that could be used to explore the relationship between workplace practice in their organisation and risks to employee health. However, there is significant uncertainty about whether employers subject to English law are permitted to use this data for this purpose, and even whether they may be under a legal obligation to do so. In this article, the question of whether employers are legally permitted or legally obliged to use employee data to identify associations between workplace practice and risk to employee health is answered through an analysis of two spheres of English Law: data protection law, and health and safety law. The authors establish a hypothetical case study concerning a company that wishes to use employee data in this way, to illuminate a set of detailed legal issues. In particular, the question of whether a reasonable and prudent employer is under an obligation under health and safety law to use the data and analytic tools at his or her disposal to assess risk and inform his or her actions is considered. Also addressed is the question of whether such processing would satisfy the data protection law principles of “lawful, fair, and transparent” processing and that of “purpose limitation”. A complex picture emerges. The analysis reveals that data protection legislation may not support a trend towards the re-use of employee data to enhance workplace health and safety; nor is there currently a clear mandate that responsible employers use data in this way. The line between useful insight into workplace practices and intrusion into employees’ privacy remains blurred.