Data privacy and protection and employee health information systems

Many companies have implemented electronic systems to manage employee health and safety record-keeping, and in this age of globalisation, some are seeking to extend these systems to their global operations.

For multinational companies to gather global employee health data, they must first navigate the rocky shoals of international data protection legislation. European Union member countries and the works councils in place at many EU companies are particularly concerned about the collection and sharing of sensitive employee data. What, then, are the issues a company would encounter in a global occupational health (OH) and safety system roll-out, and how can they be overcome?

If we are collecting data on EU employees, must the data be stored on a separate computer server located in the EU, or can it be stored on a server overseas – for example, in the US? This issue is typically the first stumbling block.

EU Data Protection Directive

The 1995 EU Data Protection Directive 95/46/EC contains a general prohibition against the transfer of EU personal data outside the EU unless certain exceptions are met. These are:

Safe Harbour: The US Department of Commerce and the EU Commission have developed a ‘Safe Harbour’ framework. Safe Harbour enables EU personal data to be sent to US companies (except financial companies) that self-certify under the Safe Harbour framework. An eligible US company must have a company privacy policy that embodies the seven Safe Harbour principles, and they must submit a straightforward letter or certification explaining this.

Model contracts: The EU Directive provides that an EU company can send personal data to a company in another country provided there are contractual arrangements in the form prescribed by the European Commission between those two companies confirming the existence of data protection safeguards.

Binding corporate rules (BCR): BCR is a set of contractual clauses, policies or procedures that apply throughout a multinational company permitting the transfer of personal data not just between two companies (as with model contracts) but within the group of affiliated companies. However, the multinational company must obtain the consent of the Data Protection Authority in each EU country from which data will be exported.

Adequate Level of Protection: The EU Commission issued a decision on the basis of Article 25(6) of directive 95/46/EC that the privacy legislation in place in Switzerland, Canada, Argentina, Guernsey and the Isle of Man provides an “adequate level of protection”. As such, EU personal data can be sent to those countries without any additional measures.

There are valid reasons why a multinational may wish to combine employee health data from global sites on one server – for example, to run aggregate reports for all employees, or to be able to view critical information in the prior health record for an ex-pat employee transferring from an EU country. This would be possible only if the personal data is stored on a common server, typically in the non-EU country’s head office.

EU companies and their employees and works councils may have concerns about storing EU data in the US because of the USA Patriot Act. This statute, passed in the aftermath of the 9/11 terrorist attacks, gives US law enforcement agencies certain extraordinary rights of surveillance and access to personal data as part of counter-terrorism efforts. Due to concerns about the Patriot Act, EU companies, and even US companies with EU affiliates, sometimes enquire as to how their global data might be hosted in Canada or the UK instead of the US.

Processing personal data in the EU

The good news is that the transfer of EU personal data outside the EU is not overly challenging. The bad news is that the mere processing of personal data and employee health data in the EU is permissible only if stringent requirements are met.

Under the EU Directive, personal data must be processed “fairly”. In order for an EU company to collect personal data fairly, the affected staff must receive thorough notice as to what information is being collected, why it is being collected, who will have access to it, where it will be sent, and the rights of the employee with respect to their personal data file.

Under the EU Directive, employee health data is considered ‘sensitive’ data, and thus is subject to even more stringent protection than ordinary personal data. An EU company can process employee health data only if such processing is necessary either for compliance with employment law obligations or for medical prevention, diagnosis or care, and if the processing is carried out by a medical professional subject to an obligation of confidentiality or by another person subject to a similar obligation of confidentiality.

OH practitioners therefore can carry out audiometric testing, medical surveillance, clinical testing or drug testing for purposes of employment law compliance.

Doctors and nurses, both of whom have societal obligations of confidentiality, and non-clinical administrators who are subject to written confidentiality agreements, are covered by the exception and can also process sensitive health information. Under EU law, employers are allowed to gather employee health data for occupational and non-occupational procedures and examinations, including health and wellness, flu clinics, immunisations, travel clearance, medical examinations and disability case management conducted by medical professionals and other health clinic employees subject to confidentiality obligations. This information should be gathered and shared only on a strict “need to know” basis.

Employee consent

The restrictions noted above on the processing or transfer of personal data can all be overcome if there is explicit employee consent. However, obtaining employee consent is administratively cumbersome. It is also, somewhat surprisingly, dimly viewed by the EU Data Protection Authorities.

The EU Directive requires that consent for the processing of sensitive personal data, such as health data, must be an unambiguous, explicit, freely-given, specific and informed indication of the individual’s wishes.

This condition can be difficult to satisfy where the individual concerned is an employee. Some of the EU data protection authorities regard employee consent with scepticism, and do not consider that it is often possible for individuals to provide ‘freely-given’ consent in an employment context due to the supposed unequal bargaining position of employees compared to their employer.

Although it is not the case that employee consent can never be relied upon for the processing of sensitive personal data, it should be considered as a last resort and a condition that is best relied on in conjunction with other exceptions, such as those described above.

As an additional safeguard, the EU Directive also states that the EU company must implement “appropriate technical and organisational measures” to protect against unauthorised disclosure or access.
In this age of globalisation and offshore manufacturing, the health and safety of an organisation’s global workforce is of increasing importance. There are legal, moral and reputational reasons why a multinational company should be as vigilant in the protection of the health and safety of its global workers as those in the parent company’s head office, even if the local occupational health and safety legislation is less stringent.

A comprehensive employee health system will aid that effort. In this case, the tail should not wag the dog. Provided the company complies with all of the legislative safeguards and protections, a company may process employee health information in a global setting to protect the health and safety of its workforce.

Mark Wallace is president of Medgate ( and can be contacted at
