Personnel Today

How will the GDPR affect the processing of employee health information?

by Ruth Christy and Nicola Rochon 4 May 2018

With the GDPR due to come into effect later this month, HR departments need to be careful when processing data relating to an employee’s health – even if they have the employee’s consent to do so. Ruth Christy and Nicola Rochon explain what employers should do.

Many employers include terms in their contracts or sickness absence policies requiring employees to consent to a medical examination. This is usually to enable an employer to gather information on fitness for work in cases of long-term absence, or possibly as part of a contractual sick pay scheme.

However, under the General Data Protection Regulation (GDPR) coming into force on 25 May 2018, and a new Data Protection Bill replacing the Data Protection Act 1998 (DPA), employers will need to make an important distinction between consent to a medical examination and their lawful basis for processing personal data in medical reports.

Obtaining a medical report amounts to processing personal data for the purposes of GDPR, and information about an employee’s health is one of a number of “special categories of data” (sensitive personal data under the DPA).

According to both the current DPA and GDPR there must be lawful grounds for processing such information. To date, most employers have relied on employees’ consent to obtain the report and process the data, with the requirement for consent included in contract terms or policies.

Giving consent

However, the GDPR and official guidance clearly state that if there is an imbalance of power between the parties (giving the example of employer and employee) then consent will not be valid. Therefore, from what we know so far, once GDPR comes into effect it will be almost impossible for an employer to rely on consent to process employees’ personal data, even if it is given specifically in relation to a particular medical issue.

In light of this, employers seeking to obtain medical reports need to identify another legal basis for processing the data and for processing “special categories” of data.

Legal bases could include being necessary for the performance of a contract, to comply with legal obligations, or for the employer’s legitimate interests. For special categories of data, employers are likely to rely on processing being, as the GDPR puts it, “necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment law”.

These bases often overlap. For example, it may be necessary to process a medical report to fulfil contractual obligations such as sick pay or to identify eligibility for permanent health insurance. In addition, the employer’s obligations in connection with employment law include not discriminating against a disabled employee, identifying reasonable adjustments, not unfairly dismissing and assessing fitness to return to work.

The conundrum is that, on a practical level, employers need the employee’s consent to a medical examination and to the release of the report. However, this must be clearly separated from consent to process the data under GDPR, because consent for that can no longer be relied on.

Employers will need to review and update employment contracts, sickness policies and associated letters – to obtain consent for the examination/release of the report, but not for processing the data.

They should ensure the collection of medical information is necessary, and be aware that asking the employee to obtain and give the employer their medical records (i.e. via a subject access request), as opposed to commissioning a medical examination/report, may amount to a criminal offence under the Data Protection Bill.

Under the Bill, employers will also need an “appropriate policy document” explaining how they handle special categories of data.

Ruth Christy and Nicola Rochon

Ruth Christy is a professional support lawyer and Nicola Rochon is a trainee solicitor in the employment law team at Blake Morgan LLP.

1 comment

Graham Herbert 12 Oct 2018 - 6:50 am

How do you view a company that keeps asking for paperwork to be filled out that already exists within a company, i.e. excessive requests to give the same information?

© 2011 - 2022 DVV Media International Ltd
