With the GDPR due to come into effect later this month, HR departments need to be careful when processing data relating to an employee’s health – even if they have the employee’s consent to do so. Ruth Christy and Nicola Rochon explain what employers should do.
Many employers include terms in their contracts or sickness absence policies requiring employees to consent to a medical examination. This is usually to enable an employer to gather information on fitness for work for long term absence, or possibly as part of a contractual sick pay scheme.
However, under the General Data Protection Regulation (GDPR) coming into force on 25 May 2018, and a new Data Protection Bill replacing the Data Protection Act 1998 (DPA), employers will need to make an important distinction between consent to a medical examination and their lawful basis for processing personal data in medical reports.
GDPR compliance
Obtaining a medical report amounts to processing personal data for the purposes of GDPR and information about an employee’s health is one of a number of “special categories of data” (sensitive personal data under the DPA).
According to both the current DPA and GDPR there must be lawful grounds for processing such information. To date, most employers have relied on employees’ consent to obtain the report and process the data, with the requirement for consent included in contract terms or policies.
Giving consent
However, the GDPR and official guidance clearly state that if there is an imbalance of power between the parties (giving the example of employer and employee) then consent will not be valid. Therefore from what we know so far, once GDPR comes into effect it will be almost impossible for an employer to rely on consent to process employees’ personal data, even if it is given specifically in relation to a particular medical issue.
In light of this, employers seeking to obtain medical reports need to identify another legal basis for processing the data and for processing “special categories” of data.
Legal bases could include being necessary for the performance of a contract, to comply with legal obligations, or for the employer’s legitimate interests. For special categories of data, employers are likely to rely on processing being, as the GDPR puts it, “necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment law”.
These bases often overlap. For example, it may be necessary to process a medical report to fulfil contractual obligations such as sick pay or to identify eligibility for permanent health insurance. In addition, the employer’s obligations in connection with employment law include not discriminating against a disabled employee, identifying reasonable adjustments, not unfairly dismissing and assessing fitness to return to work.
Once GDPR comes into effect it will be almost impossible for an employer to rely on consent to process employees’ personal data, even if it is given specifically in relation to a particular medical issue.”
The conundrum is that on a practical level, employers need consent from the employee to undergo a medical examination and to consent to the release of the report. However, this must be clearly separated from consent to process the data under GDPR, because consent for that can no longer be relied on.
Employers will need to review and update employment contracts, sickness policies and associated letters – to obtain consent for the examination/release of the report, but not for processing the data.
They should ensure the collection of medical information is necessary, and be aware that asking the employee to obtain and give the employer their medical records (i.e. via a subject access request), as opposed to commissioning a medical examination/report, may amount to a criminal offence under the Data Protection Bill.
Under the Bill, employers will also need an “appropriate policy document” explaining how they handle special categories of data.
How do you view a company that keeps asking for paperwork to be filled out that already exist within a company, i.e. excessive requests to give the same information?
If there is a change in the risk of a role then it is a good idea to seek occupational health advice as to the suitability of the individual for the role, and advice on accommodations which might be required in the new role. So a new health questionnaire If the job is just in to a similar role eg admin roles then further OH advice is not required. Diane Romano-Woodward OH Advisor
I disclosed my health condition to my manager and senior supervisor in 2017 on the basis of it being confidential . I went off sick last year and my sick note detailing my health condition and why I was off sick was shared with a new manager that had joined the team. Would this consort as a breach of confidentiality, as I’d not given consent for it to be shared with anyone else? When I raised it with the manager I’d disclosed it to,she stated that it had to be done as part of reporting sickness to management.
How long can an occupational health company legally retain data gathered after the termination or expiry of a contract with a business?
I did a return to work 3 month ago and had to disclose my illness , my phone number and date of birth and national insurance number , I got a txt from my senior supervisor 3 month later stating I have to do the same return to work , I asked her why as I already y done it and she said someone has taken it out the folder , all my colleagues personally data has never been under lock and key and we have 6 supervisors from all different shifts going in that office , I am feeling reall distressed as to why any one would want to take that particular sheet .