What does the GDPR mean for personal data in medical reports?
This article first appeared in People Management on 8 May 2018.
Contracts or sickness absence policies often require employees to consent to a medical examination, for assessing fitness for work or maybe to fulfil contract terms such as sick pay or eligibility for permanent health insurance. Employers are aware that the GDPR coming into force on 25 May, and the new data protection bill replacing the Data Protection Act 1998 (DPA) will result in a change to many policies, documents, contracts and letters – but have they considered sickness absence policies?
The crucial point to note is that under the GDPR there will need to be a distinction between consent to a medical examination on the one hand and the lawful basis for processing the personal data collected via medical reports on the other. Previously, employers haven't had to make such a distinction and have bundled consent to be examined with the consent to process sensitive personal data. From what we know so far, this will no longer be possible.
Information about an employee's health is considered a ‘special category of data’ under the GDPR (sensitive personal data under the DPA), which an employer will need to process if it obtains a medical report. Processing special categories of data is prohibited unless one of a number of exceptions applies.
One of these is explicit consent but the GDPR and official guidance clearly state that if there is an imbalance of power between the parties (giving the example of employer and employee) then consent will not be valid. Therefore, it appears that once GDPR comes into effect it will be almost impossible for an employer to rely on consent to process employees' personal data, even if it is given in relation to a particular medical issue.
Tips for employers
Employers seeking to obtain medical reports therefore need to establish: a) another legal basis for processing the data; and b) an exception allowing them to process this ‘special category’ of data. Possible legal bases include processing that is necessary for the performance of a contract, for compliance with a legal obligation, or for the employer's legitimate interests.
For special categories of data, employers are likely to rely on processing being “necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment law” (Article 9(2)(b) GDPR). For this, under the new data protection bill, employers will need an ‘appropriate policy document’ explaining how they handle special categories of data.
Employers could point to several overlapping lawful reasons – such as the contract (sick pay or to identify eligibility for permanent health insurance), or the employer's legal obligations not to unfairly dismiss, not to discriminate against a disabled employee, to identify reasonable adjustments where applicable and to ensure they are fit to return to work.
How does this work in practice, given that employers will still be asking for consent? On a practical level, you cannot force an employee to attend a doctor's appointment or even to agree to release the report to you. The answer is that this consent to be examined must be clearly separated from consent to process the data under the GDPR, because consent for the latter can no longer be relied on.
So the GDPR affects everything, including sickness absence policies, letters inviting employees to attend medical examinations and potentially clauses regarding medical examinations in employment contracts that may all refer to consent to process sensitive personal data.
As the data protection bill is currently worded, asking the employee to obtain their own medical records (i.e. via a subject access request) and hand them to the employer, as opposed to commissioning a medical examination or report, may also amount to a criminal offence under the bill.
Under the GDPR, employers should ensure the collection of medical information is necessary, that they have a lawful ground for processing it and that they can point to an exception for processing special categories of data that is not consent. Employers should also keep an eye out for ICO guidance for employers, which is awaited on many topics, including this.