Since GDPR was enforced back in May 2018 (which seems light years ago now!), employers need to be extra careful in how they request and handle sensitive employee data, even where the employee has provided their written consent.
Before GDPR came along, you were able to rely on an employee simply giving their written consent for a medical report to be obtained and for the information received to then be used (‘processed’) in line with the company policy/contractual terms.
However, GDPR states that consent may not be valid where there is an imbalance of power between the two parties, e.g. employee/employer. This now makes it very difficult for an employer to rely on the employee’s consent alone, as you may have done previously.
The key difference under GDPR is that employers need to clearly distinguish the difference between two areas:
1. consent to a medical examination; and
2. the lawful basis on which they rely in order to process any personal data they obtain.
Most company absence policies reserve the right to seek an employee’s consent to obtaining medical information if required. This is usually to help with managing long-term sickness cases and, in some instances, where the information has some bearing on company sick pay.
‘Processing’ under GDPR is defined as ‘necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or the data subject in the field of employment law’.
Be mindful that the act of obtaining a medical report amounts to ‘processing’ personal data under GDPR, and that information relating to an employee’s health is classed as ‘special category/sensitive personal data’ under the DPA. As such, there must be lawful grounds for processing any such information under both the GDPR and the DPA rules.
This means that when handling ‘special category data’, you must demonstrate a second legal basis for processing the data you obtain. This basis could be:
where it is necessary for the performance of a contract;
to comply with legal obligations; or
for the employer’s legitimate interests.
Taking medical information as the example, if you are managing an individual who has a health condition, it may be necessary to process a medical report for several reasons: to fulfil contractual obligations regarding sick pay, or to enable a check on eligibility for permanent health insurance. It may also be legitimate to process such information to ensure that you are not discriminating against an employee with a disability, as it would help to identify any reasonable adjustments or to assess fitness for work, etc.
To summarise, from a practical perspective, you need two distinct consents from an employee: a) to undergo a medical examination/have a report requested, and b) to the release and processing of that report.
It is really important to ensure that the collection of any medical information is necessary and, if you need to request a medical examination/report, that you are clear as to the specific health issue and are not requesting an individual’s full medical records, as this could now amount to a criminal offence under the Data Protection Bill.
You should have reviewed and updated all of your employment contracts, sickness policies and associated letters as part of your GDPR preparations in relation to obtaining consent for the examination/release of a medical report. You should also have a separate policy for processing data, explaining how you handle ‘special category data’.
If you aren’t sure whether the clauses within your absence management policies and requesting medical information are correct or have the clarity required, we can help. Get in touch and we’ll review your policy for free.
Please note our blog posts contain general information and are intended as guidance only and should not be taken as an authoritative or current interpretation of the law. Please ensure that you obtain advice tailored to your individual situation before taking action. These posts apply to the UK only.