Partner Sue Dowling, in our Employment Law team, explains data protection issues surrounding employers storing medical certificates or fit notes.
Data protection law is intended to ensure that, where organisations hold or process information about individuals, they do so securely and only use and retain that information where there is a legitimate basis for doing so and the approach they adopt is proportionate.
For some organisations, the thought of understanding and following data protection law may well be a daunting one. The current law surrounding data protection, which derives from the EU General Data Protection Regulation (more commonly known as GDPR), is complicated. The GDPR was incorporated into UK law by the Data Protection Act 2018, and the rules it established remain unaffected by the UK’s departure from the EU. Failure to comply with data protection law can result in heavy fines (in theory up to 20 million Euros or 10% of turnover), not to mention serious reputational damage.
Certainly, employees are now much more aware of their rights. In a recent case, a large supermarket was forced to settle after it was revealed that it had “lost” an employee’s employment records, including sensitive medical documents, and the employee pursued a data breach claim.
While the rules may seem complex and in some cases counter-intuitive, employers need to take data protection seriously. If you are unsure about your obligations regarding data protection, it is important that you seek legal advice.
In this blog article, we look at the issues surrounding employers storing medical information including fit notes. To do so, we first need to look at some of the definitions which apply.
What does ‘processing’ mean?
‘Processing’ data includes the recording, storing, retaining and filing any data about a living individual.
What is health information?
During the course of an individual’s employment, employers will wish, if not need, to process certain data concerning their employees’ health; for example, if an employee is signed off sick, an employer will wish to process and store medical certificates and fit notes. In light of COVID-19, even storing information such as Coronavirus symptoms qualifies as processing health data.
Processing health information?
As well as complying with the main GDPR principles, employers must also ensure that the following rules are met when processing health information:
- That a lawful condition for processing personal data under Article 6(1) of the Retained Regulation (EU) 2016/679 applies, and
- That a specific condition for processing special category data under Article 9(2) of the Retained regulation (EU) 2016/679 applies.
A lawful basis for processing the information?
In order to process information regarding an employee’s health, employers must first show that there is a ‘lawful basis’ for doing so. In relation to medical certificates and fit notes, employers may rely on ‘legitimate interest’ as a basis for processing the data contained within them. An employer can claim to have a legitimate interest in managing the ill-health of their employees in order to manage their obligations to the employee in terms of pay, to monitor productivity and the impact on other employees, and to protect the commercial viability of the business.
Another possible justification for processing such health data is ‘consent’. However, relying on ‘consent’ in an employment context is problematic: consent must be freely given, and there is an imbalance of power between employer and employee; moreover, consent can be withdrawn by the employee after it has been given.
Identifying the basis on which you are processing health data is important, but so is thinking about the justification for keeping it and for how long.
Documenting and recording your approach is both a useful discipline and a potential defence as organisations need to be able to show that they have properly considered which lawful basis applies to the processing of different data. These records should be readily available - if the Information Commissioner’s Office (‘ICO’) receives a complaint, organisations will need to produce records to demonstrate on which lawful basis they have relied in order to process the data.
A specific basis for processing it?
As we have said, there are special rules for processing information relating to an individual’s health, as it is more sensitive than other data. Therefore, as well as the general lawful basis (above) for processing data, the law places an extra set of restrictions on the processing of sensitive data. There are 10 legal bases for processing sensitive data (too many to go into in one blog post…) but in relation to medical notes and fit notes organisations must ensure that processing such information is necessary for the ‘obligations and rights in the field of employment law’.
How long can information be kept?
Data protection law sets no specific period for the retention of employees’ personal data, but one of the key GDPR principles is that personal data should not be kept for longer than is necessary in the context of the basis on which you are asserting that it is necessary to process or use it.
What happens if there has been a data protection breach?
If you believe there has been a data breach, it is important to make a report to your company’s data protection officer and they can then decide whether to make a report to the ICO. The ICO may investigate the report and decide whether any action should be taken against the company.
If you have any questions regarding Data Protection or are not sure whether you are processing employees’ data lawfully, please contact our specialist Employment Law team. We will be happy to assist you.
For further information or legal advice, please contact law@blandy.co.uk or call 0118 951 6800.
This article is intended for the use of clients and other interested parties. The information contained in it is believed to be correct at the date of publication, but it is necessarily of a brief and general nature and should not be relied upon as a substitute for specific professional advice.