How will the GDPR affect the processing of employee health information?

With the GDPR due to come into effect later this month, HR departments need to be careful when processing data relating to an employee's health - even if they have the employee's consent to do so. Ruth Christy and Nicola Rochon explain what employers should do.

Many employers include terms in their contracts or sickness absence policies requiring employees to consent to a medical examination. This is usually to enable an employer to gather information on fitness for work for long term absence, or possibly as part of a contractual sick pay scheme.

However, under the General Data Protection Regulation (GDPR) coming into force on 25 May 2018, and a new Data Protection Bill replacing the Data Protection Act 1998 (DPA), employers will need to make an important distinction between consent to a medical examination and their lawful basis for processing personal data in medical reports.

Obtaining a medical report amounts to processing personal data for the purposes of GDPR and information about an employee's health is one of a number of "special categories of data" (sensitive personal data under the DPA).

According to both the current DPA and GDPR there must be lawful grounds for processing such information. To date, most employers have relied on employees' consent to obtain the report and process the data, with the requirement for consent included in contract terms or policies.

However, the GDPR and official guidance clearly state that if there is an imbalance of power between the parties (giving the example of employer and employee) then consent will not be valid. Therefore from what we know so far, once GDPR comes into effect it will be almost impossible for an employer to rely on consent to process employees' personal data, even if it is given specifically in relation to a particular medical issue.

In light of this, employers seeking to obtain medical reports need to identify another legal basis for processing the data and for processing "special categories" of data.

Legal bases could include being necessary for the performance of a contract, to comply with legal obligations, or for the employer's legitimate interests. For special categories of data, employers are likely to rely on processing being, as the GDPR puts it, "necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment law".

These bases often overlap. For example, it may be necessary to process a medical report to fulfil contractual obligations such as sick pay or to identify eligibility for permanent health insurance. In addition, the employer's obligations in connection with employment law include not discriminating against a disabled employee, identifying reasonable adjustments, not unfairly dismissing and assessing fitness to return to work.

The conundrum is that on a practical level, employers need consent from the employee to undergo a medical examination and to consent to the release of the report. However, this must be clearly separated from consent to process the data under GDPR, because consent for that can no longer be relied on.

Employers will need to review and update employment contracts, sickness policies and associated letters - to obtain consent for the examination/release of the report, but not for processing the data.

They should ensure the collection of medical information is necessary, and be aware that asking the employee to obtain and give the employer their medical records (i.e. via a subject access request), as opposed to commissioning a medical examination/report, may amount to a criminal offence under the Data Protection Bill.

Under the Bill, employers will also need an "appropriate policy document" explaining how they handle special categories of data.