Medical Information and GDPR

Over the last couple of weeks I seem to have spent a lot of time dealing with employees’ health. If an employee is unwell employers are expected to do what they reasonably can to gain an understanding of the condition with a view to making reasonable adjustments if the employee is able to work and gaining a prognosis for return to work if the employee can’t work. That means getting some medical information.

Even where employees cooperate, it can be a very slow and frustrating process. Where employees don’t cooperate (and the two I’ve been dealing with recently are not), it becomes even more painful.

Then there’s the impact of GDPR and the Data Protection Act 2018 to consider. Getting a medical report amounts to processing personal data for the purposes of GDPR and information about an employee’s health is one of several “special” categories of data.

Most companies will have terms in their contracts or sickness absence policies requiring employees to consent to a medical examination.

It’s generally agreed that consent will not be valid as a basis for collecting and processing data because the consent is not genuinely given but required as part of the contract. In the case of asking an employee to give permission to write to his or her medical advisor or to see the company’s own GP, consent will be acceptable.

But you must make the distinction between an employee giving consent to a medical examination and the lawful basis for you to process personal data in medical reports.

There must be lawful grounds for processing such information. Under the DPA 1998 most employers relied on employees’ consent to both obtain the report and process the data.

Post-GDPR while you can collect data using consent, it will be almost impossible for a business to rely on consent to process employees’ personal data, even if it is given specifically in relation to a medical issue.

If you want to get a medical report, you must identify another legal basis for processing the data. Valid legal reasons include being necessary for the performance of a contract, compliance with legal obligations, or for the employer’s legitimate interests.

For special categories of data, most employers are likely to rely on processing being “necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment law”.

Sometimes the bases overlap. For instance, it may be necessary to process a medical report to fulfil contractual obligations such as sick pay or to identify eligibility for permanent health insurance. You must also ensure that you don’t discriminate against a disabled employee, make reasonable adjustments and don’t dismiss unfairly.

Before you start trying to collect personal data, ensure the collection of medical information is necessary.

It’s enough to give anyone a headache, but make sure that you have the protective framework in place. If you haven’t done so, review and update employment contracts, sickness policies and associated letters – to obtain consent for the examination/release of the report, but not for processing the data. Ensure you have an appropriate policy document explaining how you handle special categories of data.

If you have HR queries and problems, get in touch!



Although every effort has been made to ensure the accuracy of the information contained in this blog, nothing herein should be construed as giving advice and no responsibility will be taken for inaccuracies or errors.

Copyright © 2019 all rights reserved. You may copy or distribute this blog as long as this copyright notice and full information about contacting the author are attached. The author is Kate Russell of Russell HR Consulting Ltd.
