
In this article, Deirdre Crowley and Finín O’Brien, Matheson, look at data protection issues relevant to the processing of personal data in the context of employment medical assessments.
Employers may need to refer employees for medical examination, or obtain a medical report about an employee for a variety of reasons. This may occur, for example, as part of the recruitment process, as part of a routine periodic health assessment, when managing long-term absence (or investigating short-term absence), or to determine the extent to which an employee is fully or partially fit to partake in an investigation or employee disciplinary process.
While employment law considerations may be to the fore of employers’ minds in such cases, it is important not to lose sight of the data protection issues in play. We are seeing a recent upward trend in employees raising contentious data subject access requests which, from time to time, when unresolved, result in onward complaints to the Data Protection Commission. We are also seeing an upward trend in these cases including a claim in the Circuit Court and High Court for a breach of privacy, resulting in a compensation claim (Article 82 GDPR; Section 117 Data Protection Acts 2018). One hidden additional potential issue here is the possibility of a regulatory inspection by the Data Protection Commission where it has concerns in relation to data processing activities in the employment context.
Employment law considerations
Where an employer wishes to have a medical assessment completed in respect of an employee, it is important, in the first instance, to review the employee’s contract of employment and any company policies and procedures dealing with medical assessments. Employers should ensure that they are legally and contractually permitted to conduct the medical assessment and that any assessment is carried out in compliance with the employer’s own standards and protocols.
Employee Personal Data
In order for medical practitioners to properly conduct an examination, employers may have to share with them certain personal information about the employee. Such information might include, for example, previous sick leave absences, medical certificates, underlying medical conditions, or details of previous workplace accidents. This information can be particularly sensitive and it is not uncommon to see issues arise where an employee is unhappy with the manner in which their information is shared by an employer with a medical practitioner (or vice versa). Employers need to approach such scenarios with caution to ensure that they do not expose themselves to a potential data protection claim by an aggrieved employee. Of note, in 2019 the Cypriot Data Protection Regulator fined an employer €82,000 for the improper processing of special category data in the employment context.
Legal basis for processing personal data in employment
Employers in Ireland have a statutory right to process personal data relating to employment and social welfare matters (Section 46, Data Protection Acts 2018). While the type of data this right captures is not expressly defined, it is operationally accepted that this includes name, address, email address, PPS number, immigration data (where relevant and necessary) and bank details. In addition, employers have a legal basis to process health data for the purposes of occupational health (Section 52, Data Protection Acts 2018).
Consent is generally not accepted as a legal basis to process personal or special category data in the workplace unless exceptional circumstances arise. This is primarily due to the imbalance of power between an employer and employee.
Indeed, the Greek Data Protection Authority recently imposed a fine of €150,000 on a large accounting firm, where the firm sought to rely on consent as the legal basis for the processing of its employees’ personal data. It found that the consent of data subjects in the context of employment relations cannot be regarded as freely given due to the clear imbalance between the parties.
As a result, an employer needs to rely on another ‘legal basis’ in order to process employee personal data. Article 6 of the General Data Protection Regulation (the “GDPR”) sets out the other potential legal bases for processing, the most relevant of which are where:
- the processing is necessary for the performance of the contract to which the employee is subject (eg, his or her contract of employment); or
- the processing is necessary for the purposes of the ‘legitimate interests’ of the employer. For example, an employer may need to know whether an employee is fit and able to work.
The ‘legitimate interests’ of the employer cannot, however, be overridden by the rights and freedoms of the employee. The Cypriot GDPR fine of €82,000 was imposed on the employer due to the employer’s failure to demonstrate that its legitimate interests prevailed over the rights of the employees when applying certain automated systems to sick leave data.[1] This offers a warning for employers to approach the processing of sick leave and other health data with extreme caution, taking all measures to comply with their GDPR obligations. It is also a cautionary warning in relation to the use of AI-driven automated decision-making in the employment context.
The Irish Data Protection Commission (the “DPC”) recognised in a 2012 case study that an employer has a legitimate interest in knowing how long an employee is likely to be on sick leave, and in knowing whether an employee will be capable of doing particular types of work.[2] In all cases where personal data is being processed, an employer should ensure that it has selected an appropriate legal basis under Articles 6 and 9 GDPR and Section 52 of the Data Protection Acts and, importantly, that a record of the rationale for the use of the relevant lawful basis is kept.
Importantly, when processing special category data, the employer must ensure that “suitable and specific measures” are taken to safeguard the rights and freedoms of the employee. Such measures may include:
- limitations on access to the personal data undergoing processing within a workplace (in order to prevent unauthorised disclosure);
- strict time limits for the erasure of personal data;
- specific training for those involved in processing operations; and
- having regard to the nature, scope and purposes of data processing and the likelihood of risk (and severity of the risk) to the employee.
As such, it is wise for employers to approach the processing of employee health data, including transferring such information to medical practitioners, with caution. Employers should ensure that an appropriate legal basis is in place and should also implement adequate confidentiality and security protections.
Transparency
Under Article 13 GDPR, employers are required to communicate certain information to employees in circumstances where employers collect and process their personal data. This is generally achieved by way of a privacy notice. Privacy notices provide important information to employees about what information is collected and how it is processed.
Employers should review existing privacy notices in order to ensure they adequately explain to employees how their personal data will be collected, shared and retained in the context of medical assessments. For example, medical assessments will usually involve ‘special category’ data and, consequently, privacy notices should explain the basis for processing that information. Similarly, privacy notices should include information on the recipients of data (eg, independent medical practitioners) and how long any medical reports might be retained by the employer.
The DPC has also stressed the importance of informing employees of the purpose of the medical examination. In this regard, it is helpful for the employer to inform the employee in writing of:
(i) the purpose of the medical examination;
(ii) the information that may be provided to the medical practitioner; and
(iii) the legal basis on which the employer is processing the employee’s health data.
This information could be included in a privacy notice or in the letter notifying the employee of the requirement to submit for a medical assessment.
It is important for the employer to remember that where one purpose is given for the processing of personal data (eg, to assess whether the employee is fit to perform his employment duties), the employer may not subsequently be able to utilise the data for another purpose. For example, an employee might be informed initially that his or her personal information will be processed for the purpose of assessing his or her fitness to work. The employee is not informed however that the data may be used for any other purpose. In the event that the employment relationship deteriorates and the matter escalates to court, an employer may find itself in difficulty if it has not explained to the employee that such data may be used for the purpose of legal proceedings.[3]
Any communication with employees should therefore be carefully considered and sufficiently encompassing. Privacy notices should be drafted in such a way as to ensure that employees are properly informed of how their data may be used in future. This will have the benefit of ensuring that employees are not taken by surprise by subsequent processing which may occur in the employment context.
Relationship between the Employer and the Medical Practitioner
Under the GDPR, a controller is a person or entity that determines how and why personal data is processed. A processor, on the other hand, is a third party that processes personal data on behalf of the controller. Joint controllers are two or more people or entities that jointly determine the means and purposes of the data processing. The DPC has emphasised that whether an entity is a controller, processor or joint controller is a question of fact which should be assessed on a case-by-case basis.
Conclusion
While the DPC has yet to impose any GDPR fines and penalties on employers in Ireland, the fining practices of other national authorities demonstrate that employers need to be wary as regards the processing of employee personal data. This is particularly the case where a medical assessment of an employee is being completed. Employers should carry out a data protection review of their internal procedures, policies and notices dealing with medical assessments, in order to ensure they are meeting all their legal obligations.
[1] The decision (ref. 11.17.001.006.043) is available on the website of the Cypriot Supervisory Authority: http://www.dataprotection.gov.cy/dataprotection/dataprotection.nsf/All/638BA18A544E5DEDC22584FC0031C7C7?OpenDocument, accessed on 14 February 2020.
[2] Data Protection Commissioner Case Study 11 of the 2012 Annual Report: ‘Department of Education Circular leads to Complaint about Sick Leave Information’.
[3] See Data Protection Commissioner Case Study 1 of 2004: ‘Employment matters – claim of legal privilege and access to medical data in the workplace’.