When can an employer process health data under the GDPR?
Author: Ann Bugeja
The COVID-19 pandemic has drawn attention to the processing of health data and to the question of when such data may be processed, especially because employers are obliged to implement mitigation measures to ensure the safety of employees at the workplace. In this article we analyse some instances in which health data may be processed by an employer.
Health data is a special category of personal data under the General Data Protection Regulation (‘GDPR’). Article 9(1) of the GDPR prohibits the processing of the special categories of personal data it lists, and Article 9(2) lifts that prohibition only where one of the conditions it sets out applies. Several of those conditions depend on a basis in Union or Member State law, so national employment and health legislation must be checked alongside the Regulation itself.
Accordingly, within the context of an employment relationship, health data may be processed where the processing is necessary for the assessment of the working capacity of the employee (Article 9(2)(h)), provided that the data are processed by or under the responsibility of a professional subject to an obligation of professional secrecy under law, as Article 9(3) requires.
Sick Leave Entitlement of Employees
An employer needs to track the outstanding balance of the sick leave to which an employee is entitled at law. This in turn means that an employee must inform the employer when he is sick and needs to use some of his sick leave balance. It is important, however, that the employer's knowledge is limited to the fact that the employee is sick and therefore not fit for work; no further details of the employee's health condition should be known to the employer.
It is widely accepted that employers should process as little health data as possible and that, where health data must be processed, a doctor should do so on behalf of the employer. Thus, an employer must ensure that staff within the human resources department are aware only of whether an employee is fit or not fit for work and of the updated sick leave balance of each employee. When asking employees to provide medical certificates, the employer should require only that such certificates indicate whether the employee is fit or not fit for work and state the number of days of sick leave required; they should not include any diagnosis or other health data.
How can an employer confirm whether an employee is really sick?
Sometimes, employers send doctors to check on employees who have called in sick in order to confirm whether the employee is really sick. For this to be in line with the data protection principles established in the GDPR, the employer must ensure that, where the doctor acts on the employer's behalf, a data processing agreement meeting the requirements of Article 28 of the GDPR is signed between the employer and the doctor. Such an agreement needs to clarify in which instances the doctor processes personal data on behalf of the employer (as a processor) and in which instances the doctor acts as a controller in his or her own right when treating the employee as a patient.
It is important to note that the doctor should generally not share any health data with the employer, and in fact should only confirm whether the employee is fit or not fit for work and, where applicable, the number of days of sick leave required. Health data should be disclosed by the doctor to the employer only in exceptional and specific circumstances where a condition in Article 9(2) of the GDPR applies.
A situation may arise in which an employee is seen by two different doctors who do not agree on the number of days of sick leave the employee needs in order to recover and be considered fit for work again. To avoid such situations, when an employer engages a doctor to confirm whether an employee is really sick, it is recommended that a policy is established stating that the company doctor's decision and opinion will prevail over any other doctor's opinion. This ensures, for example, that the employer is not faced with conflicting opinions where one doctor recommends three days of sick leave and the other recommends one day.
Can an employer monitor the temperature of employees attending the workplace?
Before processing any personal data, an employer must ensure that it is relying on a relevant legal basis under the GDPR. Recital 46 of the GDPR notes that some types of processing may serve both grounds of public interest and the vital interests of the data subject, for instance when the processing is necessary for monitoring an epidemic. Recital 46 informs the choice of legal basis under Article 6; because a temperature reading is health data, the employer must additionally be able to point to a condition in Article 9(2), typically the legal obligation under employment and occupational health and safety law to protect employees at the workplace.
Therefore, given that in the present circumstances an employer is obliged to ensure employee safety at the workplace, an employer may lawfully check employees' temperatures when they enter the workplace, provided that such a condition applies and that the check is a proportionate means of achieving that aim.
It is nevertheless recommended that a policy be established which respects the principles of proportionality and data minimisation. For example, employers should not keep a log of the temperatures recorded, should take the reading in a manner that other employees cannot observe, and should explain to employees the rationale behind the temperature checks and what happens if a reading is above the threshold.
Can an employer disclose that an employee has been infected with COVID-19?
Employers should inform staff that a colleague may have COVID-19 and take the necessary protective measures, but should not communicate more information than necessary. In particular, the infected employee should not be identified by name unless this is strictly necessary for the protective measures to be effective, and in that case the employee should be informed beforehand.