Claire Wright, Quality & Data Privacy Manager at MHR, examines how GDPR will impact the lawful management of employee health records
The EU’s General Data Protection Regulation is predictably throwing up many questions about how organisations should collate, manage and process sensitive employee data in order to ensure compliance and prevent a potentially costly breach.
With fear-based articles about the spiralling costs of a breach littering social news feeds, the importance of GDPR readiness is getting lost or ignored, which in itself creates an unquantified and potentially costly business risk.
Whilst there are other regulations and codes of conduct relating to the processing of health and/or medical information that should also be considered, the requirements of the GDPR must be met as well. Health data is a category of sensitive data under GDPR, and the conditions for processing sensitive personal data must still be satisfied.
These have been a requirement of the UK Data Protection Act since 1988 and prescribe that:
There must be a legal basis for processing;
The individual must be aware of how their data is being processed;
The individual must be aware of and able to execute their rights in accordance with how and when their data is processed;
The data must be accurate, up to date and kept secure;
The data must not be used for a new or separate purpose without the above being met.
Consent comes with challenges
With regard to health records, consent is the legal basis heavily relied upon for processing, but this comes with its challenges.
It is the definition of consent, and the recording of it, that the GDPR has strengthened. What historically was considered best practice now becomes a condition of validity under GDPR. To be valid, consent must be explicit and demonstrated by an affirmative action of the individual; it must also be clear, easy to understand, recorded and capable of being withdrawn upon valid request from the individual. Depending on company size, structure and current processes, this could be a minor or a major administrative obligation.
It is important that attention is drawn to one slight, yet pertinent, change in definition. Currently the definition refers to data ‘regarding health’; within GDPR, it changes to ‘concerning health’.
This blurs the lines somewhat: could an email message saying that John Smith is asking for ‘paracetamol’ be data concerning health? Taken in its raw form you could argue yes, but he could be asking on behalf of someone else.
Let us put our professional and reasonable hats back on for a moment and keep this change of wording in mind when reviewing current practices against the GDPR requirements, as there may be instances where a practice does require changing.
So, ask yourselves: Do you know how and why you process health data, not just within your HR department but within the wider management and employee population? How are return-to-work interviews conducted and recorded? How are sick notes processed? Are absences discussed in open environments? Who has access to medical records? Do your employees understand why their health data is collected and used? Have they provided explicit consent? Is this recorded?
Need to revisit current processes
It is important to revisit your current absence and health management processes and policies to ensure that the GDPR conditions of consent are met, and to educate and provide adequate resources and training to individuals within your organisation, or to those who process this information on your behalf. This is a key requirement in protecting both the individual and yourselves against a breach.
MHR specialises in helping organisations to embrace the operational and strategic challenges of modern business, covering talent management, HR, payroll and business analytics. MHR is helping to drive the performance of businesses employing over 6% of the UK workforce.
With over 30 years of experience, MHR provides entirely UK-based solutions and services, injecting best practice processes into the entire employment lifecycle, from recruitment to succession planning. This enables customers to transform their business by removing administrative burdens, by reducing operational costs and by retaining and developing business critical talent in line with corporate goals.