The EU’s General Data Protection Regulation, due to come into force in May 2018, is predictably throwing up many questions about how organisations should collate, manage and process sensitive employee data to ensure compliance and prevent a potentially costly breach. Claire Wright, quality and data privacy manager at MHR, examines how GDPR will impact the lawful management of employee health records.
With constant fear-based articles littering our social news feeds about the exponential costs of a breach, the importance of GDPR readiness is getting lost or ignored, which is in itself creating an unknown and potentially costly business risk.
It is key to understand that health data remains a category of sensitive data under GDPR and the conditions of processing sensitive personal data must still be met. These have been a requirement of the UK Data Protection Act since 1988.
The conditions prescribe that:
· there must be a legal basis for processing;
· the individual must be aware of how their data is being processed;
· the individual must be aware of, and able to exercise, their rights in accordance with how and when their data is processed;
· the data must be accurate, up to date and kept secure;
· the data must not be used for a new or separate purpose without the above being met.
In regard to health records, consent is the legal basis most heavily relied upon for processing, but this comes with its challenges.
It is the definition of consent and the recording of consent that the GDPR has strengthened. What historically was considered best practice now becomes a condition under GDPR. To be valid, consent must be explicit, demonstrated by an affirmative action of the individual, clear and easy to understand, recorded, and capable of being withdrawn upon a valid request from the individual. Depending on your organisation’s size, structure and current processes, this could be a minor or a major administrative obligation.
It is pertinent to draw attention to a slight yet poignant change in the definition. Currently the definition refers to data ‘regarding health’; within GDPR it changes to data ‘concerning health’.
This greys the lines of clarity somewhat: could an email message saying that John Smith is asking for ‘paracetamol’ be data concerning health? In its raw form you could argue yes, but he could be asking on behalf of someone else.
Let us put our professional and reasonable hats back on for a moment: keep these changes in mind when you review your current practices against the GDPR requirements, as there may be instances where a practice does require changing.
So, ask yourselves: Do you know how and why you process health data? Not just within your HR department but the wider management and employee population? How are return-to-work interviews conducted and recorded? How are sick notes processed? Are absences discussed in open environments? Who has access to medical records? Do your employees understand why their health data is collected and used? Have they provided explicit consent? Is this recorded?
It is important to revisit your current absence and health management processes and policies to ensure that the GDPR conditions of consent are met. Do not forget to educate, and to provide adequate resources and training to, those individuals within your organisation, and those who process this information on your behalf. This is a key requirement in protecting both the individual and yourselves against a breach.
Please note that this article is GDPR specific; there are other regulations and codes of conduct relating to the processing of health and/or medical information which should also be considered.