GDPR week 3 - Medical records and consent

Health information is "special category data" under the GDPR and the employer will need to show a lawful basis for processing it.

Under the Data Protection Act, employers have typically relied on consent to process medical information about their employees. Whilst explicit consent is a lawful basis for processing medical records and reports under the GDPR, as we explained in week 9, it is generally not appropriate to rely on consent in the employment context. So if consent is not an option, what is?

The most likely lawful basis in this context is that the processing is necessary for the performance of rights and obligations in connection with employment, for example:

  • Administering sick pay;
  • Providing access to health insurance or permanent health insurance benefits;
  • Making reasonable adjustments for disabled employees;
  • Considering medical evidence before dismissing an employee on the grounds of capability to ensure a fair dismissal.

Where an employee genuinely volunteers health information, it may be appropriate to rely on consent, but employers must bear in mind that consent can be withdrawn. If it is withdrawn and there is no other legal basis for processing the data, the data should not be retained.

You also need to bear in mind that under the Access to Medical Records Act (“AMRA”), consent will still be required to obtain a medical report about an employee. One-off reports from Occupational Health providers, company doctors and specialists may not strictly be covered by AMRA, but it is usual nonetheless to seek specific consent from the employee.

If the employee has not already been given a Privacy Notice, this should be done before the data is obtained, and it is advisable to provide employees with a specific privacy notice covering their medical records.

Should you require any guidance on this issue please do not hesitate to contact Claire Hollins or your usual Weightmans contact.
