The initial implementation of GDPR has (hopefully) been put into place, says Helen Hall, Legal Director of DLA Piper. However, GDPR is not a one-off tick box exercise. And one of the more challenging HR data areas is managing staff incapacity given the use of health information. So, what do you need to know?
Compliance requires challenging preconceptions and culture as to what information employers should have, freedom to use and share it and how to manage it. Although initial implementation of GDPR was a major project, it was never going to be a one-off exercise. It’s a process that involves creating a framework and behaviours to support a new way of handling information going forward.
Compliance regarding HR data is particularly challenging given the volume of data, the significant amount of “sensitive” or “special category” data and the relatively informal way it is often collected, shared and stored (emails, for example). In helping businesses to prepare I have come across many HR departments who assert they retain tight control over HR personal data, only to talk to managers and other departments to find vast amounts of information is also held on email, spreadsheets, local folders etc., including health information. And much of it is currently retained indefinitely.
One of the challenging HR data areas is managing staff incapacity given the use of health information. This of course is “special category” data under GDPR (“sensitive data” under the current rules).
Remember, personal data is very broad. Most if not all information employers hold about employees will be personal data. Processing includes everything done with personal data – from collecting information to storing, reading, using it for analysis or decisions, sharing it internally or externally and destroying it. All processing of health information must meet the GDPR requirements for special category data.
Consent from employees
Central to the significant challenge related to health information is that, under GDPR, consent from employees or candidates will rarely be a valid legal basis for holding or using personal data. This is because of the imbalance of power between employers and employees and candidates. Consent will rarely be considered sufficiently freely given to be valid. This is a very different position to the current normal UK practice of using generic consents within employment contracts as the basis for most, if not all, processing.
To collect or use health information employers must first show an A6 GDPR legal basis. Examples would be:
- Legal obligations e.g. ensuring a fair dismissal or paying SSP;
- Contract compliance e.g. provision of contractual pay and benefits; or
- Legitimate interest provided this is not overridden by the rights and freedoms of employees and candidates as data subjects.
In addition, employers must also demonstrate an additional A9 GDPR legal justification. The most relevant ones for health information are:
- Processing “necessary” for compliance with legal obligations related to employment law. This will enable the use of health information to follow a fair absence management procedure through to dismissal to ensure a fair dismissal, avoid disability discrimination, make reasonable adjustments, pay statutory sick pay, comply with health and safety obligations and the duty of care. However, under the Data Protection Bill there are some additional safeguard requirements which are likely to be required before employers can rely on this (see below).
- Assessment of working capacity by medical professionals such as occupational health. This however only applies to those professionals with professional confidentiality obligations. It enables OH practitioners to use health information to assess working capacity, but does not enable employers to hold or use the health information.
- Vital interests of the data subject or another person where they cannot give consent. This will cover a medical emergency.
- Explicit informed consent. This is subject to the difficulties, explained above, in employee or candidate consent being valid. Employers would need to show the processing was clearly voluntary and that there were no adverse or perceived adverse consequences of refusing. It may be the only option in some cases but should be used as a last resort, and only where specific consent forms are used which emphasise the voluntary nature of the processing, explain exactly what data will be used for what purpose, and set out what the consequences of giving or not giving consent are.
The most common ground relied on will be employment law compliance. This will cover a significant proportion of truly “necessary” processing. However, under the Data Protection Bill some additional safeguards were proposed that employers will be required to follow:
- Employers will need to have a documented internal policy relating to health information which they will have to maintain and disclose to the ICO if requested. This policy must set out the employer’s procedures for ensuring compliance with the A5 core data protection principles (fair and lawful processing, purpose limitation, adequacy and minimisation, accuracy, retention and security). It should also include information regarding retention and erasure.
- Employers with 250 or more employees are required to have an A30 record of personal data, and it is recommended that all employers have this record to support compliance with the GDPR requirements to have the right framework in place (design) and to be able to demonstrate compliance (accountability).
The employment law compliance justification should cover return to work interview records, medical reports, use of health information where necessary to support employees to remain in work, health and safety records, and formal absence management procedure records.
It will not, however, cover things like management reports, league tables, reporting reasons for absence where the detail does not need to be shared or recorded, use of health information for contractual (rather than statutory) benefits, most pre-employment medical forms, or procedures going beyond what can credibly be argued to be “necessary” for employment or health and safety compliance.
In these cases employers should review and try to cut down the recording, use and sharing of health information. For example:
- using eligibility for statutory sick pay as a trigger for paying company sick pay rather than processing health information for this purpose;
- using the fact of absence only wherever possible;
- cutting down or stopping pre-employment checks beyond those strictly required for health and safety (carried out via a third party specialist provider) or those purely seeking to identify any reasonable adjustments required;
- ensuring all health information for other benefits is shared directly between the third party benefit provider and the employee rather than via the employer, so that the benefit provider can obtain and rely on a consent without the restrictions on the validity of employer consent;
- stripping out details of reason for absence wherever possible;
- ensuring sharing is on a strict need to know basis related to roles and what is needed to comply with legal obligations;
- minimising the use of emails and, where emails are used, not using them as a document management system: saving necessary information in the proper place and deleting the email from the email system.
It is of course essential that employers comply with the A5 core data protection principles (see above) and other GDPR requirements. Practically, that includes considerations such as:
- Being careful not to use information for secondary purposes unless it is clearly lawful;
- Ensuring adequate information on which to make a judgement or decision;
- Ensuring no more information than needed;
- Ensuring accuracy including giving employees the chance to challenge accuracy;
- Not keeping medical reports or absence management procedure records for longer than necessary;
- Keeping information secure – restricting access, being careful how it is transferred (e.g. not scanning and emailing fit notes with no password, or printing to open printers), sharing on a true need to know basis, and being particularly careful when travelling or remote working;
- Ensuring adequate safeguards (such as EC approved model contract clauses) are in place for international transfers (including where information is stored on systems hosted out of the EU);
- Ensuring agreements are in place with providers who receive health information from the employer which meet the A28 GDPR requirements for processor agreements or, for providers who are controllers, have adequate safeguards generally;
- Ensuring relevant security breaches (including disclosure to the wrong recipients etc) are reported to the ICO under the A33 data breach reporting requirements where necessary.
It is also important to ensure compliance with individuals’ rights including the right to information (Privacy Notices), access, correction, restriction, erasure etc.
The worst case scenario fines for breaches of GDPR are eye-watering at £20,000,000 or 4% of global group turnover. While an employment related breach is unlikely to reach these levels, the ICO receives many complaints from employees, and a complaint could act as a gateway to a wider audit or investigation. In addition, employees can take their own enforcement action or sue for compensation.
There is also a link between privacy and employment rights. Employees may raise privacy compliance concerns and seek whistleblower protection. Employees are likely to be able to resign and assert constructive dismissal if there is a material breach of privacy rights. And, as time moves on, employment tribunals are more and more likely to take privacy compliance into account in considering whether there has been an unfair dismissal or unlawful discrimination.