Disclosure of health data in the context of occupational medicine and assessment of working capacity
Within the context of an employment relationship, an employer may engage a medical practitioner to render house-visit services, to conduct a medical examination and to report back to the employer about the health status of an employee who has reported sick for work.
Processing of Special Categories of Personal Data
In terms of article 9(1) of the General Data Protection Regulation (the “Regulation”), data concerning health constitutes a special category of personal data. As a general rule, the processing of special categories of personal data is prohibited unless one of the derogations set out under article 9(2) of the Regulation is satisfied. Article 5(1) of the Regulation lays down the principles relating to processing and, consequently, any legitimised processing activity shall be carried out within the parameters of those principles, in particular the principles of purpose limitation, data minimisation and storage limitation.
Lawfulness of the Processing
Within the context of the subject matter, the Regulation provides for two (2) legal grounds on which the controller may rely to legitimise the processing activity: article 9(2)(b) and article 9(2)(h). In the case of article 9(2)(b), the Regulation provides for a derogation whereby the employer, for the purposes of carrying out certain necessary obligations and exercising specific rights in the field of employment, is permitted to process special categories of data pertaining to employees. Article 9(2)(h), on the other hand, while constituting a valid legal ground for employers to process data concerning health when assessing the working capacity of an employee, specifies that such processing has to be carried out by or under the responsibility of a practitioner subject to the obligation of professional secrecy, or by another person who is also subject to an obligation of secrecy. It is evident that the intention of the legislator in the provision of Article 9(2)(h) was that, when a specific assessment of the working capabilities of an employee is carried out, a report of that assessment would be produced; in this spirit, the Regulation binds the employer with the additional safeguards provided under Article 9(3).
Personal data which may be processed
As regards which personal data shall be reported by the medical practitioner to the employer about the health status of the employee, this Office considers that, generally, the medical practitioner shall provide a ‘fit/unfit-for-work’ report following a medical assessment of the employee’s working capacity. Notwithstanding this, there may be some exceptions whereby the medical practitioner may be required to submit further information relating to the health status of the employee, in particular after assessing the potential risks linked with the medical condition or illness. In such a case, the medical practitioner shall carefully exercise reasonable discretion, in line with his professional duties, as to the extent of the health status he reports to the employer.
The employer, following receipt of health data from the medical practitioner, shall, in his capacity as a separate data controller acting in his own right, determine which personal data, if any, he shall process, after taking into account the principles of processing and the appropriate safeguards that the Regulation imposes when special categories of data are processed.
Data Retention Periods
Amongst the safeguards with which the controller (both the medical practitioner and the employer) shall comply is the principle of storage limitation in accordance with article 5(1)(e) of the Regulation. The general principle of storage limitation provides that personal data shall not be kept for longer than is necessary, taking into account the purposes of processing. This Office’s general line of advice is that the controller shall determine a justifiable retention timeframe for the personal data processed after taking into consideration, inter alia, any legal and operational requirements to which it may be subject. Retaining personal data for an indefinite period should be considered the exception and not the rule, and in such cases more rigorous justification will be required.
The relationship between the employer and the medical practitioner
In these circumstances, the Regulation does not provide for any specific requirement to regulate the relationship between separate controllers by means of a contract. Nevertheless, both parties may decide, from a commercial and legal point of view, to bilaterally agree on certain conditions to be included in the service contract in order to ensure that any personal data disclosed by one controller to the other is invariably processed in accordance with, inter alia, the applicable legal grounds and the principles of processing. From a data protection perspective, this Office advises that an agreement should be in place, providing for the minimum requirements set out under article 28(3) of the Regulation, to cover those limited processing activities that involve a controller-processor situation.
Article by Ian Deguara, on 29th July 2020