PRINT IT RESELLER.UK | GDPR | 43

GDPR: what are the implications for managing employee health data?

Claire Wright, Quality & Data Privacy Manager at MHR, examines how GDPR will impact the lawful management of employee health records

Claire Wright

The EU’s General Data Protection Regulation is predictably throwing up many questions about how organisations should collate, manage and process sensitive employee data to enforce compliance and prevent a potential costly breach.

With fear-based articles about the exponential costs of a breach littering social news feeds, the importance of GDPR readiness is getting lost or ignored, which in itself is creating an unknown and potentially costly business risk.

Whilst there are other regulations and codes of conduct that relate to the processing of health and/or medical information, which should be considered, it is necessary also to meet the requirements of the GDPR. Health data is a category of sensitive data under GDPR and the conditions for processing sensitive personal data must still be met.

These have been a requirement of the UK Data Protection Act since 1988 and prescribe that:

• There must be a legal basis for processing;
• The individual must be aware of how their data is being processed;
• The individual must be aware of and able to execute their rights in accordance with how and when their data is processed;
• The data must be accurate, up to date and kept secure;
• The data must not be used for a new or separate purpose without the above being met.

Consent comes with challenges

With regard to health records, consent is the legal basis heavily relied upon for processing, but this comes with its challenges.

It is the definition of consent and recording of consent that the GDPR has strengthened. What historically was considered best practice would now be made conditional under GDPR. To be valid, consent must be explicit, demonstrated by an affirmative action of the individual, and be clear, easy to understand, recorded and capable of being withdrawn upon valid request from the individual. Depending on company size, structure and current processes, this could be a minor or major administrative obligation.

It is important that attention is drawn to one slight, yet pertinent, change in definition. Currently the definition refers to data ‘regarding health’; within GDPR, it changes to ‘concerning health’.

Greying the lines of clarity somewhat, could an email message saying John Smith is asking for ‘paracetamol’ be concerning health? In its raw form, you could argue yes, but he could be asking for someone else.

Let us put our professional and reasonable hats back on for a moment and keep in mind the changes when reviewing your current practices against the GDPR requirements, as there may be an instance where this does require changing.

So, ask yourselves: Do you know how and why you process health data, not just within your HR department but within the wider management and employee population? How are return-to-work interviews conducted and recorded? How are sick notes processed? Are absences discussed in open environments? Who has access to medical records? Do your employees understand why their health data is collected and used? Have they provided explicit consent? Is this recorded?

Need to revisit current processes

It is important to revisit your current absence and health management processes and policies to ensure that the GDPR conditions of consent are met and to educate and provide adequate resources and training to individuals within your organisation or those who process this information on your behalf. This is a key requirement in protecting the individual and yourselves against a breach.

MHR specialises in helping organisations to embrace the operational and strategic challenges of modern business, covering talent management, HR, payroll and business analytics. MHR is helping to drive the performance of businesses employing over 6% of the UK workforce.

With over 30 years of experience, MHR provides entirely UK-based solutions and services, injecting best practice processes into the entire employment lifecycle, from recruitment to succession planning. This enables customers to transform their business by removing administrative burdens, by reducing operational costs and by retaining and developing business critical talent in line with corporate goals.