What you should know about health data in the workplace
Health data refers to personal information (also called personal data) that relates to the health status of a person. This includes both medical data (doctor referrals and prescriptions, medical examination reports, laboratory tests, radiographs, etc.), but also administrative and financial information about health (the scheduling of medical appointments, invoices for healthcare services and medical certificates for sick leave management, etc.). Health data is considered sensitive data and is subject to particularly strict rules and can only be processed by health professionals who are bound by the obligation of medical secrecy. Furthermore, the organisation shall take the necessary security measures to ensure that the health data is protected and not subject to any unauthorised disclosure.
At EU-level, EU institutions and bodies collect and process health data of staff and sometimes members of their family for several purposes, such as pre-recruitment medical examination, annual medical visits, sick leave management, request to work part time to care for a seriously ill or disabled family member, etc.
What are the main data protection issues?
Data quality - It is important not to process more personal data than necessary. How? By only collecting relevant - and not more information than necessary - in the first place. In addition, health data (such as medical certificates and other medical data) should be handled only by the medical service of the organisation- not by the HR department. The latter should only receive the administrative data necessary to process the sick leave (for example the number of days of sick leave).
Right of information - Staff members must be informed about their rights and for what purposes their health-related information is processed. Such information must be specifically communicated to staff members when a new procedure is introduced and made permanently available for example via the intranet of the organisation. This ensures that staff members have access to the information at all times.
Right of access - Staff members have the right to access their medical files and other health-related information to be able to verify whether it is accurate and to rectify any inaccurate or incomplete information. They must also be informed on how they may exercise their rights.
Retention period - Organisations must make sure that information relating to health is not kept on their files for longer than necessary. Clear retention periods must be established. These can vary in accordance with the reason for processing the health data.
Data security - Given the sensitivity of health data, it should only be processed by health professionals who are bound by the obligation of medical secrecy and all HR staff dealing with administrative or financial procedures in this respect should sign a specific confidentiality declaration and they should be reminded of their confidentiality obligations regularly. Furthermore, organisations should carry out a risk assessment and develop, where necessary, specific security measures on access control and management of all the information processed in the context of health data.
The following non-exhaustive list is a selection of documents for further reading:
EDPS prior-check Opinion: