Health Data in the Workplace

Opinion of 3 August 2007 on a notification for prior checking on the modification of the data processing operations concerning "gestion du temps" and "medical records" (Case 2007-373)

In his opinion, the EDPS expressed that the EIB would be in breach of certain provisions of the Regulation (lawfulness of the processing, data quality principle, processing of special categories of data) unless it ensures that staff members are requested to provide their freely given, unambiguous consent to the OHC physician's access to data regarding their uncertified medical leave. When requesting consent, it must be ensured that the staff member clearly understands that consent can be withheld or subsequently withdrawn at any time, without any justification, and with no adverse consequences. It must also be made clear that providing this information will only serve the purposes of prevention.

Opinion of 27 July 2007 on a notification for prior checking on the "Management of crèches and childcare facilities" (Case 2007-148)

This dossier deals with the management of "crèches and after-school childcare services in Brussels", undertaken by the Commission's Crèche and Childcare Service. The persons concerned are the children of the staff of the European institutions, those children's parents and persons authorised to collect and drop off children.

Processing is the subject of a prior check since, as part of assessing and selecting children to be admitted to crèches and childcare services based on the criteria set out in internal regulations, the collection of health and administrative data constitutes information on the state of health of the person concerned and their personality.

One recommendation by the EDPS is that if, in future, a waiting list is drawn up for the childcare services, the Commission should guarantee that the medical record is collected only after the child has been admitted to the outdoor or after-school childcare facilities. A further recommendation is that, instead of inquiring about civil status, the Commission should ask whether the family is a one or two-parent family (one or both parents has/have responsibility for the child) or should, at least, inform the parents that data collection on their marital status is not relevant/necessary for the purpose of data processing. It was stressed that the Commission should guarantee protection of the rights of the persons concerned in this kind of processing by means of a clause to be added to the service contract concluded with the company which runs the two private crèches. The EDPS has also recommended that the contract concluded with the childcare company explicitly include provisions on the roles of the controller and the sub-contractor respectively and include provisions on the requirements governing the confidentiality and security of the processing.

Opinion of 27 July 2007 on a notification for prior checking related to Administration of the Accidents and Occupational Disease Insurance (Case 2007-157)

The EDPS has issued an opinion on the management of the scheme which concludes that on a general basis the scheme complies with the principles established in the data protection regulation.  However the EDPS did make some recommendations mainly as concerns raising awareness among non-medical PMO.3 staff regarding medical secrecy, the need to make more visible the privacy statement in the appropriate web site so that EU staff members are properly informed of the processing of their personal data. The EDPS also suggested that the web site for the scheme should ask EU staff members to send medical reports in sealed envelopes marked with the terms 'confidential' and/or 'to be opened by addressee only' and that guidelines should be issued by PMO 3 in order to ensure that inadequate, irrelevant and non excessive information is not provided in medical reports.

Opinion of 27 July 2007 on a notification for prior checking regarding the dossier "Asbestosis: screening and follow-up - 'Asbestos' database (Medical service and psychological/social measures BXL)" (Case 2004-227)

• spécifie que les personnes en charge du traitement ne puissent pas utiliser ces données à d'autres fins. Le même principe est applicable aux autres éventuels destinataires mentionnés. En plus, le CEPD recommande que dans le cadre de transferts à d'autres institutions, seules les personnes habilitées à connaître des données relatives à la santé, soumises au secret professionnel, soient destinataires des dossiers médicaux.
• ne permette pas un refus général d'accès aux notes personnelles des médecins figurant dans le dossier médical.
• autorise la personne concernée à demander que son dossier médical figurant dans la base de données "Asbestos" soit complet, en ce sens qu'elle puisse demander que soient ajoutées à son dossier des informations telles que l'avis contradictoire d'un autre médecin ou une décision de la Commission sur un élément du dossier médical, pour garantir la présence d'informations mises à jour. Par conséquent, le CEPD considère que la réponse à la question 5 de la "Déclaration de confidentialité" devrait ajouter cette possibilité.

Opinion of 24 July 2007 on the notification for prior checking regarding social, financial and practical assistance (Case 2007-304)