4_Thought: Occupational Health Providers and Sensitive Data

For some organisations — particularly those with outgoing B2C marketing comms — the advent of the General Data Protection Regulation (GDPR) felt like a short jolt of compliance checks, opt-in emails and database tidying. For many, however, it's an ongoing process of adapting, self-assessment, accountability and professional diligence.

Data relating to personal health is a highly protected area under the GDPR — understandably so — but it's also vital to the success of effective occupational health support, so it must remain accessible to the appropriately qualified parties.

An Occupational Health team, by the very nature of what they do, will hold considerable personal and sensitive data — for example, details of health issues, specialist reports and any special needs or disabilities.

Generally, companies providing Occupational Health are Controllers of the data they receive and create through the patient-clinician relationship. As with all who process personal and sensitive data, a lawful basis to process this information is required.


The lawful bases for processing are set out in Article 6 of the GDPR. At least one of these must apply when processing personal and sensitive data:

(a) Consent: the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) Contract: processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) Legal Obligation: processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) Vital Interests: processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) Public Interest/Authority: processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) Legitimate Interests: processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. (This cannot apply if you are a public authority processing data to perform your official tasks.)

The Faculty of Occupational Medicine (FOM) advises the use of Article 6(1)(f) for providers in the private sector: processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party.

This is paired with Article 9(2)(h): processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems or services.

As we know, the Legitimate Interest (LI) basis is the most flexible of the lawful bases provided for under the GDPR. As such, careful consideration is required before relying on LI as the basis for processing.

A Legitimate Interest Assessment (LIA), consisting of Purpose, Necessity and Balancing tests, should be completed. This helps demonstrate that LI is the correct lawful basis and that the processing is appropriately balanced against the potential impact on the data subjects' rights and freedoms.

It’s important for those in the provision of Occupational Health to recognise that choosing a lawful basis to process personal and sensitive data is not just a tick box exercise, but one that requires thought and understanding of data privacy.

It’s likely that most medium-to-large Occupational Health providers will have a data protection professional (ideally, an appropriately experienced DPO) to assist with all data privacy matters.

Smaller, clinically led Occupational Health companies may need to seek advice and, if they have not already done so, appoint a DPO to ensure they have all relevant data privacy requirements in place.

The need to process this data correctly is vital both to the legal integrity of a provider and to the wellbeing and personal privacy of patients — and advice sought is always better than problems ignored. 4_ttude and our affiliates have deep experience working on data privacy issues in a range of scenarios; please get in touch to speak to us about how we can help.
