GDPR: Obtaining an Employee’s Medical Report

There are numerous reasons why an employer may wish to obtain a medical report about an employee, or indeed a prospective employee. A medical report may be required before employment commences if health or physical ability is a relevant factor for the job; during the employment, to determine whether reasonable adjustments would help a disabled person in their role; or during the course of litigation, where a claim of disability discrimination or personal injury is made against the employer.

When making such a request the employer should be mindful of the employee’s data protection rights and of whether the request may breach them. Any request for a medical report should therefore be focused and limited to what is directly relevant to the employee concerned. Superfluous requests for irrelevant information risk being discriminatory on the grounds of disability under the Equality Act 2010 and may also breach the employee’s data protection rights.

By obtaining, recording or holding an employee’s medical report an employer is in fact “processing” that employee’s personal data, and data concerning health is a special category of personal data. In order to process an employee’s medical report an employer must have a lawful ground for doing so. At present, an employer obtains the employee’s consent for the disclosure of their medical report. Consent alone will no longer be a safe basis from 25 May 2018, when the new rules come into force, i.e. the GDPR and the Data Protection Bill. From that date a different approach will have to be taken, as employers will not necessarily be able to rely on an employee’s consent.

The reason for this change stems from the imbalance of power in the employer and employee relationship: consent must be freely given, and an employee may consent reluctantly because they fear reprisal or, in the case of an offer of employment, the risk of not being employed. The GDPR and the Data Protection Bill impose more stringent rules on employers to ensure that this imbalance is not taken advantage of.

The GDPR and the Data Protection Bill should be read in conjunction with one another. Article 9 of the GDPR prohibits the processing of an employee’s data concerning their health unless an exception applies; one such exception is where the processing is necessary for the purposes of carrying out the obligations and exercising the specific rights of the employer or of the employee in the field of employment law or a collective agreement, and the GDPR leaves it to member state law to set the conditions for this. The Data Protection Bill supplies those conditions for the UK: it provides that processing data concerning a person’s health may be carried out if it is necessary for the purposes of performing or exercising obligations or rights which are imposed or conferred by law on the controller or the data subject in connection with employment. In practice the employer should therefore identify the specific employment law obligation or right that makes the medical report necessary, rather than relying on consent.

Employers should review their current data processing practices in relation to employees’ medical reports and determine whether they are in line with the new rules. Where employers have previously relied on consent obtained from employees, that consent may no longer be a valid basis from 25 May 2018 under the GDPR and the Data Protection Bill.

For further information on how to request employees’ medical reports; whether your current practices are compliant with the GDPR and the Data Protection Bill; or how to draft offers to candidates, letters to employees or medical practitioners and employee consent forms, please contact the Employment Team.

The law and practice referred to in this article or webinar has been paraphrased or summarised. It might not be up-to-date with changes in the law and we do not guarantee the accuracy of any information provided at the time of reading. It should not be construed or relied upon as legal advice in relation to a specific set of circumstances.
