Employee health information under the GDPR

The following Employment practice note provides comprehensive and up-to-date legal information covering:

  • Employee health information under the GDPR
  • Why the employer processes health information
  • Complying with GDPR and DPA 2018
  • What is health information
  • Conditions for processing health information
  • Lawful conditions for processing personal data (Article 6)
  • Lawful processing condition—consent
  • Lawful processing condition—performance of contract and pre-contractual steps
  • Performance of contract
  • Pre-contractual steps

An employer will usually wish to process, ie collect, use and record, data concerning an individual’s health (health information) in a number of different circumstances.

Before processing health information relating to a current or prospective employee or worker, the employer will need to consider whether that processing is lawful under Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA 2018).

In addition to the matters examined in detail in this Practice Note, the employer should also consider the following:

  1. if the employer wishes to obtain a medical report from an individual’s GP or specialist, or another medical practitioner responsible for the individual's clinical care, the requirements of the Access to Medical Reports Act 1988 (AMRA 1988). For further information, see Practice Note: Medical reports under GDPR and AMRA 1988—Access to medical reports—AMRA 1988

  2. that the employer may only ask health-related questions before offering work to an applicant for certain purposes. For further information, see Practice Notes: Medical reports under GDPR and AMRA 1988—Obtaining a medical report before an offer of employment is made—EqA 2010 and Employment events which give rise to prohibited conduct claims—Pre-employment enquiries about disability and health

This Practice Note examines:

  1. what is health information

  2. the data protection issues that arise in relation to the processing of health information by employers under Regulation (EU) 2016/679, GDPR and DPA
