Whoever was hoping that I would stop talking about GDPR on 25th May; you’re out of luck!
Hopefully you’ve realised there are problems with consent in the employment relationship, in general. A lot of contracts that I see say that the employee will consent to disclosure of a medical report to their employer. With the GDPR and the changes around consent this is no longer valid, and the clause needs to change to require the individual to attend an examination, but you need an explicit consent form from the individual at the relevant time to enable you to see the report.
If you write to the employee explaining why you want to obtain a medical report, you will need to set out the basis for processing the data so for example, the right to manage the employment contract, to comply with legal obligations to administer sick pay or to make reasonable adjustments. The employee will then need to complete a consent form to go and if they refuse the employer is potentially going to be stuck having to make decisions in a vacuum without the benefit of medical advice.
It is still possible to include in the contract that attending a medical appointment is a reasonable request on the part of the employer so that failure by the employee to cooperate with that could be a breach of contract and give rise to disciplinary action, but care would have to be taken exercising a punishment where someone has the right not to consent to the processing of their data.
Under data protection law, health data is a special category of personal data. That’s permitted to be processed:
- a) For the purposes of preventative or occupational medicine;
- b) For the assessment of the working capacity of the employee;
- c) For the purposes of medical diagnosis; and
- d) For the provision of health or social care or treatment or the management of health or social care systems and services.
Processing has to be carried out by a health professional and in conditions of confidentiality. This enables occupational health to process the information.
Section 10 of the new UK Data Protection Act 2018 provides that processing is lawful where it is necessary for the performance of rights and obligations in connection with employment. This would cover ensuring you’re providing a safe working environment and looking after somebody’s health and safety, and making sure you weren’t discriminating against them on the grounds of disability obtaining sickness records as regards payment of sick pay and accident records etc. This will enable you to process the report when you receive it.