Let’s say that the employee has suffered from work-related stress, was prescribed anti-depressants and had informed their employer about this (this will be data relating to special categories, or sensitive personal data in old money). They’re now trying to get the employer to remove that data.

Under article 17 of the GDPR, an individual doesn’t have an absolute right to ask for erasure of data. The article includes a number of grounds, at least one of which has to be met for the right to apply, and it has to apply to the personal data to which the request for erasure relates. Although the employee may have withdrawn their consent to the employer continuing to process their data, it may still be necessary for the employer to process the data. For example, the employer may have to comply with legal obligations around the health and safety of employees and to defend any potential claims brought by the employee in the future relating to their health, like personal injury claims or claims of disability discrimination. The processing of the data, and continuing to retain it, may well fall within exemptions in article 9 of the GDPR (processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the data controller in the field of employment…law so far as is authorised by the law in a Member State).

The Data Protection Act 2018 Schedule 1 then sets out the specifics in UK national law around processing special categories of data and the safe pathways through the legislation. It repeats that processing for employment purposes is OK so long as, when it does this, ‘the controller has an appropriate policy document in place’. This basically means the Privacy Notice and Retention Policies you should already have set out to the employee concerned, explaining their rights and telling them how long you are going to retain their data for.