GDPR and Medical Information
12 June 2019

Consent – special personal data – medical information

Recently I have spent a lot of time dealing with employees’ health. Where an employee is ill employers are expected to do what they reasonably can to gain an understanding of the condition so that they can make reasonable adjustments if the employee is able to work and obtain a prognosis for return to work if the employee can’t work. Inevitably, that means getting some medical information.

It can be painful - even where employees cooperate in the data collection process. Where employees don’t cooperate (and my two sickies are not), it becomes even more frustrating.

We also have to take into consideration the GDPR and the Data Protection Act 2018. If you want to factor medical information about your employee into your management decision, it amounts to processing personal data for the purposes of GDPR, and information about an employee’s health is one of several “special” categories of data.

Most businesses will have terms in their contracts or sickness absence policies requiring employees to consent to a medical examination.

As a rule, consent will not be valid as a basis for collecting and processing data because the consent is not genuinely given but required as part of the contract. In the case of asking an employee to give permission to write to his or her medical advisor or to see the company’s own GP, consent will generally be acceptable.

A distinction must be drawn between an employee giving consent to a medical examination and the lawful basis for you to process personal data in medical reports.

You must have lawful grounds for processing such information. Under the DPA 1998 most employers relied on employees’ consent to both obtain the report and process the data.

While you can collect data using consent, it will be almost impossible for a business to rely on consent to process employees’ personal data, even if it is given specifically in relation to a medical issue.

It’s important that you identify another legal basis for processing the data. Valid legal reasons include being necessary for the performance of a contract, compliance with legal obligations, or for the employer’s legitimate interests.

In most cases for special categories of data, employers are likely to rely on processing being “necessary for the purposes of carrying out the obligations and exercising the specific rights of the controller or of the data subject in the field of employment law”.

There is sometimes overlap. For instance, it may be necessary to process a medical report to fulfil contractual obligations such as sick pay or to identify eligibility for permanent health insurance. You must also ensure that you don’t discriminate against a disabled employee, that you make reasonable adjustments and that you don’t dismiss unfairly.

Do give proper consideration to whether the collection of medical information is necessary before you start trying to collect special personal data.

The demands of GDPR are enough to give anyone a headache, but make sure that you have the protective framework in place. If you haven’t done so, review and update employment contracts, sickness policies and associated letters – to obtain consent for the examination/release of the report, but not for processing the data. Ensure you have an appropriate policy document explaining how you handle special categories of data.

For help resolving all your HR queries and problems get in touch!

Phone 0345 644 8955


Although every effort has been made to ensure the accuracy of the information contained in this blog, nothing herein should be construed as giving advice and no responsibility will be taken for inaccuracies or errors.

Copyright © 2021 all rights reserved. You may copy or distribute this blog as long as this copyright notice and full information about contacting the author are attached. The author is Kate Russell of Russell HR Consulting Ltd.