Reports from an employee’s doctor can be sought when there is a need to establish an underlying condition or prognosis for an employee on long term sickness absence. However, an employee must give their consent to such a report and will have a right to review the report before it is provided to their employer.
Once collected, employers should ensure that the information is held securely and is kept for no longer than is necessary. Care should be taken so that an employee’s medical information is only disclosed to those people who need to know it for the reasons why it has been collected, and it is not disseminated more widely.
Where possible, records containing sensitive details of an employee’s medical condition should be kept separate from other information which is not sensitive personal data. Such information could be kept in password protected electronic files, or in a sealed envelope which is marked as “private and confidential” in a hard copy personnel file, to avoid such information being inadvertently disclosed or read.
An employee has a right under the DPA to demand a copy of any of their personal data held by their employers and confirmation of any recipients to whom the data has been disclosed. Clearly this can be helpful in establishing whether sensitive personal data concerning a medical condition has been inappropriately disclosed. If an employee feels such information has been misused or kept insecurely, they can seek redress from the Information Commissioner’s Office which can impose substantial fines on employers for serious breaches of the DPA.
An aggrieved employee can also claim compensation for damage or distress caused by the employer’s breach of the DPA. Damages awards in recent privacy cases have been significant. Where the employer’s actions undermine trust and confidence the employee can also resign and claim that they have been constructively dismissed.
The obligations attached to personal information are increasingly demanding for employers, and employees are becoming more informed and adept at exercising their rights. With the introduction of the General Data Protection Regulations next year, extending privacy rights and increasing the consequences of any breach, it is an issue that no employer can ignore.
Chris Weaveris associate in the employment law department at Payne Hicks Beach,?Orla Bingham is a solicitor in the employment law department at Payne Hicks Beach, and?Dominic Crossleyis a partner in the privacy and media department at Payne Hicks Beach.