Handling Employee Medical Data

What do employers need to know?

The rules around handling data have given businesses a new set of challenges ever since GDPR came into effect. However, with the pandemic changing the working landscape in so many ways, the handling and storage of medical data such as GP notes and reports are now at the forefront of discussion. 

Previously, sick notes and medical reports were probably regarded by most as ordinary personal data to be held in a personnel file, whether hard copy or digital. However, many businesses and HR professionals are now realising that the rules around medical data are far more complex than previously thought, so much so that this will be a prevailing consideration when planning any internal infrastructure.

New ways of handling and storing data bring new challenges

System and data handling architecture within the business itself needs to be considered, particularly around access to such sensitive personal information and how that access is controlled and monitored. With many businesses moving away from hard copy files and locked filing cabinets, many are now moving to digital systems where, at the click of a button, an entire employee’s history including medical information can be accessed. It is therefore essential to limit access, if possible to only one or two people, to avoid the significant ramifications of any mishandling of medical data.

Employers are encouraged to carry out annual reviews and assessments of internal security protocols to ensure that they are implementing and enforcing strict security in the handling and storage of medical data.

Why are many businesses facing allegations of mishandling medical data?

This has become an emerging trend, particularly in light of the pandemic. For example, the chain of events triggered by a positive COVID-19 test can expose any weakness in data handling and storage policies if this area of data handling is not fully understood.

For example, if an employee tests positive for Covid-19, this inevitably triggers a sequence of events, discussions, meeting notes etc. that will contain sensitive medical data. This could include something as ordinary as discussing a rota change or alerting any potentially exposed personnel. Without proper protocols in place, a private matter can become a public exposé and could see you answering allegations of a data breach.

Practical steps for employers

Employers should ensure that any internal system meets the regulations and requirements set out by the Information Commissioner’s Office. There are several IT solutions for personnel data handling, and these platforms offer features that allow you to control all permissions and data held with a bird’s-eye view. These platforms are easily accessible and affordable and should be on any employer’s list of considerations.

There should also be a clear purge plan to ensure that any data that is not required is deleted and not held unnecessarily. This will not only mitigate the impact of any data leak but also provide a clear plan of action and instil discipline into managing large data sets.

The ICO has advised that employers should ensure that they “keep sickness records containing details of a worker’s illness or medical condition separate from other less sensitive information.” 

This means medical information and sickness absence records should be treated differently with medical information requiring more stringent protection. 

The recorded dates of absence would be considered as personal data whereas the reasons for the absence would fall into the category of sensitive data. 

The ICO suggests that “this can be done by keeping the sickness record in a sealed envelope or in a specially protected computer file. Only allow managers access to health information where they genuinely need it to carry out their job”.

Employers have an obligation to know how such sensitive data is received, stored, backed up and accessed, and this is no mean feat, particularly when, for example, a sick note is sent to an employer via email, in which case the email or email chain containing such Medical Data should be stored separately.

Employers, as Data Controllers, must therefore take full responsibility and ensure that any processing of personal data for which they are responsible complies with Data Protection rules. A failure to do so risks enforcement action, including prosecution and compensation claims from individuals. Even greater care must be taken where the data contains Medical Data.

If you would like any help in developing a robust procedure for your employee medical data or for an audit of your current process please do not hesitate to contact the Real Employment Law Advice Team on 01983 897003.


The information contained in this blog post is provided for guidance and is a snapshot of the law at the time it is written. It is provided for your information only and should not be used as a substitute for obtaining legal advice that is specific to your particular circumstances.

The guidance should not be relied upon in any decision making process. It is strongly recommended that you seek advice before taking action.
