Health data in the workplace

What you should know about health data in the workplace

Health data refers to personal information (also called personal data) that relates to the health status of a person. This includes both medical data (doctor referrals and prescriptions, medical examination reports, laboratory tests, radiographs, etc.), but also administrative and financial information about health (the scheduling of medical appointments, invoices for healthcare services and medical certificates for sick leave management, etc.). Health data is considered sensitive data and is subject to particularly strict rules and can only be processed by health professionals who are bound by the obligation of medical secrecy. Furthermore, the organisation shall take the necessary security measures to ensure that the health data is protected and not subject to any unauthorised disclosure.

At EU-level, EU institutions and bodies collect and process health data of staff and sometimes members of their family for several purposes, such as pre-recruitment medical examination, annual medical visits, sick leave management, request to work part time to care for a seriously ill or disabled family member, etc.

What are the main data protection issues?

Data quality - It is important not to process more personal data than necessary. How? By only collecting relevant - and not more information than necessary - in the first place. In addition, health data (such as medical certificates and other medical data) should be handled only by the medical service of the organisation- not by the HR department. The latter should only receive the administrative data necessary to process the sick leave (for example the number of days of sick leave).

Right of information - Staff members must be informed about their rights and for what purposes their health-related information is processed. Such information must be specifically communicated to staff members when a new procedure is introduced and made permanently available for example via the intranet of the organisation. This ensures that staff members have access to the information at all times.

Right of access - Staff members have the right to access their medical files and other health-related information to be able to verify whether it is accurate and to rectify any inaccurate or incomplete information. They must also be informed on how they may exercise their rights.

Retention period - Organisations must make sure that information relating to health is not kept on their files for longer than necessary. Clear retention periods must be established. These can vary in accordance with the reason for processing the health data.

Data security - Given the sensitivity of health data, it should only be processed by health professionals who are bound by the obligation of medical secrecy and all HR staff dealing with administrative or financial procedures in this respect should sign a specific confidentiality declaration and they should be reminded of their confidentiality obligations regularly. Furthermore, organisations should carry out a risk assessment and develop, where necessary, specific security measures on access control and management of all the information processed in the context of health data.

More information

The following non-exhaustive list is a selection of documents for further reading:

EDPS Guidelines:

EDPS Guidelines on the processing of health data in the workplace by EU institutions and bodies

EDPS Guidelines on the Rights of Individuals with regard to the Processing of Personal Data

EDPS prior-check Opinion:

Joint Prior Check Opinion on the processing of health data in the workplace (case 2010-0071).

EDPS Opinion on the processing of health data in the context of disability establishment and reasonable accommodation at the European Parliament (case 2015-0366)

EDPS Opinion on the EU Platform for rare diseases registration at the Joint Research Centre Ispra (case 2015-0982)

EDPS Opinion on the processing of health data at the European Securities and Markets Authority (ESMA) (case 2013-0927)

EDPS Opinions on the recruitment procedure for contract staff and trainees with a disability at the European Parliament (cases 2013-0607 and 2013-0608)

Related topics:

Leave management

Selection and recruitment of staff

Security measures for personal data processing