Processing of health data in the workplace
Opinion of 11 February 2011 on notifications for prior checking concerning the "processing of health data in the workplace" (Case 2010-0071)
Following the EDPS Guidelines on the processing of health data at workplace, the EDPS carried out a particularly challenging exercise in examining 18 notifications by 18 agencies, with their cover letters and other documents regarding each agency's processing operations on pre-recruitment examinations, annual check-ups and sick leave absences.
The EDPS analysed each agency's practice in relation to the data protection principles evoked in Regulation 45/2001 ("the Regulation") and evaluated whether each agency followed the EDPS Guidelines or not. In view of the similarities of the procedures, and of some similarities as presented by some agencies in terms of data protection practices, the EDPS decided to examine all notifications in the same context and issue one joint opinion. The EDPS in his joint opinion underlines an agency's practice which does not seem to be in conformity with the principles of the Regulation as well as with the EDPS Guidelines and provides the agency(ies) concerned with a relevant recommendation. Some good practices are also pointed out in the joint opinion.
The processing operations involve different categories of data subjects, namely members of permanent staff, temporary agents, contractual agents, national experts, trainees, candidates for any of these positions and visitors to the EU agencies. These processing operations are subject to prior-checking according to Article 27(2)(a) of the Regulation, since they concern the processing of medical data as well as administrative and financial data related to or in connection with health.
The joint opinion on health data highlighted three crucial issues.
First of all, the wide concept of "health data" and the impact of data protection principles of the Regulation on processing operations related to pre-recruitment examinations, annual check-ups and sick leave absences.
Second, several agencies omitted some important elements from their contracts with the external medical providers, notably security measures and data protection clauses in light of Article 23 of the Regulation.
Third, most agencies have not grasped the fundamental importance of a complete privacy statement. For the processing to be lawful, the controller should inform the data subject about all elements in Articles 11 and 12 of the Regulation related to the processing operations. This is especially true in those cases where the processing is based on the data subject’s consent.
Consequently, in light of the EDPS' recent policy paper on monitoring and ensuring compliance with Regulation 45/2001, the controller of each agency concerned is now invited to adopt specific and concrete measures in order to implement the EDPS recommendations regarding the processing of data related to health. This implies that in the context of the follow-up, each agency must provide the EDPS with documents which demonstrate that the EDPS recommendations have actually been implemented.