When is it legal to access employees' medical records?
People Management reports that it’s essential to have a medical report for an employee if you’re considering dismissing for capability reasons or looking at whether an employee has a disability and therefore requires reasonable adjustments at work.
Medical reports can be obtained from a doctor, or from Occupational Health, but it’s sensitive information and GDPR provides extra protections for sensitive data. Obtaining a report amounts to processing personal data under the GDPR, and according to the regulations there must be lawful grounds for processing the information.
What constitutes lawful grounds?
GDPR Article 6(1) identifies six lawful grounds for processing personal data:
- consent;
- contract;
- legal obligation;
- vital interests;
- public interest task;
- legitimate interests.
Consent may be the lawful ground to depend on when asking an employee to allow access to a medical report. Consent requires a positive opt-in, which means the employee cannot be sent a pre-ticked form presuming consent. You can’t force an employee to see a doctor, so regardless of the GDPR, obtaining consent is key.
Generally, a doctor would provide a report to the patient and this is only released to an employer with explicit consent. Patients are in control of any information released to an employer, and they have the right to review and ask for changes before it is submitted to an employer.