July



Verifile | Health & Social Care
July 23, 2018

When is it legal to access employees' medical records?

People Management reports that it’s essential to have a medical report for an employee if you’re considering dismissing for capability reasons or looking at whether an employee has a disability and therefore requires reasonable adjustments at work.

Medical reports can be obtained from a doctor or from Occupational Health, but they contain sensitive information, and the GDPR provides extra protections for sensitive data. Obtaining a report amounts to processing personal data under the GDPR, and according to the regulations there must be lawful grounds for processing the information.

What constitutes lawful grounds?

GDPR Article 6(1) identifies six lawful grounds for processing personal data:

  • consent;
  • contract;
  • legal obligation;
  • vital interests;
  • public interest task;
  • legitimate interests.

Consent may be the lawful ground to depend on when asking an employee to allow access to a medical report. Consent requires a positive opt-in, which means the employee cannot be sent a pre-ticked form presuming consent. You can’t force an employee to see a doctor, so regardless of the GDPR, obtaining consent is key. 

Generally, a doctor would provide a report to the patient and this is only released to an employer with explicit consent. Patients are in control of any information released to an employer, and they have the right to review and ask for changes before it is submitted to an employer.

Verifile | Health & Social Care
July 18, 2018

Recruitment agencies help catch NHS fraudster who nabbed £32k

A 53-year-old nurse has been found guilty of two counts of fraud by false representation whilst working at St. George's University Hospitals NHS Foundation Trust, Tooting (London).

Whilst signed off sick from her main role as a nurse on a neurosurgical ward at the hospital between August 2014 and May 2016, Coker took up roles with two nursing agencies, Pulse and Zentar. However, suspicions were aroused, sparking an investigation led by the Trust’s Counter Fraud Team. The NHS Local Counter Fraud Specialists (LCFS) team contacted the recruitment agencies, the Home Office and the police, and with the help of the matrons on the ward obtained Coker’s records.

After examining the records, it was confirmed that Coker worked through recruitment agencies whilst on sickness absence from her substantive nursing role. Following this, a disciplinary hearing took place in August 2016 and Coker was dismissed for gross misconduct, for working whilst off sick from her main role, which goes against the trust’s policies and procedures.

In December 2016, Coker refused to respond to allegations that she had worked for two nursing agencies whilst she was off sick from St George’s hospital. The case was then referred to the Crown Prosecution Service (CPS). On 13 July 2018, Coker’s guilty pleas to two counts were accepted, and she was sentenced to 16 months’ imprisonment.

Coker, who defrauded the NHS out of £32,745, has been sentenced to 16 months’ imprisonment. On passing the sentence, Judge Hunter commented: “The offences involved a long period of stealing from the NHS knowing the NHS was short of funds and knowing that when money was taken innocent people would suffer.”

Verifile
July 16, 2018

New law on legal protection of personal data adopted in Lithuania

The Lithuanian Parliament finally passed the new Law on Legal Protection of Personal Data on June 30. Lithuania was named among the EU outliers that failed to sort out their national laws prior to the May 25 deadline.

The adopted law came into effect on July 16. The State Data Protection Inspectorate and the Office of the Inspector for Journalist Ethics — both tasked with supervision and enforcement of the Law and the GDPR in Lithuania — are obliged to adopt implementing orders by July 15.

The law, which consists of 35 articles, is fairly concise, and mostly aimed at particularizing the powers of the supervisory authorities. Among other notable provisions are the following:

Territorial scope. The law applies to controllers and processors established in Lithuania, as well as to controllers following Lithuanian law by virtue of public international law. With respect to businesses offering goods or services to, or monitoring the behavior of, data subjects in the EU, the law applies only to those controllers and processors that have designated a representative in Lithuania. This seems to imply that if, for example, an Asian business targets data subjects in Lithuania, but has designated a representative in Germany, or is exempt from designating a representative (Article 27(2) of the GDPR) or hasn’t designated a representative in breach of Article 27 of the GDPR, it will not be under an obligation to comply with the law.
