Healthcare benefits providers have access to significant medical information to assess employees’ eligibility for cover or benefits and act as a data controller for the purposes of the Data Protection Act (DPA).
Box: If you read nothing else, read this..
- Employers do not automatically have the right to access or use information held by benefits providers about their employees.
- Where given, information must be used only for the purpose for which it was obtained.
- Particular care should be given to the transmission and destruction of data.
Employers are also data controllers under the DPA in relation to information they acquire about their employees, but they do not automatically have the right to access or use information about their employees held by benefits providers.
The DPA regulates the collection, use and destruction of most information that an employer holds about employees. When employers receive information from benefits providers, they must take care to comply with the DPA. Medical information is sensitive personal data under the DPA, which means it is tightly regulated.
Core principles to ensure data protection compliance
The bedrock of DPA compliance is a set of core principles:
- Processing must be fair and lawful. Employees must know how an employer will use their data and only use it where one of a number of specific conditions is satisfied. This restricts an employer’s use of medical information primarily to circumstances where the employee has given specific informed voluntary consent, medical emergencies, or where the use of the information is necessary for the employer to comply with its obligations under employment law, including health and safety compliance and avoiding unfair dismissal or unlawful disability discrimination. Wider use risks breaching the DPA.
- Information should be used only for the purposes for which it was obtained. Care should be taken before using information that was gathered for benefits provision for wider management purposes.
- Information should be adequate, relevant and not excessive. Employers should ensure they do not have more information than they need, while ensuring they have enough data for informed decisions.
- Information must be accurate and up to date. Care should be taken where information received contradicts other information held, or if the employee disagrees with it. Employers have a responsibility to try to verify the accuracy if this is in doubt. Employers need up-to-date information (such as an updated GP or occupational health report) before making important decisions, rather than relying on old information from providers.
- Where information is no longer required or relevant, it should be securely destroyed. To ensure consistency, employers should have a standard policy for retention and should carry out regular reviews to remove information that is no longer required. Information retained as an exception should be noted, along with the reason.
- Employees’ individual rights in relation to personal data must be complied with. This includes an employee’s right to a copy of their data, to ask that inaccurate information be corrected, or to stop the use of information where processing causes distress that is not justified.
- There must be adequate security. Access to medical information should be restricted to those who need to know and care taken to avoid unauthorised access or use.
- Particular care should be taken when data is transmitted to avoid accidental disclosure or loss. Destruction should be secure. Additional restrictions apply to the transfer of information outside the European Economic Area (EEA), for example transfers of medical information to the US or Asia.
Employers that do not comply with the DPA may be exposed to: complaints to the Information Commissioner’s Office (ICO) from employees, resulting in an investigation by the ICO into the specific incident, or, potentially, a wider-ranging investigation into the employer’s data protection compliance; a fine if there is a serious breach of the Data Protection Principles; and a claim by employees in the courts if they can demonstrate they have suffered distress, and even a nominal actual loss, as a result of the breach.
In serious situations, employers could also face a constructive dismissal claim by an employee and, in exceptional circumstance, a criminal offence, for example if an employer obtains information by deception.
An employer risks breaching the DPA if, without consent, it uses information given by an employee to a provider to assess eligibility for cover, to make management decisions about the employee’s future. Employers would do better to seek separate, tailored, up-to-date information.
Helen Hall is legal director at DLA Piper