How to Obtain Employee Medical Records Legally


Employee medical records can be essential for employers. Access to these records can be essential when you need to consider dismissing someone for capability reasons. Additionally, if an employee has a disability, one might need access to these records in order to make reasonable adjustments.

Medical reports may be provided by occupational health or a doctor. They can contain very sensitive data protected by GDPR.

Although access can be essential, there are rules for how to access employee records, and there are legal consequences if they are not followed.

Pregnant Employee Receives £10,000

An NHS worker has recently been awarded £10,000 after a colleague accessed her confidential medical records. The colleague, although claiming not to have looked at the records, was found guilty in the tribunal. The tribunal ruled the treatment was discriminatory.

The colleague claimed she had accessed the files in order to find the claimant's address and send flowers. However, employment judge Adele Aspden stated “it makes no difference” if she intended to do something nice for the patient.

The NHS worker, Mrs Walker, later had a miscarriage. She would be off work for a period, returning in January 2020 with amended duties.

The tribunal stated that any patient, including NHS employees, has a right to expect that patient databases are respected by those with access to them. Additionally, it stated that patients are entitled to not have their records accessed unless completely necessary.

Mrs Walker would receive £10,000 in compensation. This would comprise an £8,800 award for injury to feelings and interest.

Lawful Grounds for Processing Personal Data

To obtain employee medical reports, one must process data in accordance with GDPR. There are 6 lawful grounds for obtaining and processing personal data.

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public interest task
  • Legitimate interests

Obtaining consent will require a positive opt-in. In short, this means employers cannot presume consent. Employers may depend on consent as a lawful ground to access data.

When doctors provide employee medical records, workers can release these to an employer, including explicit content. However, employees can control the information before it reaches the employer. Thus employees have a right to ask for changes and review documents before an employer receives them.

Article 9

Special categories of data receive extra protection under Article 9 of GDPR. These categories refer to data which employers can use to unlawfully discriminate against workers. In these circumstances, employers must give specific reasons for processing the data. One reason might be that an employer has a legal obligation to identify reasonable adjustments for a disabled employee. This is because it can prevent discrimination against disabled employees or unfair dismissals.

Pre-employment questionnaires that help determine whether to employ someone in these circumstances go against GDPR and the Equality Act 2010. However, an employer can use these questionnaires in order to outline potential issues and allow for a doctor to make reasonable adjustments. Therefore, this is a valid reason to process medical data under GDPR.

Requesting Information

In order to understand what data an employer can request, employers must uphold several principles. One of these is data minimisation. This means the information is:

  • Adequate – sufficient for the purpose.
  • Relevant – has a link to the purpose.
  • Limited to only what is necessary – you must not hold more data than is necessary.

In situations where an employee has a health condition, an employer may be required to know:

  • Whether it classifies as a disability.
  • If reasonable adjustments are necessary.
  • Whether it will impact a worker's ability to perform a specific role.

For more information and further HR support, contact us.