# Sharing Sickness Report.



## Shaunac (16 Feb 2020)

My employer requested me to attend a private medical assessment which I did. The report was sent to my line manager naming all my conditions without my consent. He then sent it to a Consultancy company for some clarifications. Is this the usual practice?

Thanks


----------



## Thirsty (16 Feb 2020)

Not an expert in this field; but I don't believe your medical information should have been shared with your line manager; having said that, the recommendations would have been. 

What do you mean by consultancy company? And who forwarded the report to them?


----------



## DeeKie (17 Feb 2020)

Shaunac said:


> My employer requested me to attend a private medical assessment which I did. The report was sent to my line manager naming all my conditions without my consent. He then sent it to a Consultancy company for some clarifications. Is this the usual practice?
> 
> Thanks


No. Sounds like a GDPR breach


----------



## cmalone (17 Feb 2020)

The line manager / management would need to know implications of your condition as to how it would affect your ability to work ... unsure what issue is ... did you just want line manager to know only that you were ‘sick’?


----------



## DeeKie (17 Feb 2020)

cmalone said:


> The line manager / management would need to know implications of your condition as to how it would affect your ability to work ... unsure what issue is ... did you just want line manager to know only that you were ‘sick’?


That’s not correct. The manager is entitled to know that the person is not available for work and for how long. Whether it’s because of a sore foot or depression is not his concern.


----------



## cmalone (17 Feb 2020)

Well if it affects their ability to do the job - it’s the manager’s right. The employer can refuse to allow the person back to the job if they are unable to undertake duties. Example - lifting and the worker has a back injury. Similarly if they have a mental health issue that might need attention


----------



## DeeKie (17 Feb 2020)

The doctor is informed of the job when evaluating fitness to work. This is standard GDPR compliance territory, data minimisation. Plus the op has a concern about further data sharing which you haven’t addressed.


----------



## odyssey06 (17 Feb 2020)

cmalone said:


> Well if it affects their ability to do the job - it’s the manager’s right. The employer can refuse to allow the person back to the job if they are unable to undertake duties. Example - lifting and the worker has a back injury. Similarly if they have a mental health issue that might need attention



How is the manager qualified to make that decision from a list of medical conditions? That's what the medical / occupational health specialist is for. The medical report should have clarified what duties could and could not be performed.


----------



## cmalone (17 Feb 2020)

The supervisor / manager does not make a medical determination. The supervisor will need to know what the medical condition is and how it might affect work duties or if any accommodation or assistance should be provided to the worker... in some cases a member of staff can be facilitated to return to work for ‘light duties’ etc


----------



## Leo (17 Feb 2020)

What does your contract say about the process? Did you see a copy of the report that was provided to the line manager?

Where a company refers an employee for such an assessment, it is generally to ensure the employee is fit to work and determine any accommodations required to work practices to ensure that the employee's health or well-being are not negatively impacted. Of course they also do it to cover themselves and satisfy the requirements of their insurance. 

It would be normal for the line manager to see a summary of the assessment. The report they see may include some pertinent medical details, but will mainly focus on the employee's fitness to work in the role, and detail any changes or supports that might be required in order to protect their health. Even pre-GDPR, these reports didn't go into detailed medical histories.


----------



## Purple (17 Feb 2020)

The doctor should not have shared a report giving your medical details. That was completely unethical and they should be reported to their professional body.
Your line manager should not have read the report and certainly should not have shared it. That was also wrong and a breach of GDPR.

The doctor should have given you the report and sent a letter/email to your employer stating whether you were fit or unfit to work and if you were unfit to work they should have said for how long etc. Under no circumstances should they have shared your medical details.


----------



## Sunny (17 Feb 2020)

Did you outline your medical history to the doctor doing the medical assessment? If you did and he shared this with your line manager, then I would suggest that you have a very strong case to complain. Even without GDPR. The fact that the manager then shared your data would set off red flags for me. Your company should have a policy as to how it deals with health information such as what can be requested, how it will be used and how it will be secured. There is a reason why companies use Occupational Health professionals. Also worth remembering that under GDPR, just because you consented to the medical examination, the employer can not use that consent to use that health information as they see fit. Relying on general consent clauses in employment contracts won't work because GDPR recognises the imbalance of power between employer and employee. So companies need to be very very careful about how they use this data.

First step, I would suggest asking to see your company's data protection policy in relation to health records.


----------



## Up Rovers (17 Feb 2020)

Shaunac said:


> My employer requested me to attend a private medical assessment which I did. The report was sent to my line manager naming all my conditions without my consent. He then sent it to a Consultancy company for some clarifications. Is this the usual practice?
> 
> Thanks



Totally out of order on the part of your company and line manager.  The company must have been aware of what was happening when they engaged the services of another company to assess the report.

An Occupational Health Physician would need your written consent to forward your details to another medical specialist never mind anyone else.

You are entitled to a copy of any report issued about you to anyone.  Request copies of same and based on that decide how you wish to proceed as you have a very strong case.


----------



## Shaunac (17 Feb 2020)

Thank you all for your replies and I will follow up the advice given. The Occupational Health Company that carried out my assessment clearly states that they will send the report to 'my employer' and that I should request a copy of the report from them or in writing from the Occupational Health Company. I did sign a form to agree to the examination but I was assured that it was confidential and I am writing to them today for clarification. It will take me some time to get working on it but again thank you for your help.


----------



## Sunny (17 Feb 2020)

Ask for a copy of the report and see what is included. Occupational Health Specialists are usually very careful with the reports and the data they share so I would be surprised if they included medical details that weren't relevant or went into detail about medical conditions. If they did, you have a complaint against them as well as the employer.

Just because you signed consent for the examination does not mean you consented to that data being used or shared incorrectly. Even if you consented for them to share it, it wouldn't matter unless the company could prove it was for a lawful and acceptable reason and only necessary information was shared. If the occupational health company or your employer shared the data or used the data in an inappropriate manner, they are in breach of GDPR. So you need to find out what information was shared and with whom.

Going by your posts here, the company is exposed.


----------



## noproblem (17 Feb 2020)

Might the job you do have a bearing on what information needs to be known by managers, supervisors, other workers, etc?  To suggest the Co was out of order based on the little information given seems a little simplistic.


----------



## Purple (17 Feb 2020)

noproblem said:


> Might the job you do have a bearing on what information needs to be known by managers, supervisors, other workers, etc?  To suggest the Co was out of order based on the little information given seems a little simplistic.


Details of medical conditions can only be shared with the specific consent of the employee and only if specifically relevant to the job they carry out. The report sent to employer should contain an assessment of their ability to carry out their duties. It should not contain specifics of any medical condition.
The OP stated that;


Shaunac said:


> The report was sent to my line manager naming all my conditions without my consent.


That's a clear breach of confidentiality and sharing the report within the employer's organisation is a clear breach of data protection.


----------



## Sunny (17 Feb 2020)

noproblem said:


> Might the job you do have a bearing on what information needs to be known by managers, supervisors, other workers, etc?  To suggest the Co was out of order based on the little information given seems a little simplistic.



It doesn't matter. Managers are not entitled to detailed medical history. Nobody is. Certainly not other workers. That is why companies use occupational health specialists. They are there to decide what is relevant to be shared with employers. Any medical report should only contain enough details so the employer can fulfil its legal obligations i.e. if there is a disability, if it will impact the ability to perform a role and if certain steps need to be taken to protect the employee. Revealing that the employee suffers back pain so needs an adjustable chair is fine. Revealing that an employee spent three months on anti-depressants after giving birth isn't. If the occupational therapist listed the OP's conditions that were not relevant to the job, there is a problem on that end but I would be surprised if that was actually the case. Even allowing for that, the fact the manager then shared the information is a complete breach of GDPR. Even if the OP gave consent, it would be unlikely to be sufficient due to employer/employee relationship.


----------



## Purple (17 Feb 2020)

Sunny said:


> Even if the OP gave consent, it would be unlikely to be sufficient due to employer/employee relationship.


This is an important point; since the employer/employee relationship is not a coequal one it is not possible for an employee to give consent to their employer to divulge their personal data to a 3rd party. There must be another reason which makes such a divulgence necessary.


----------



## cmalone (17 Feb 2020)

Have you any conditions that affect your ability to do the actual job you are employed for - unsure regarding the context. Have you been off work ? Why would employer want you to attend the assessment ?


----------



## cmalone (17 Feb 2020)

https://www.hse.ie/eng/staff/jobs/eligibility-criteria/clerical-officer-grade-iii-jan-2017.pdf

Using this as an example the HSE expect you to be in a good state of health to undertake the role - if this changes they will obviously carry out a review -


----------



## RedOnion (18 Feb 2020)

cmalone said:


> if this changes they will obviously carry out a review


You seem to be interpreting the question differently to everyone else.

There was never a question about a right to carry out a review, or receiving a report about their fitness to work / not to work. That happens all the time.

The question is about the sharing of specific medical information, which is only allowed in very specific circumstances.


----------



## hunter1 (18 Feb 2020)

Shaunac said:


> Thank you all for your replies and I will follow up the advice given. The Occupational Health Company that carried out my assessment clearly states that they will send the report to 'my employer' and that I should request a copy of the report from them or in writing from the Occupational Health Company. I did sign a form to agree to the examination but I was assured that it was confidential and I am writing to them today for clarification. It will take me some time to get working on it but again thank you for your help.



You should ask for a copy of the consent form you signed also.


----------



## Peanuts20 (19 Feb 2020)

An employer does have a right to know the nature of an employee's illness in certain circumstances and this has been confirmed by the Data Protection Commissioner. This is restricted to grounds of Health and Safety (so for example, if an employee was diagnosed with Coronavirus an employer may have the right to know) or if the nature of the employee's job meant the illness would put them or others at risk of injury.


----------



## Purple (19 Feb 2020)

Peanuts20 said:


> An employer does have a right to know the nature of an employee's illness in certain circumstances and this has been confirmed by the Data Protection Commissioner. This is restricted to grounds of Health and Safety (so for example, if an employee was diagnosed with Coronavirus an employer may have the right to know) or if the nature of the employee's job meant the illness would put them or others at risk of injury.


The employer has the right to know what measures they should take to ensure the health and safety of their other employees and customers but they do not have the right to know the details of an illness. For example if the employee has a contagious illness then the employer has the right to know that it is contagious but they have no right to know what the specific illness is.


----------



## Leo (19 Feb 2020)

Decent write-up on finding the right balance here.  More information from the OP would be required to make a call here, but of course they may not want to share that level of detail in case they are identified.


----------



## Peanuts20 (19 Feb 2020)

Purple said:


> The employer has the right to know what measures they should take to ensure the health and safety of their other employees and customers but they do not have the right to know the details of an illness. For example if the employee has a contagious illness then the employer has the right to know that it is contagious but they have no right to know what the specific illness is.



That's not correct. 

The exact quote from the 2013 DPC annual report states
_in certain very specific circumstances a doctor may be legally obliged to report certain illnesses to an employer for health and safety reasons and we recognise the need for this practice, particularly in the case of contagious diseases_


----------



## Purple (19 Feb 2020)

Peanuts20 said:


> That's not correct.
> 
> The exact quote from the 2013 DPC annual report states
> _in certain very specific circumstances a doctor may be legally obliged to report certain illnesses to an employer for health and safety reasons and we recognise the need for this practice, particularly in the case of contagious diseases_


Sure, if they have smallpox or something like that but other than "_certain **very specific** circumstances_" where they "_**may** be legally obliged_" they just give a sick note stating that the person cannot attend work due to a contagious illness. They inform the employer in cases where there is a risk that other employees may be carrying a virus so that they can be tested. In practical terms, and in the context of this thread, that doesn't apply.


----------



## Leo (19 Feb 2020)

Purple said:


> Sure, if they have smallpox or something like that



That's my understanding too. It's all about proportionality and the duty of care of both the medical professionals performing the assessment and the employer. The flu virus is contagious, but there is no suggestion that an employer has a duty of care to warn other staff about the presence of that in the workplace, but in a workplace that may have staff who are pregnant, then the employer has to inform staff of the presence of potentially dangerous infections such as measles, mumps, etc.


----------



## josh8267 (19 Feb 2020)

Leo said:


> Decent write-up on finding the right balance here.  More information from the OP would be required to make a call here, but of course they may not want to share that level of detail in case they are identified.


I agree more information is required before making a call, just remember line managers, supervisors/employees can be personally held responsible for not taking actions when it comes to Health and safety; from time to time they have to make sure they hold the correct end of the stick if they see something coming down the track they could be held responsible for if not correctly informed and take action so they are protected.


----------



## Sunny (19 Feb 2020)

josh8267 said:


> I agree more information is required before making a call, just remember line managers, supervisors/employees can be personally held responsible for not taking actions when it comes to Health and safety; from time to time they have to make sure they hold the correct end of the stick if they see something coming down the track they could be held responsible for if not correctly informed and take action so they are protected.



It is not the manager's call what information they need. That is why companies use doctors and occupational therapists. And if a manager or employer does get medical information for some reason, they should be VERY VERY careful what they do with it. Sharing it with a 'consultant company' for clarifications seems to me to be a pretty clear GDPR breach. If they wanted clarifications, they should have gone back to the assessor that did the assessment.


----------



## Leo (19 Feb 2020)

Sunny said:


> Sharing it with a 'consultant company' for clarifications seems to me to be a pretty clear GDPR breach.



Again, we don't know what information was shared with the consultants or what their relationship was. Some companies have retainers for HR / legal advice for situations like this where they don't have the expertise in-house. Asking another company what the appropriate response to an employee's medical situation is does not constitute a GDPR breach if it was appropriately redacted.


----------



## Sunny (19 Feb 2020)

Leo said:


> Again, we don't know what information was shared with the consultants or what their relationship was. Some companies have retainers for HR / legal advice for situations like this where they don't have the expertise in-house. Asking another company what the appropriate response to an employee's medical situation is does not constitute a GDPR breach if it was appropriately redacted.



I agree we don't have enough information but if medical records are being shared between manager/HR/Legal (in-house or on retainer), there has to be a policy as they are processing the employee's personal data. It doesn't matter if it is redacted or not. The employer still has to show they had a legitimate reason for processing the medical information and that the employee clearly gave specific and clear consent for it to be processed. And in this case, it doesn't appear to have happened. Consenting to do the examination and having the results shared with your employer would not be sufficient. The employer must have provided a Data Protection Notice. Would be interesting to know what it says.


----------



## cmalone (19 Feb 2020)

No issue about privacy of data - that’s the law. However - if the condition affects work ability then the manager / HR has a right to know that a condition exists. I am aware of many staff who have ‘hidden’ conditions and this led to issues with their ability to work effectively - including significant mental health issues that could have easily been supported by the employer - manager if they were aware of same for the mutual benefit of all. I am also aware of people with HIV / hep infections that do not affect their ability to work - so manager / employer has no right to know, except to facilitate regular medical check ups, etc.


----------



## DeeKie (20 Feb 2020)

For some reason cmalone you keep trying to justify your first answer but you called it incorrectly. 

Also we know the employer is relying on consent so that’s a breach. 

There is no indication here that OP falls into the extremely low number of marginal cases where the details the employer would be entitled to that might indicate an illness or condition.


----------



## DeeKie (20 Feb 2020)

Not only may the employee have an issue with regards to his employer, but there may also be an inappropriate disclosure by the examining doctor if the employee did not know he or she was going to disclose it to the employer. The examining doctor acts as a controller also.


----------



## Sunny (20 Feb 2020)

cmalone said:


> No issue about privacy of data - that’s the law. However - if the condition affects work ability then the manager / HR has a right to know that a condition exists. I am aware of many staff who have ‘hidden’ conditions and this led to issues with their ability to work effectively - including significant mental health issues that could have easily been supported by the employer - manager if they were aware of same for the mutual benefit of all. I am also aware of people with HIV / hep infections that do not affect their ability to work - so manager / employer has no right to know, except to facilitate regular medical check ups, etc.



They only have a 'right' to know under extremely limited circumstances. I presume at this stage we have all worked with people who have suffered from some sort of mental illness. Most people will volunteer this information to management and colleagues as it is very difficult to avoid it. However, the manager/employer does not have a right to know about it. If the employee is continuously out sick or is unable to perform the job as expected, then the employer can take steps but to suggest that someone has a 'right' to be told would imply that the employee could be in trouble for not disclosing it. This is not the case. Obviously there could be issues if something isn't disclosed during a pre-employment screening if asked directly.

Vast vast amount of employer/employee relationships are built on trust. I certainly never worked in a place where I wouldn't have been comfortable sharing medical details if I needed support but the rules around medical information are there for a reason and I fully understand why people do not want general detailed medical information about themselves shared outside the medical profession who are governed by doctor/patient confidentiality.


----------



## Leo (20 Feb 2020)

Sunny said:


> there has to be a policy as they are processing the employee's personal data. It doesn't matter if it is redacted or not. The employer still has to show they had a legitimate reason for processing the medical information and that the employee clearly gave specific and clear consent for it to be processed.



If the employee's identity has been redacted from the information shared, GDPR no longer applies. The company is entitled to process and share such information as they see fit.


----------



## Sunny (20 Feb 2020)

Leo said:


> If the employee's identity has been redacted from the information shared, GDPR no longer applies. The company is entitled to process and share such information as they see fit.



No they are not. Medical information is classified as sensitive personal data. They are not allowed to process it as they see fit. They need clear consent as to how they are going to process the data and have a legitimate reason for doing it. Telling someone they have shared the data redacted or not without getting their clear consent is a breach of GDPR. Redacting the data doesn't change that. Giving consent to a medical exam is not giving consent to the company to process that data for GDPR. If the company is handling this data, they are required to have a policy document outlining how they will handle sensitive personal data.


----------



## Leo (20 Feb 2020)

Sunny said:


> Medical information is classified as sensitive personal data.



That is not correct, the legislation is very clear that such data is only covered where it contains sufficient detail to identify the individual concerned. Once detail has been redacted from a file so that the individual is no longer identifiable, GDPR does not apply.

It would be ridiculous to think that GDPR would prevent a company seeking advice from a specialist as to how they should handle a scenario where an unidentified employee contracts a contagious disease. The data protection commissioner even went further in the 2013 report as referenced above.


----------



## Sunny (20 Feb 2020)

Leo said:


> That is not correct, the legislation is very clear that such data is only covered where it contains sufficient detail to identify the individual concerned. Once detail has been redacted from a file so that the individual is no longer identifiable, GDPR does not apply.
> 
> It would be ridiculous to think that GDPR would prevent a company seeking advice from a specialist as to how they should handle a scenario where an unidentified employee contracts a contagious disease. The data protection commissioner even went further in the 2013 report as referenced above.



It doesn't prevent it Leo but it's not as simple as that. There is a whole section on how sensitive personal data is collected, stored and shared. You are only talking about redaction when sharing data which is fine from a security point of view but it doesn't absolve the company from other parts of GDPR legislation. Just because the data is redacted doesn't mean GDPR doesn't apply. The legislation still applies. Article 6 and Article 9 still apply. A company can't just share redacted sensitive personal data anytime it wants. A company of two people in a small town. Secretary takes a medical exam. Manager has no idea what it means so sends it on to local doctor without any identifiable employee details and without asking for the employee's consent. Doesn't take rocket science for the doctor to figure it out. I know it's not realistic but the legislation is in place to prevent things like this happening.

The idea that companies can just process sensitive personal data as they see fit is dangerous even if it is not identifiable.


----------



## Leo (20 Feb 2020)

Sunny said:


> Just because the data is redacted doesn't mean GDPR doesn't apply.



If the data does not clearly identify an individual, it does not fall under GDPR. 



Sunny said:


> A company of two people in a small town. Secretary takes a medical exam. Manager has no idea what it means so sends it on to local doctor without any identifiable employee details and without asking for the employee's consent.



Do you honestly think that is the situation here? Companies with HR staff and line managers usually employ more than two people.


----------



## Sunny (20 Feb 2020)

Leo, you are missing my point. Redacting data doesn't suddenly mean sensitive personal data is not subject to GDPR. For the company, to even have the data in the first place before redacting it, they have to comply with GDPR. Putting black lines through an employee's name doesn't mean that Article 6 and 9 don't apply. To suggest that a company can do anything with medical records as long as an employee's name isn't identifiable is ridiculous. So my company could collect everyone's medical history and announce a survey result that shows 16% of the company of depression. 24% have a history of asthma. 75 women have suffered miscarriages. Because that is what you are saying when you are saying that a company can do what it sees fit as long as the identifiable data is redacted. Well, they can't. Because medical records are sensitive personal data and is a special category under GDPR legislation. Article 6 and 9 apply. Whether you black out my name or not.

Anyway, we will have to agree to disagree on this.


----------



## Leo (21 Feb 2020)

Sunny said:


> Leo, you are missing my point. Redacting data doesn't suddenly mean sensitive personal data is not subject to GDPR.



The legislation is clear in its definition of protected data being restricted to that which clearly identifies an individual. An outline of a medical case does not constitute protected data. That has been tested in the HSE, as GDPR now prevents them sending patient files from one department to another without explicit consent. However they can share detailed notes on specific cases so long as the individual patient involved is no longer identifiable. That has been cleared by the DPC as consultants regularly share detailed case notes in conferences, in-house training, or cross-function case reviews.

Regardless, there is no clarity in this case of exactly what data the company was given, or what they shared with the consultancy company. I very much doubt they were given detailed medical notes unless this was a case like the one the DPC detailed where the risk posed to other staff meant that sharing that individual's data was the appropriate course of action. 



Sunny said:


> So my company could collect everyone's medical history and announce a survey result that shows 16% of the company of depression. 24% have a history of asthma. 75 women have suffered miscarriages. Because that is what you are saying when you are saying that a company can do what it sees fit as long as the identifiable data is redacted.



That's not even close to what I'm saying, but on your assessment that a company can't share collated stats like that, perhaps you should complain about the HSE, CSO and other bodies publishing that same kind of data?


----------



## DeeKie (23 Feb 2020)

It’s very hard to see how sharing back information without a name would not just be pseudonymisation only, which is protected data of course.


----------



## cmalone (24 Feb 2020)

My interpretation of the employer’s right to information and duty to look after the employee’s welfare has been consistent. This solicitor has eloquently explained the whole scenario- RDJ solicitors -

[broken link removed]


----------



## Shaunac (29 Feb 2020)

I thank you all for the time spent on my question but I cannot give further information publicly, and there is a lot, because I would be identified.


----------



## cmalone (29 Feb 2020)

We appreciate that - you should seek independent legal advice regarding the particular issue. Hope your condition is ok.


----------

