Occupational health GP gave a detailed report to my HR department.

[Ualtar]

Was referred by HR as I requested working from home andbhad support of disability officer . I've met Occ health doc a few times and I mentioned how I was concerned about a particular member of staff in HR who is known to gossip. He read out his previous report to them which listed my medication. I asked him why he had to tell them this but he said HR can have access to any information as they need to decide whether to allow me to work remotely so need details of my condition etc. I didn't think this was right but he basically told myself that I just needed to get my head around the fact that HR was entitled to know details of my issues ( which btw are extremely extremely private,only a handful of people in my private life even know them).
Even if that was the case, details of medication was entirely irrelevant and I really felt it was a breach of gdpr . The only reason he could have had for listing was to highlight that I wasn't taking a particular medication for my condition ( which is my choice as side effects were horrendous).

1. Medical Information and HR Access:​

• Limited Access: HR should only have access to the medical information that is strictly necessary for making decisions related to your employment, such as reasonable accommodations, sick leave, or fitness to work. They do not have an automatic right to see all of your medical information. The principle of data minimization under GDPR means that only the minimum amount of information necessary to achieve a specific purpose should be shared.
• Occupational Health as a Buffer: Occupational health professionals typically act as intermediaries. They assess your health and then provide HR with a summary of your fitness for work or recommendations for accommodations. The details of your medical condition, including specific diagnoses or medications, should not be disclosed to HR unless absolutely necessary for making employment-related decisions.

2. Consent and Data Sharing:​

• Explicit Consent: Typically, your explicit consent is required to share detailed medical information with HR. If detailed medical information, like the specifics of your medication, is not directly relevant to assessing your ability to work or determining accommodations, then sharing it without your explicit consent could be a violation of GDPR.
• Data Minimization: If the details of your medication are not relevant to your request for remote work, they should not have been included in the report to HR. The focus should be on what accommodations you need to perform your job, not on unnecessary medical details.

3. Legal Protections:​

• Right to Object: Under GDPR, you have the right to object to the processing of your personal data in certain circumstances. If you believe that your medical information has been unnecessarily or improperly shared, you can raise this with your employer and, if necessary, with the Data Protection Commission.
• Right to Rectification and Erasure: You also have the right to request that inaccurate or unnecessary personal data be corrected or deleted. If the information about your medication is irrelevant to your work situation, you may have grounds to request that it be removed from your HR file.