Sharing Sickness Report.

Leo said:

That is not correct, the legislation is very clear that such data is only covered where it is contains sufficient detail to identify the individual concerned. Once detail has been redacted from a file so that the individual is no longer identifiable, GPRD does not apply.

It would be ridiculous to think that GDPR would prevent a company seeking advice from a specialist as to how they should handle a scenario where an unidentified employee contracts a contagious disease. The data protection commissioner ever went further in the 2013 report as referenced above.

Click to expand...

It doesn't prevent it Leo but it's not as simple as that. There is a whole section on how sensitive personal data is collected, stored and shared. You are only talking about redaction when sharing data which is fine from a security point of view but it doesn't absolve the company from other parts of GDPR legislation. Just because the data is redacted doesn't mean GDPR doesn't apply. The legislation still applies. Article 6 and Article 9 still apply. A company can't just share redacted sensitive personal data anytime it wants. A company of two people in a small town. Secretary takes a medical exam. Manager has no idea what it means so sends it on to local doctor without any identifiable employee details and without asking for the employees consent. Doesn't take rocket science for the doctor to figure it out. I know it's not realistic but the legislation is in place to prevent things like this happening.

The idea that companies can just process sensitive personal data as they see fit is dangerous even it is not identifiable.

Sunny said:

Just because the data is redacted doesn't mean GDPR doesn't apply.

Click to expand...

If the data does not clearly identify an individual, it does not fall under GDPR.

Sunny said:

A company of two people in a small town. Secretary takes a medical exam. Manager has no idea what it means so sends it on to local doctor without any identifiable employee details and without asking for the employees consent.

Click to expand...

Do you honestly think that is the situation here? Companies with HR staff and line managers usually employ more than two people.

Leo, you are missing my point. Redacting data doesn't suddenly mean sensitive personal data is not subject to GDPR. For the company, to even have the data in the first place before redacting it, they have to comply with GDPR. Putting black lines through an employees name doesn't mean that Article 6 and 9 don't apply. To suggest that a company can do anything with medical records as long as an employees name isn't identifiable is ridiculous. So my company could collect everyones medical history and announce a survey result that shows 16% of the company of depression. 24% have a history of asthma. 75 women have suffered mis-carriages. Because that is what you are saying when you are saying that a company can do what it sees fit as long as the identifiable data is redacted. Well, they can't. Because medical records are sensitive personal data and is a special category under GDPR legislation. Article 6 and 9 apply. Whether you black out my name or not.

Anyway, we will have to agree to disagree on this.

Sunny said:

Leo, you are missing my point. Redacting data doesn't suddenly mean sensitive personal data is not subject to GDPR.

Click to expand...

The legislation is clear in its definition of protected data being restricted to that which clearly identifies an individual. An outline of a medical case does not constitute protected data. That has been tested in the HSE, as GDPR now prevents them sending patient files from one department to another without explicit consent. However they can share detailed notes on specific cases so long as the individual patient involved is no longer identifiable. That has been cleared by the DPC as consultants regularly share detailed case notes in conferences, in-house training, or cross-function case reviews.

Regardless, there is no clarity in this case of exactly what data the company was given, or what they shared with the consultancy company. I very much doubt they were given detailed medical notes unless this was a case like the one the DPC detailed where the risk posed to other staff meant that sharing that individual's data was the appropriate course of action.

Sunny said:

So my company could collect everyones medical history and announce a survey result that shows 16% of the company of depression. 24% have a history of asthma. 75 women have suffered mis-carriages. Because that is what you are saying when you are saying that a company can do what it sees fit as long as the identifiable data is redacted.

Click to expand...

That's not even close to what I'm saying, but on your assessment that a company can't share collated stats like that, perhaps you should complain about the HSE, CSO and other bodies publishing that same kind of data?

It’s very hard to see how sharing back information without a name would not just be pseudononymisation only, which is protected data of course.

My interpretation of the employer’s right to information and duty to look after the employee’s welfare has been consistent. This solicitor has eloquently explained the whole scenario- RDJ solicitors -

[broken link removed]

I thank you all for the time spent on my question but I cannot give further information publically, and there is a lot, because I would be identified.

We appreciate that - you should seek independent legal advice regarding the particular issue. Hope your condition is ok.