Confidentiality in the workplace is a sensitive issue, and this is particularly true in relation to information about health and medical conditions. Our guide looks at the law relating to disclosing medical information at work, and how to deal with and avoid breaches of confidentiality.
What is Health Confidentiality in the Workplace?
The law on confidentiality about health and medical data applies to everyone in the workplace. That means information disclosed by managers, as well as anything shared between work colleagues, is covered under the Data Protection Act.
This means that every workplace should have policies around personal health-related conversations in the workplace. All workplaces should make sure employees understand that disclosing medical information about a colleague without their permission would breach the Data Protection Act.
Data Protection Act 2018 & GDPR
Issues of medical confidentiality at work were previously covered by the Data Protection Act 1998. However, this has since been replaced by the GDPR.
The Data Protection Act 2018 is the UK’s legal framework, created to comply with the GDPR.
How Does GDPR Apply to Medical Information at Work?
The Data Protection Act 1998 includes health issues and confidentiality in its remit. Under the terms of the Act, health data is “sensitive personal data”.
GDPR governs how all personal data is treated. It classes medical data as a “special category” of data, and the processing of this data is not allowed unless you consent. It might also be allowed if you have already made the information about yourself public, or if it was needed to protect your interests at work.
However, this would not be because a manager felt your colleagues “needed to know”. But if your medical information needed to be shared with HR staff in order to make reasonable adjustments, or process sick pay entitlements, this would most likely be reasonable.
If you have concerns about how your workplace has used or shared personal data, you should contact ACAS. They will help you understand what is and is not allowed in your circumstances.
This article on worker’s health information and data protection law has a detailed overview.
My Manager Has Breached My Confidentiality – What Should I Do?
Your approach to a breach of medical confidentiality by your manager will vary depending on how serious it is. However, in the first instance you should document the breach in writing.
You may wish to write a clear and concise email to your manager outlining why you consider they have breached your right to confidentiality at work. Keep it factual, and do not allow emotion to creep into the email. If you are feeling emotional, it might be a good idea to leave your email as a draft and re-read it later.
Request a Solution
If there are any actions you feel should be taken to try and remedy the situation, these should be outlined.
For example, if your manager has disclosed a health condition to work colleagues, it might be reasonable to request that they speak to them and ask that the disclosure is not repeated. You may wish to copy HR into the email if you feel you might want to take the matter further and raise a grievance.
If the breach is particularly serious, maintaining a paper trail of communications might help if you decide to take the issue to an employment tribunal.
It would be a good idea to have a conversation with ACAS before sending any communication. Understanding your rights will help in resolving the situation and keeping things constructive. Remember, you do have a clearly defined right to medical confidentiality.
Storing Health Data at Work
Placing health data in a computer or file is legal if medical purposes require it. The person who processes the data must be a healthcare professional or someone who has a similar duty of confidentiality.
Storing medical data at work is also legal if a worker gives an employer permission to do so. Under GDPR law you have the right to access any data stored about you at work. Your workplace must also have a clear policy about how your data will be stored and processed.
If you feel your workplace has breached GDPR law in relation to your medical data, you should speak to your workplace data controller. If your workplace does not have a data controller, you should speak to your manager in the first instance.
After that, you may wish to report the matter to the ICO if you feel your concerns have not been addressed.
Disclosing Medical Information to an Employer
There is no obligation for a worker to give medical details to an employer. In practice, many workers will give this information out of courtesy and to fully explain any absences from work.
If they do so, they have a right to expect that the employer will not divulge the details to anyone. This means that your manager should not share information about your health with your co-workers unless you give permission.
Reasonable Requests for Medical Information
On occasion, an employer may need full medical details from a worker. Under some circumstances, this is reasonable.
The health and safety requirements of a workplace may be such that there are legitimate risks if an employer is not aware of workers’ medical background. Some health conditions can affect workplace safety, and should be shared.
If you are asked to share medical information, or are required to undergo a medical for work purposes, your data should be kept confidential.
Reporting Ill Health
When calling in sick, you are not obliged to say exactly why you are unwell.
You can give a broad report of ill health. A worker has an obligation to perform a job. If something affects this performance, an employer has a right to know that poor health is the cause.
All you need to explain to an employer is how a condition affects your work. You should also say when you expect to be back to full fitness. There is no need to mention the nature of the condition.
Occupational Health Professionals
An employer may ask an occupational health (OH) professional to speak to a worker who is ill. The duty of confidentiality that applies to a doctor or nurse also applies to an occupational health professional.
This means that a worker can speak to an OH professional in the knowledge that an employer will not learn the nature of an illness.
An OH professional does, of course, report back to an employer. Such a report should give details about a worker’s ability to function. It should say whether or not a worker’s state of health will improve and when. An OH report should not have any medical details unless a worker agrees in writing.
An OH professional may keep an additional record that gives full details about a worker’s health. An employer does not have an automatic right to gain access to this.
A worker must first give his or her written agreement. On the other hand, a worker has a right to see such a record at any time.
- Cancer & employment rights – our guide looks at navigating cancer diagnosis and treatment in the workplace.
Health Confidentiality at Work FAQs
Hopefully the above article will have given a good overview of the law and best practice around health confidentiality at work. However, here are some commonly asked questions to help your understanding of how the law might apply to you and your work.
There are limited situations at work where your boss can discuss your medical information. It would be appropriate for them to talk about health issues with HR to ensure your wellbeing. However, discussing private health information with co-workers would breach your right to confidentiality at work.
Your employer or occupational health can ask for a report from your doctor; however, this does not mean they will gain unrestricted access to your health records. They will be able to ask if a condition you have affects your role at work. The report might also state in general terms whether you need reasonable adjustments or whether your condition constitutes a disability.