Medical confidentiality in the workplace is a sensitive issue. If you disclose health information to your manager or HR, you have a right to privacy. There are also many situations where you are not legally obligated to disclose sensitive personal information about your health to your workplace.
If your confidentiality is breached at work, it can cause a lot of stress and upset. We’ll look at your right to medical privacy at work.
We will also explore situations where you need to disclose a medical condition to your employer, and how you should approach letting them know.
What is Medical Confidentiality in the Workplace?
The law on confidentiality about health and medical data applies to everyone in the workplace. That means information disclosed by managers, as well as anything shared between work colleagues, is covered under the Data Protection Act.
This means that every workplace should have policies around personal health-related conversation in the workplace. All workplaces should make sure employees understand that disclosing medical information about a colleague without their permission would breach the Data Protection Act.
Data Protection Act 2018 & GDPR
Issues of medical confidentiality at work were previously covered by the Data Protection Act 1998. However, this has since been replaced by GDPR Law.
The Data Protection Act 2018 is the UK’s legal framework which has been created to comply with GDPR Laws.
How Does GDPR Apply to Medical Information at Work?
The Data Protection Act 1998 includes health issues and confidentiality in its remit. Under the terms of the Act, health data is sensitive personal data.
GDPR governs how all personal data is treated. It classes medical data as a “special category” of data, and the processing of this data is not allowed unless you consent. It might also be allowed if you have already made the information about yourself public, or if it was needed to protect your interests at work.
However, this would not be because a manager felt your colleagues “needed to know”. But if your medical information needed to be shared with HR staff in order to make reasonable adjustments, or process sick pay entitlements, this would most likely be reasonable.
If you have concerns about how your workplace has used or shared personal data, you should contact ACAS. They will help you understand what is and is not allowed in your circumstances.
This article on worker’s health information and data protection law has a detailed overview.
My Manager Has Breached My Confidentiality – What Should I Do?
Your approach to a breach of medical confidentiality by your manager will vary depending on how serious it is. However, in the first instance you should document the breach in writing.
You may wish to write a clear and concise email to your manager outlining why you consider they have breached your right to confidentiality at work. Keep it factual, and do not allow emotion to creep into the email. If you are feeling emotional, it might be a good idea to leave your email as a draft and re-read it later.
Request a Solution
If there are any actions you feel should be taken to try and remedy the situation, these should be outlined.
For example, if your manager has disclosed a health condition to work colleagues, it might be reasonable to request they speak to them and ask that the disclosure is not repeated. You may wish to copy in HR to the email if you feel you might wish to take the matter further and raise a grievance.
If the breach is particularly serious, maintaining a paper trail of communications might help if you decide to take the issue to an employment tribunal.
It would be a good idea to have a conversation with ACAS before sending any communication. Understanding your rights will help in resolving the situation and keeping things constructive. Remember, you do have a clearly defined right to medical confidentiality.
Storing Health Data at Work
Placing health data in a computer or file is legal if medical purposes require it. The person who processes the data must be a healthcare professional or someone who has a similar duty of confidentiality.
Storing medical data at work is also legal if a worker gives an employer permission to do so. Under GDPR law you have the right to access any data stored about you at work. Your workplace must also have a clear policy about how your data will be stored and processed.
If you feel your workplace has breached GDPR law in relation to your medical data, you should speak to your workplace data controller. If your workplace does not have a data controller, you should speak to your manager in the first instance.
After that, you may wish to report the matter to the ICO if you feel your concerns have not been addressed.
Disclosing Medical Information to an Employer
There is no obligation for a worker to give medical details to an employer. In practice, many workers will give this information out of courtesy and to fully explain any absences from work.
If they do so, they have a right to expect that the employer will not divulge the details to anyone. This means that your manager should not share information about your health with your co-workers unless you give permission.
Reasonable Requests for Medical Information
On occasion, an employer may need full medical details from a worker. Under some circumstances, this is reasonable.
The health and safety requirements of a workplace may be such that there are legitimate risks if an employer is not aware of workers’ medical background. Some health conditions can affect workplace safety, and should be shared.
If you are asked to share medical information, or are required to undergo a medical for work purposes, your data should be kept confidential.
Reporting Ill Health
When calling in sick, you are not obliged to say exactly why you are unwell.
You can give a broad report of ill health. A worker has an obligation to perform a job. If something affects this performance, an employer has a right to know that poor health is the cause.
All you need explain to an employer is how a condition affects your work. You should also say when you expect to be back to full fitness. There is no need to mention the nature of the condition.
Occupational Health Professionals
An employer may ask an occupational health (OH) professional to speak to a worker who is ill. The duty of confidentiality that applies to a doctor or nurse also applies to an occupational health professional.
This means that a worker can speak to an OH professional in the knowledge that an employer will not learn the nature of an illness.
An OH professional does, of course, report back to an employer. Such a report should give details about a worker’s ability to function. It should say whether or not a worker’s state of health will improve and when. An OH report should not have any medical details unless a worker agrees in writing.
An OH professional may keep an additional record that gives full details about a worker’s health. An employer does not have an automatic right to gain access to this.
A worker must first give his or her written agreement. On the other hand, a worker has a right to see such a record at any time.
Further Reading
- Cancer & employment rights – our guide looks at navigating cancer diagnosis and treatment in the workplace.
Health Confidentiality at Work FAQs
Hopefully the above article will have given a good overview of the law and best practices around health confidentiality at work. However, here are some commonly asked questions to help your understanding of how the law might apply to you and your work.
There are limited situations at work where your boss can discuss your medical information. It would be appropriate for them to talk about health issues with HR to ensure your wellbeing. However, discussing private health information with co-workers would breach your right to confidentiality at work.
Your employer or occupational health can ask for a report from your doctor; however, this does not mean they will gain unrestricted access to your health records. They will be able to ask if a condition you have affects your role at work. The report might also state in general terms if you needed reasonable adjustments or if your condition constituted a disability.
Can I request to see a copy of notes taken during an OH interview which were used by OH to make their written assessment?
My manager received my OH report before me and I had to request it from my manager. Apparently this is standard procedure, which I’m confused by.
My line manager failed to give me it after numerous requests, until my Union rep asked them to send it to me.
My manager then replied to my union rep attaching my OH report and copied me and her manager in.
I feel this is a breach of confidentiality as I didn’t give consent.
I only asked for it myself.
Is this a breach?
You should get it before your manager, as you have the right to read your report, and if you don’t agree with any contents in your report you can ask OH to change it before you consent to your manager having a report.
This happened to me and I never got a chance to request that new medical details not relating to being referred in the first place but I had mentioned be removed, now at least 3 people know my personal medical information.
My husband has recently had a new procedure done to repair a replaced heart valve. His GP said as this is a new procedure there is no data with regards to the risks. But his employer is still asking verbally for a letter. My husband has shown his employer the text his doctor wrote to him to say that the GP did not have any information about the procedure. But apart from 2 weeks off work after the procedure he has not had any sick off. He is finding this very stressful.
A colleague I line manage shared some confidential information about their health with me. I have been reprimanded for not sharing this with HR and my line manager. I have never been told that I was obliged to share confidential information with HR/line manager. Can you clarify?
I have been asked to sign an employment contract which states that my employer can make me have a medical at any time and then discuss the outcomes with HR. Signing the contract gives permission for this. I’m not happy. What if I were e.g. pregnant but not yet ready to disclose this – having a medical is one thing, but allowing all findings to be discussed makes me extremely uncomfortable.
Hi Lou,
In the first instance, it might be an idea to request further information on what the scope of the medical examination your employer wishes you to have would be. I’d also recommend asking for the appropriate policy documents on how your medical data would be shared and stored by your employer. Using pregnancy as an example, unless the medical were to include a pregnancy test or external examination of the uterus, a pregnancy would not necessarily be revealed. Also, it may be that the scope of the medical would be related to things related to fitness to perform your role, and findings would only be shared with HR if it was discovered there was a health issue that might affect your work.