Employers may wish to access and use information on workers’ medical conditions, for example, where an employee is off on long-term sickness absence, where there is a need to use pre-employment medical questionnaires, or where they wish to carry out drugs and alcohol testing. They may also need to collate information for insurance schemes. Employers need to understand what information they may have access to, and how they may process such information.
In the UK, if an employer needs to obtain a report from a medical practitioner who has been responsible for the employee’s clinical care, they need to comply with the Access to Medical Reports Act 1988. Such practitioners would include the employee’s GP and others responsible for the employee’s care, such as a physiotherapist, psychiatrist or other specialist.
The Act requires that the employer must:
• obtain the employee’s express consent in writing before applying to the medical practitioner for a report; and
• notify the employee of their rights under the Act. These include the right to withhold permission from the employer obtaining the report, the right to have access to the report either before it is sent to the employer or afterwards and, on seeing the report, the right to withdraw consent or request amendment of the report.
Medical records amount to ‘sensitive personal data’ under the Data Protection Act. If sickness records are to be ‘processed’ (e.g. obtained, retained, disclosed, disposed of, etc.), then employers must comply with the sensitive personal data rules. Whilst it is worth noting that the DPA only comes into play when such information is held on a computer system or in a ‘relevant filing system,’ in practice, the DPA is likely to apply to most information held by an employer about its employees.