The main elements of GDPR are the cornerstone of occupational health:
- Only collect information that is relevant.
- Ensure data is only used for the purpose for which it was originally collected.
- Securely dispose of data that is no longer required.
- Ensure accuracy of data.
- Inform subjects of what data is held, who has access and how it is held.
- Security of data storage.
- Managing special category data (what used to be called sensitive data).
- Consent for data processing for a specific purpose.
OH clinicians are bound by professional ethics, codes of conduct, professional regulatory bodies, legislation and guidance on the management of sensitive health information or special category data.
For clinicians, the terms consent and informed consent demand that specific information be given to the subject or, in the true clinical sense, the patient. This is enshrined in clinical practice, and OH is clinical practice.
The broad brush of GDPR is not new to OH, nor does it demand a different standpoint.
The detail of GDPR does bring changes to OH practice which I like to think strengthens relationships and brings greater clarity of roles and responsibilities.
It requires the designation of roles – controller, processor and data protection officer (DPO – only for public bodies or those handling large-scale systematic monitoring or large-scale processing of special category data). Within OH these roles will be duplicated, so the employer will be a controller/processor as well as OH. GDPR requires a written contract to be in place between the controller and the data processor, for instance with a provider of services, as the controller is liable for the processor’s compliance.
GDPR requires the lawful basis for processing data to be specified. In OH this is likely to be Article 6(1)(e) or (f) and/or, specifically for the purposes of preventative or occupational medicine, the assessment of the working capacity of an employee, medical diagnosis, the provision of health or social care or treatment, or the management of health or social care systems and services on the basis of Union or member state law or pursuant to a contract with a health professional (Article 9(2)(h)).
It is not advisable for OH to use consent as the GDPR lawful basis, as the GDPR definition of consent (freely given, specific, informed and unambiguous) brings nuances and legal challenge when compared with clinical informed consent. For example, employees are often required to engage with OH as part of their contract, so there is an imbalance of power – consent in relation to GDPR and OH cannot be freely given.
Another requirement of GDPR which has made OH very busy is the creation and sharing of a privacy notice with data subjects. Whereas before, the data subject would be informed of how data would be used and who would have access, GDPR specifies what information must be provided to the data subject. A key element of this, and of GDPR generally, is data storage, specifically how long data is kept. This is a complicated one for OH, as some health and safety legislation (COSHH, CLAW etc.) specifies the length of time to retain health records but not clinical records. Clarity is required on the use of the terms health records and clinical records; clinical records are sometimes also termed medical records. A health record contains the details that enable a business to appropriately manage risk, for example the level of hearing loss as a category, or a management report following a referral, and not the clinical details (audiometry graph/tracing, clinical history, medications). Clinical records contain all clinical health details and are not released to an employer. There is no legislation which specifies the length of time clinical records are to be retained. Guidance on the retention of clinical records for management referrals is 6-7 years after the employee has left the business or after the last entry.
The data subject has the right to access their personal data, whatever the reason for the request. In OH, personal data will include health and clinical data and management referrals. This will increase the demand on managers to ensure they involve the employee in the management referral process: the reasons for referral, what is being asked for, where the information will go and how it will be used. Redaction is appropriate and lawful if third parties have not consented to their identity being disclosed. OH professionals will also consider whether there is a likelihood of serious harm to the physical or mental health of the data subject or another individual on release of the data, and may refuse the request on this basis. Interestingly, GDPR states that a controller who is not a health professional must not disclose health data unless they have obtained an opinion from an appropriate health professional.
So that is a whistle-stop tour of GDPR from the OH perspective, which I hope will allow for closer partnerships and understanding.