Health surveillance data is health data and is therefore classified as special category data under Article 9 of the General Data Protection Regulation (GDPR). To process it lawfully, organisations must identify both a lawful basis under Article 6 and a separate condition for processing special category data under Article 9.
This article outlines these requirements but should not be taken as legal advice.
Under the UK GDPR, several lawful bases (Article 6) can justify processing health data for health surveillance purposes:
Legal obligation: Processing is lawful if it is necessary to comply with a legal obligation to which the data controller (the employer) is subject. For example, UK health and safety legislation, such as the Health and Safety at Work etc. Act 1974 and the regulations made under it, requires employers to monitor and protect employee health, and in some cases specifically to carry out health surveillance. The obligation relied on should be identified and documented, since it is the obligation, not the employer's preference, that makes the processing necessary.
Consent: Processing is lawful if the employee gives explicit consent to their health data being processed. Consent must be:
Freely given
Specific
Informed
Unambiguous
Note that, while valid, consent can be problematic in the employer-employee relationship because of the imbalance of power. Employees may feel they cannot refuse, which undermines the "freely given" requirement, and consent can be withdrawn at any time, leaving the processing without a basis. Employers should normally rely on legal obligation or the employment-law condition instead, unless specific circumstances make consent preferable.
Contract: Processing is lawful if it is necessary for the performance of a contract to which the data subject (the employee) is a party, such as a contractual requirement for health surveillance. The processing must be genuinely necessary to perform the contract, not merely mentioned in it.
Legitimate interests: Processing is lawful if it is necessary for the legitimate interests of the data controller or a third party, except where those interests are overridden by the interests, rights and freedoms of the data subject. Workplace safety can be such an interest, so legitimate interests may be used for health surveillance data where the processing is necessary to ensure a safe workplace. This basis requires a documented balancing test (a legitimate interests assessment) confirming that the employer's interests are not outweighed by the employee's privacy rights, and it is not available to public authorities for processing carried out in the performance of their tasks. Organisations must demonstrate that:
The processing is strictly necessary for achieving the goal (e.g., monitoring fitness for work).
There are no less intrusive ways to achieve the same result.
The data subject's interests, rights and freedoms do not override the employer's interest.
Vital interests: Processing is lawful if it is necessary to protect the life or physical safety of the data subject or another person. This basis is intended for emergencies, not routine health surveillance, and for health data it applies only when:
The data subject is physically or legally incapable of giving consent
There is an urgent need to use the data for medical care
Under Article 9 of the GDPR, processing special category data such as health surveillance information also requires one of the conditions in Article 9(2) to be met. The Data Protection Act 2018 (Schedule 1) sets out how several of these conditions apply in UK law and attaches extra safeguards to some of them, such as the requirement for an appropriate policy document. Relevant conditions for health surveillance include:
Explicit consent: Data subjects must give explicit consent, which must be freely given, specific, informed and unambiguous, and must be expressed in a clear statement rather than inferred from conduct.
Consent must be documented, and it must be as easy to withdraw as it was to give. The concerns about freely given consent in the employment relationship apply here too.
Employment, social security and social protection law: Processing is necessary for carrying out obligations or exercising rights of the controller or the data subject under employment, social security or social protection law.
This includes compliance with health and safety regulations and monitoring fitness for work. Under the DPA 2018 (Schedule 1, Part 1), relying on this condition requires the controller to have an appropriate policy document in place that explains how the data protection principles are complied with and sets out retention and erasure policies for the data.
Legal claims: Processing is permitted if it is necessary to establish, exercise or defend legal claims. This includes:
Court proceedings (actual or potential)
Obtaining legal advice
Protecting legal rights
Preventive or occupational medicine: Processing is necessary for preventive or occupational medicine purposes, such as assessing the working capacity of an employee, medical diagnosis, or providing health care or treatment. Under Article 9(3) this condition applies only where the data is processed by, or under the responsibility of, a health professional or another person subject to a legal obligation of professional secrecy, which in practice points to processing by an occupational health professional rather than by line management.
Opus Compliance Cloud is designed to help organisations manage health surveillance data securely and in line with GDPR requirements:
Access Controls: Define and manage user permissions to ensure only specifically authorised system managers can access sensitive health data.
Access Audit: Maintain an audit log of who accessed this data and when, so that access can be reviewed.
Data Encryption: All health data is encrypted both in transit and at rest, offering robust protection.
Data Subject Rights: The platform supports responding to data subject requests, such as access, rectification, or deletion of personal data.
These measures support the processing of health surveillance data in compliance with GDPR, protecting both the data and the rights of individuals. Identifying the lawful basis and the Article 9 condition, and keeping the records that go with them, remains the organisation's responsibility.
Further information on the security measures of Opus Compliance Cloud is available here.