Data protection

Medical information is a “special category of data” (previously known as “sensitive personal data”) under the UK General Data Protection Regulation and the Data Protection Act 2018. Medical information must be kept confidential and secure, should be relevant and accurate and must be kept for no longer than necessary.

A medical report should not be shared with management or HR without the employee’s express consent. For more on data protection and privacy see Chapter 15.