LRD guides and handbook September 2023

Law at Work 2023

Chapter 5

Data protection

Medical information is a “special category of data” (previously known as “sensitive personal data”) under the UK General Data Protection Regulation and the Data Protection Act 2018. The employer must also comply with Part 4 of the Information Commissioner’s Code of Practice: Information about workers’ health. In particular, medical information must be kept confidential and secure, should be relevant and accurate and must be kept for no longer than necessary.

A medical report should not be shared with management or HR without the employee’s express consent. For more on data protection and privacy see Chapter 15.