The GDPR is quite complex but there are implications for records where an employer has carried out health surveillance as part of their health and safety programme.
The requirements for confidentiality presently under the DPA remain but the following apply:
- Employers have access to the results from this health surveillance. (See 1.)
- Employers can, and are strongly advised to, keep the records from such surveillance, even if the person to whom they apply wishes them to be destroyed. (See 2.)
We quite often find that health surveillance providers refuse to release results such as audiograms which are essential to understanding how well health protection measures are working. They typically claim that release is prevented by the DPA, often in ignorance of the DPA.
GDPR Article 6 (1)(c) states that processing is "lawful if it is necessary for compliance with a legal obligation to which the controller is subject". In this context, the employer is the controller and the employer has a legal obligation under Section 2 of the Health and Safety at Work, etc., Act. Article 6 (4)(b) reinforces this. Therefore, employers have access to the results from health surveillance they have arranged to meet Section 2 obligations. It would be worth making this a stipulation in any contract with a health surveillance provider.
Article 9 (2)(h) allows processing where it "is necessary for the purposes of preventive or occupational medicine or for the assessment of the working capacity of the employee..."
Articles 15 to 22 state the rights of the data subject (i.e. the employee). This includes, in Article 17, the right of erasure.
However, Article 17 (3)(c) states that this "shall not apply to the extent that processing is necessary for the establishment, exercise or defence of legal claims."
So, if it is possible that data are necessary for the defence of, say, a civil claim for noise-induced hearing loss, then the wise employer will retain such data, citing Article 17 (3)(c).