Case Studies Disclosure / Unauthorised Disclosure


Excessive sharing of special category data with a third party in order to seek guidance on behalf of an employee

An individual submitted medical documentation to their employer's disability officer in order to request reasonable accommodations that would support them in performing their work within a public sector organisation. The disability officer was the central point of contact and service provider for all staff with disabilities working for the organisation, and the individual had occasionally had reason to contact the disability officer over the course of their employment.

During a particular meeting with the disability officer, the individual discussed their health, other personal data relating to their finances and family circumstances, and their concerns about their options in the event that they were no longer able to continue working. The individual subsequently discovered that, following this meeting, the disability officer had emailed a separate entity that provides support and assistance to employees across a number of similar organisations about the meeting, including the individual's personal data and the matters the individual had disclosed, so that the disability officer could obtain advice. The individual was surprised to discover the extent of what had been shared with the third party without their consent.

Following receipt of a complaint from the individual, the DPC contacted the public sector organisation and asked it to identify the lawful bases under which it had shared the individual's personal data with the third party. The public sector organisation responded that the third party was an employee assistance service that provided support to employees on a range of topics. It maintained that the personal data, including special category data, had been processed under Articles 6(1)(d) and 9(2)(c) of the GDPR ("processing is necessary to protect the vital interests of the data subject"), as the personal data had been shared with the third party in order to ask for guidance on how best to support the individual.

"Vital interests" refers to tangible life-and-death situations where life is in immediate or imminent danger, and data controllers seeking to rely on this lawful basis must assess it on a case-by-case basis. This lawful basis does not apply to processing that is performed in the data subject's medium- or long-term best interests. Following the DPC's examination of the information that was shared, it became apparent that the amount of the individual's personal data shared was excessive in terms of the purpose it sought to serve.

Data controllers are reminded that, even when acting in the best interests of the data subject, all processing of special category data requires enhanced measures in terms of security and confidentiality that data controllers are obliged to meet. The use of vital interests as a lawful basis is only valid where there is an immediate, demonstrable threat to life; no such threat existed in this case.

In this instance, the public sector organisation initially considered that sharing this personal data with a third party service provider, for the purpose of obtaining the best advice for the individual, was compatible with the original purposes for which it was processed. However, on review of the personal data shared, the public sector organisation conceded that it had shared an excessive amount of un-redacted personal data in order to achieve its purposes. An anonymised description of the individual's circumstances could have achieved the same purpose without sharing the individual's personal and special category data.

Furthermore, the public sector organisation provided no evidence that the individual had been made aware, at the time, that their personal data could be shared with third parties in order to procure advice on their behalf. Following the DPC's examination of this complaint, the public sector organisation revised its disability service information notices in order to fulfil its transparency requirements and provided appropriate training to staff to ensure that further unnecessary sharing of this type would not recur.

Key Takeaway

  • Data controllers are reminded that sharing personal data with third parties requires a valid lawful basis. When sharing for compatible further purposes, a compatibility test will assist in determining whether the proposed processing is in line with the controller's legal obligations.
  • When considering further processing, a good rule of thumb is to ask whether your organisation will use the data in a way that those who supplied it would expect. This question should be the starting point for your compatibility test. When processing of this type is proposed, safeguards should be built into the data flows to ensure that data minimisation is central.
  • When personal data is processed under consent as a lawful basis, data controllers are reminded to ensure that any possibility of sharing with third party providers is clearly signposted to individuals before the personal data is shared.