Case Studies Disclosure / Unauthorised Disclosure


Processing occupational health data

An individual submitted a complaint to the DPC after a medical facility disclosed their medical data to their employer. The individual had attended the medical facility at the request of their employer, following an extended period of sick leave from work. During the consultation, the individual was questioned about their past medical history, which was not directly related to their current illness. The medical facility then furnished the individual's employer with a full copy of the consultation notes, including this historical medical data.

In correspondence with the DPC, the medical facility advised that it was standard practice to share medical data between medical professionals, but that only the minimum data necessary should be shared with an individual's HR department, namely whether the employee is fit or unfit for work. In this instance, the medical facility shared the individual's full medical data with the employer's nurse practitioner, a medical professional, and then further processed that data by sharing the full medical record with the HR department as well.

The medical facility also detailed how the full medical report came to be disclosed to the individual's HR department. It advised that, following a phone call with the individual's employer, a manager within the HR department requested a copy of the medical report detailing the individual's fitness to work. The medical facility stated that it had incorrectly assumed the individual had consented to this request and subsequently furnished the HR department with the full medical data.

Medical data, or personal data concerning health, is a "special category of personal data" under Article 9 of the GDPR and is subject to specific rules, in recognition of its sensitive nature and the heightened risk that processing it poses to the fundamental rights and freedoms of data subjects. Processing of such data is prohibited unless one of the conditions in Article 9(2) of the GDPR applies, and a lawful basis under Article 6 of the GDPR must also be identified. Furthermore, Article 5(1)(f) of the GDPR sets out the principle of integrity and confidentiality, which requires that personal data be protected against unlawful processing. In this instance, the medical facility advised the DPC that, at the time of the consultation, it had not informed the individual that their medical data would be further processed or disclosed to their employer.

As the medical facility failed to demonstrate a lawful basis for the processing, the DPC determined the processing to be unlawful and not in compliance with the requirements of the GDPR.

Following the conclusion of the data protection complaint, the DPC engaged further with the medical facility in relation to its data protection practices and policies.

Key Takeaway

  • Data controllers must always be able to demonstrate a lawful basis for processing, and this is especially important where the personal data is special category data, which has additional protections under Article 9 of the GDPR. Where a controller relies on consent, it must be able to show that the data subject actually gave it; assuming consent is not a lawful basis.