When employees fall ill, multitudes of personal data need to be processed, by different parties using different absence administration systems. This can lead to all sorts of confusion and misconceptions on the division of GDPR-related roles, which is why, in 2016 – prior to the GDPR entering into force – the Dutch Data Protection Authority issued a number of policies on the processing of personal data relating to the health status of sick employees.
The current state of affairs, however, shows that even now, under the well-established umbrella of the GDPR, there are still serious differences of opinion between privacy professionals, H&S consultants and certification authorities when it comes to the division of GDPR roles in the context of Occupational Health & Safety service providers or, as we will refer to it here, the context of “arbodiensten”, since this blog is based on rather specifically Dutch conditions. Nevertheless, in order to shed a degree of light on the matter, The Privacy Factory will, in this blog, propose a thesis which will hopefully contribute to a much-needed discussion on the subject. So please, do not hesitate to react and share your thoughts and comments on LinkedIn.
1. Sick employees
In supporting employees who are absent from work due to illness, medical data need to be processed along with information of a non-medical nature. Here, however, both types of information qualify as ‘health-related data’ which makes them fall under the heading of special categories of personal data. As such, processing them is, in principle, not allowed. However, the UAVG, which is the Dutch GDPR implementation law, makes an exception for employers (and institutions or agencies working for or operating on behalf of these employers) in so far as processing is necessary in supporting employees in their time of illness (Art. 30 UAVG).
In the processing of health-related data as outlined above, different parties are actively involved: the employer, the arbodienst, the company physician and various case managers and other relevant employees. Below, we will examine the nature of their roles in terms of the GDPR by looking at the different ways in which these parties interact and work together in practical circumstances. But it is not only the GDPR we are interested in here. Another key legislative component in this equation is Article 14 of the “Arbeidsomstandighedenwet”, the Dutch Working Conditions Act, which states that employers have the legal obligation, whenever faced with employee absence due to illness, to arrange for expert counselling (Art. 14(1)(b)). In doing so, the employer must seek the advice of a registered occupational physician or a certified arbodienst. The latter two parties are also assigned specific tasks in Art. 14(1)(b) inasmuch as they have the legal obligation to provide such expert counselling. This, then, is the legal basis justifying this type of personal data processing in the sense of Art. 6(1)(c) of the GDPR – necessity for the performance of a legal obligation.
In carrying out their respective legally required tasks, all parties are, as a basic rule, only allowed to process data that are necessary for the performance of their specific individual roles. Thus, the employer may only process data relevant to reporting sick leave, reintegration and continued payment of wages. These include, for example, data on the period of absence, the extent to which the individual may be or is expected to become incapacitated, and what this means for the work the employee may or may not be able to do in the future. When it comes to advice on the treatment of sick employees, this task belongs to the company physician who, to this end, collects strictly medical data, storing them in the employer’s medical file.
As far as performing his legal obligation is concerned, the employer is and remains the controller. There are several ways in which the employer can meet the legal requirement of arranging for expert counselling – sometimes a case manager will be available within the organisation to handle absentee counselling with the assistance of a company physician. Together, they would then make up the organisation’s internal medical service, processing the information in their capacity as employees acting on behalf of their employer, with the case manager qualifying as a process custodian for the employer and the company physician in a role of medical mentor for the employee. Here, the employer himself is the autonomous controller for the entire processing.
As an alternative, the employer may choose to enlist the services of an external certified arbodienst, assisted by an internal or external occupational physician. This does not change the fact that, for the performance of his legally required task, the employer qualifies as the controller, as he determines the purpose and means of processing by the very act of choosing to work with a specific arbodienst, which, in the performance of its duties, will be using a specific absence administration system.
The arbodienst, acting as a process custodian on behalf of the employer, is to be qualified as a processor and may also, with respect to the occupational physician, qualify or not qualify as a controller, depending on the details of their working relationship.
The arbodienst, by performing the employer’s legal duties in its role of process custodian, qualifies, within this capacity, as a processor acting on behalf of the employer. When it comes to medical counselling of the absent employee, the arbodienst, if it is using the services of an occupational physician in its own employ, qualifies as the controller for that particular part of the processing. The decisive element here is the relation to the physician – where the physician is employed externally, the arbodienst, in that part of the working relationship, does not qualify as the controller, while the external physician, in this construction, qualifies as a recipient of personal data in the sense of Art. 4(9) of the GDPR.
As we have seen in the above, an occupational physician may be employed by the employer, i.e. the organisation handling employee absenteeism, or by the arbodienst called in by the organisation to handle absenteeism on its behalf. He or she may also be working as an independent agent, available for hire on a case basis. In the first two scenarios, where the physician is an employee, the organisation employing him or her qualifies as the controller of the (special categories of) personal data to be processed by the physician in the performance of his or her legal duties.
Independent occupational physicians, on the other hand, for hire on a case basis, qualify as autonomous controllers for the (special categories of) personal data to be processed by them in the performance of their legal duties, since they are the ones determining the purpose and means of the processing, even when they are using the absence administration system made available to them by the arbodienst that has enlisted their services. In this scenario, said arbodienst qualifies as the processor. Where the physician, as part of a delegation of tasks regime, transfers (parts of) his or her tasks to a case manager in the employ of the arbodienst, under derived professional confidentiality of course, the physician still qualifies as the controller of the (special categories of) personal data the actual processing of which has been delegated to the case manager.
In researching the topic prior to writing this blog, we discovered the probable source of the difference in interpretation of GDPR-related roles. The assumption in the Dutch Working Conditions Act and, possibly as a result, in publications by the Autoriteit Persoonsgegevens (the Dutch data protection authority), seems to be that there are two practical scenarios, one being that of an arbodienst employing its own occupational physician(s) and the other involving an independently operating occupational physician. In reality, there appears to be a third option, where the arbodienst, without actually employing medical personnel, works with independent physicians. In the latter construction, we would qualify the arbodienst as the processor acting on behalf of the employer in question, and the occupational physician as an autonomous controller.
If you are in any way familiar with these matters, please let us know what you think by posting your comments to this blog on LinkedIn.