During our recent webinar on Managing Long-term Sickness Absence, we received a number of questions via the chat facility that we will address in a short series of blogs over the next few weeks. Stay tuned for more to come.
The first questions we address are:
- When speaking about obtaining medical advice, you mentioned AMRA – the Access to Medical Reports Act. Can you explain a bit more about this?
- What should an employer be aware of from a data protection perspective when requesting medical information in this context?
When speaking about obtaining medical advice, you mentioned AMRA – the Access to Medical Reports Act. Can you explain a bit more about this?
The Access to Medical Reports Act 1988 gives individuals a right of access to medical reports written about them for employment or insurance purposes.
Only certain medical reports are covered by AMRA, namely those that have been prepared by a medical practitioner who is or has been responsible for the clinical care of the employee. It would therefore cover a medical report written by the employee’s GP or a consultant or specialist who has been treating the employee, but a report written by an independent medical examiner who has never been involved in the treatment of the employee would not be caught. Having said that, separate guidance by the General Medical Council advises all doctors, including OH physicians, to offer individuals the opportunity to see a report before it is sent to their employer.
Where the Act applies, employees have specific rights including the right to (a) withhold consent for their employer to apply for a medical report; (b) access the report before it is supplied to the employer, provided they make arrangements with the doctor to see the report within 21 days from the date of the employer’s letter notifying them that a request has been made; (c) withhold consent for their employer to see the report; and (d) ask the doctor to amend any comments that the employee considers to be inaccurate or misleading. If the doctor refuses, the employee has the right to ask the doctor to attach a statement to the report which reflects the employee’s views on the subject.
Nothing in the exercise of these rights protects the employee against the employer’s rights in turn to draw adverse inferences from the individual choosing, for example, to deny the employer the ability to request or see any report about them.
In practice, most employers have standard forms and processes in place to ensure employees are aware of their rights under AMRA and they have the necessary consent before obtaining medical reports about them. Do get in touch if you would like further information about preparing these.
What should an employer be aware of from a data protection perspective when requesting medical information in this context?
As information about an employee’s health will amount to “special category data” under the DPA 2018/UK GDPR, employers need to be particularly careful when processing such data.
The starting point of course is that they will need to establish a lawful basis for processing any such information and an exception allowing them to process this “special category” data. In the context of obtaining a medical report, this should not be difficult – it is most likely to be that the processing is necessary for the performance of rights and obligations in connection with employment. Remember that although you will need to obtain the employee’s consent to obtain the medical report in the first place, employers should not usually seek to rely on consent as a lawful basis for processing the data in the medical report once it is received. As is the case in other areas of the employment relationship, employers may find it difficult to rely on consent because of the perceived imbalance of power between the parties.
Further, when processing special category data, employers need to have an appropriate policy document in place setting out in broad terms the circumstances in which the employer may seek and process that data, the likely purpose of that processing and the measures that the employer will take to protect it against unauthorised access, loss or interference.
When processing employee health data, employers may find the Information Commissioner’s Employment Practices Code useful, as it contains a section (Part 4) on information about workers’ health. This part of the Code is currently being updated to reflect the introduction of the GDPR/Data Protection Act 2018 (rather belatedly, it has to be said!) and the consultation process ends in January 2023. You can access the current draft here. If you would like further information about your data protection obligations as an employer, we can put you in touch with a member of our Data Privacy & Cybersecurity team.