GDPR and occupational health

What is GDPR?

With all the angst surrounding the advent of GDPR, it’s a wonder these new European Union privacy regulations aren’t expressed as GD#*&%^@PR!

However, GD followed by PR need not be part of a string of negative epithets. According to the GDPR website, “the EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”

GDPR goes into effect on May 25, 2018, and that pending deadline coupled with potentially crippling fines for non-compliance and a fair degree of uncertainty about the regulations and their application has some global organizations on edge. Our clients operating in the EU are working through GDPR and what impact it may have on the provision of employee health services. We have been doing our homework on GDPR and occupational health to help our clients prepare.

Who's who in the GDPR zoo?

The GDPR legislative process involves multiple authoritative and advisory bodies, including the European Commission, the European Parliament, and the Council of Ministers of the European Union. The regulations themselves define several important roles, including:

• Data controllers — these are the entities that determine the conditions, purposes and means of the processing of personal data (in our case, our clients).
• Data processors — the entities which process personal data on behalf of the controller (which is our organization when we host/process data for our clients). Note that data processors take their marching orders from data controllers. 
• Data subjects — the identified or identifiable natural person(s) GDPR was designed to protect (in other words, people). 

What is Enterprise Health doing as a processor?

We have been preparing for our role as a processor, addressing:

• Appropriate policies and procedures
• Hosting environment options to support GDPR data protection guidelines
• Product enhancements to help satisfy data subject rights and data controller requirements
• Enterprise Health is prepared to collaborate with its clients operating in the EU to help them in their role as data controllers.

We provide occupational health services to our EU employees, how does this affect us?.

Article 9 of the GDPR states: “Processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.”

Before you panic and wonder how you are going to provide health services to your employees without the aid of technology, take solace in the knowledge this paragraph does not apply in certain situations, including:

• “the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;”
• “processing is necessary for the purpose of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health and social care systems or pursuant to contract with a health professional and subject to the conditions and safeguards in paragraph 3;”

This would seem to indicate that processing data for occupational health purposes is fine, as long as explicit consent is granted. However, additional guidance appears to indicate that as the relationship between an employee and an employer is unequal, consent is not necessarily required or appropriate. Since the data subject (the employee) does not have control or the freedom to give or revoke consent in an employment context, and data processing is necessary for occupational health purposes, the need for consent may not apply. We anticipate some lively discussions with our clients about how to interpret and respond here.

Does this mean European employers using health information technology to process occupational health information can breathe a huge sigh of GDPR relief? Not so fast.

What do we need to do to protect employee data?

The GDPR includes some important concepts about data protection, including data protection by design and by default. Article 32 of the GDPR states “the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: the pseudonymization and encryption of personal data;”

While the GDPR does not explicitly require pseudonymization or encryption, given the potential fines for non-compliance our clients are taking a hard look at these “suggested” measures. Due to the nature of the employee health data that is collected and processed in an occupational health context, pseudonymization is challenging to say the least. We believe encryption of data at rest is a superior alternative, and we have developed several hosting environment options for our clients to consider.