
The Belgian national data protection authority (DPA) has recently reprimanded a public employer following a complaint, filed by a dismissed employee, for a breach of GDPR rules concerning the processing of personal health information.
During an internal meeting of HR staff, the dismissal of the employee in question was discussed without the employee herself being present. During the meeting, a service manager read out a document provided by an external service for prevention and protection at work. This document stated that the employee had been absent for several weeks and that she had later been declared indefinitely incapacitated for work by the company doctor. These facts were included in the minutes of the meeting, which were sent to all employees of the department, regardless of whether they had attended the meeting, and were moreover posted on the public authority’s intranet, where employees of other departments could access them.
The employee discovered the above after her colleagues asked her questions about the disclosed information. She first filed a complaint on the basis of the verbal statements made during the meeting, but this was rejected, as oral statements do not fall within the scope of the GDPR. However, when she based her complaint on the minutes of the meeting and their availability on the public authority’s server, the complaint was deemed admissible.
The employee objected to personal information concerning her health being disclosed to all employees as the reason for her dismissal, as well as to the inclusion of this information in the minutes and the availability of these minutes on the server. The complaint was directed against her supervisor, the service manager, but the DPA reasoned that the entity bearing final responsibility is in almost all cases the employer itself, and extended the complaint to include the public authority.
The DPA stated that informing staff of personnel changes in writing is still allowed, but that such communication must remain limited to the fact that the employee is no longer employed by the organisation. Furthermore, communicating an employee’s sensitive health data to employees other than those whose job requires them to know it (the HR staff), and including this data in the minutes, requires a specific separate legal basis to qualify as lawful processing, as provided in art. 9.2 GDPR. The DPA found that the processing of health data in the manner concerned could not be based on any of the grounds of art. 9.2 GDPR. It therefore concluded that the public authority had committed a GDPR violation.
The DPA sanctioned the employer with a reprimand, as it does not have the competence to impose a fine on public authorities, and urged the public authority to educate its staff and to take the necessary measures to rectify the current situation.
Key Action Points for Human Resources and In-house Counsel
- Informing staff of personnel changes based on personal information is still allowed; written statements should, however, be limited to factual data (see also: GBA 63/2021, 1 July 2021).
- When processing special (sensitive) categories of personal data (such as data on health, but also data on race, ethnic origin, political beliefs, religious beliefs, trade union membership, biometric data, and sexual behaviour and identity), make sure one of the bases of art. 9.2 GDPR applies for the processing to be considered lawful.
- Keep in mind the purpose for which the data processing takes place, and ensure that only qualified employees can access this data.