Data Protection: The pitfalls of handling employee medical data

10 March 2017

Beware the Information Commissioner’s Office (ICO) which, particularly in recent months, has demonstrated its willingness to use its statutory Code of Practice, enshrined under section 52 of the Data Protection Act 1998 (DPA), to impose monetary penalties (of up to £500,000) on those organisations that fail to take appropriate measures to safeguard Medical Data (a type of Sensitive Personal Data).

On 11 August 2016, a GP practice (Regal Chambers Surgery)[1] that revealed confidential details about a woman and her family to her estranged ex-partner (following his subject access request for a medical report of his child) was fined £40,000 by the ICO because of the serious nature of the breach. The ICO noted that had the organisation been at fault (rather than the partners being individually liable), they would have expected to have issued a much larger fine[2].

Had the personal data been kept separate from the Medical Data contained in the record, this might have acted as a safeguard when the entrusted data controller was making the disclosure. The above case serves as a good example of the likely consequences of failing to ensure sufficient separation of different types of data, which can act as a safeguard against unauthorised disclosure.

Why is the Handling of Medical Data Problematic?

The ICO Code of Practice casts a very wide net when determining what constitutes Medical Data. It includes reference to all health conditions, physical or mental, and includes any expression of opinion about the individual by a medical practitioner (or a third party making reference to it in respect of the individual) as well as any indication of the intentions in respect of any recommended treatment (or the progress of it). Those diagnoses which carry a societal stigma, such as mental health, HIV, epilepsy and gender reassignment, must be considered the most sensitive, in that unlawful disclosure or other processing is likely to trigger even more substantial fines.

How to handle medical data

The ICO has advised that employers should ensure that they “keep sickness records containing details of a worker’s illness or medical condition separate from other less sensitive information”, as each falls within a different category of Data under the DPA, and so a different degree of stringency applies to each. The dates of any period of absence (or collection of absences) fall into the category of “Personal Data”, while the underlying reason for the absence falls within “Sensitive Personal Data”; keeping the two together runs the risk of unwittingly disseminating sensitive information.

The ICO suggests that “this can be done by keeping the sickness record in a sealed envelope or in a specially protected computer file. Only allow managers access to health information where they genuinely need it to carry out their job”.
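The separation the ICO describes can be modelled in a record-keeping system: absence dates live in the general HR record that managers see, and the underlying reason lives in a separate store that only roles with a genuine need can read, with every read audited. This is an added illustration written for this article, not code from the ICO or any HR product; the role names and sample records are constructed assumptions.

```python
"""Model of the ICO's advice: keep absence dates (Personal Data) apart from
the reason for absence (Sensitive Personal Data), and restrict who can read
the latter. Added example, not from the article; roles and data are made up."""
from dataclasses import dataclass
from datetime import date


@dataclass
class AbsenceRecord:
    """General HR record: who was absent and when. Deliberately has no
    'reason' field, so a manager's view cannot leak the medical detail."""
    employee_id: str
    start: date
    end: date


class MedicalStore:
    """Separate, 'specially protected' store for the reason behind an absence.
    Reads are allowed only for roles with a genuine need (assumed role names)
    and every attempt, permitted or refused, is written to an audit trail."""
    NEED_TO_KNOW = {"occupational_health", "hr_medical"}  # assumed roles

    def __init__(self):
        self._reasons = {}  # (employee_id, start date) -> reason text
        self.audit = []     # (role, employee_id, start, permitted)

    def record(self, employee_id, start, reason):
        self._reasons[(employee_id, start)] = reason

    def reason_for(self, requester_role, employee_id, start):
        permitted = requester_role in self.NEED_TO_KNOW
        self.audit.append((requester_role, employee_id, start, permitted))
        if not permitted:
            raise PermissionError(f"role {requester_role!r} has no need to know")
        return self._reasons.get((employee_id, start))


def absence_summary(records, employee_id):
    """What a line manager sees: periods and total days, never the reason."""
    periods, days = [], 0
    for r in records:
        if r.employee_id == employee_id:
            periods.append((r.start.isoformat(), r.end.isoformat()))
            days += (r.end - r.start).days + 1
    return {"employee_id": employee_id, "periods": periods, "days": days}


# Constructed sample data: one five-day absence and its separately held reason.
SAMPLE_START = date(2017, 1, 9)
RECORDS = [AbsenceRecord("E042", SAMPLE_START, date(2017, 1, 13))]
MEDICAL = MedicalStore()
MEDICAL.record("E042", SAMPLE_START, "(constructed) medical reason")
```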

However, in practice, this may not be so simple.

Firstly, modern technology presents its own problems. Medical Data can be created and shared using a broad range of different devices (such as desktops, laptops, tablets, mobiles etc), via corporate databases (such as SAP, Oracle, Microsoft) and can come in a variety of formats (such as letter, email, database entry, scan, picture, recording etc). Keeping track of ‘pools’ of health information can be costly and particularly problematic for SMEs. Moreover, digital data is usually archived or duplicated and backed up locally or in the cloud. This requires employers to be wholly aware of what data and copies of data they have, ensuring that only those with permission have access to it and that it is kept secure at all times.

There is also the issue of data accumulation, where Medical Data is not isolated from other, less sensitive data within the same packet of data. For example, emails present a big problem given the ICO’s wide definition of Sensitive Personal Data, the frequency and ease with which they can be created and shared with other employees directly or indirectly (creating further copies of the data), and the fact that an email may only make a passing reference to an employee’s Medical Data amongst other, less sensitive information that may need to be accessed regularly. In practice, complying with the law requires dedicated Data Controllers with responsibility for redacting Sensitive Personal Data from each email before it is stored or, at the very least, requiring any email or email chain containing such Medical Data to be stored separately.

Then there is the obligation on employers to keep track of what personal data they hold about every employee or ex-employee, ensuring compliance with the DPA from the moment they obtain the data until the time when the data has been returned, deleted or destroyed.

Finally, there is a real risk presented by “email chains”, which can give rise to an Employee Harassment claim and a wider discrimination claim, as well as breaches of the DPA, if the data contained within the email chain identifies an employee and falls within one of the protected characteristics under the Equality Act (age, disability, gender reassignment, race, religion or belief, sex or sexual orientation). Repeated inadvertent dissemination of the information, even within an organisation, could quickly intensify the seriousness of the Harassment claim and so increase the compensation likely to be awarded by an Employment Tribunal.


Employers, as Data Controllers, must ensure that any processing of personal data for which they are responsible complies with the DPA. Failure to do so risks enforcement action, including prosecution and compensation claims from individuals. Even greater care must be taken where the data contains Medical Data.


[1] Source:

[2] Source:

This article is for general awareness only and does not constitute legal or professional advice. The law may have changed since this page was first published.


© Copyright 2019 Sharpe Pritchard