last updated: 02/05/2018 @ 8:33 am

Guidance on the General Data Protection Regulation


The following guidance is general and therefore needs to be considered alongside any additional duties of confidentiality that arise from common law in relation to health information and duties that health care practitioners have defined by their professional bodies.

Practitioners should be aware that this guidance is general in nature and that each organisation should obtain its own guidance, either from specialist practitioners or from the Information Commissioner. In addition, as the law is still developing, FOM does not accept legal responsibility for this guidance, which may need to be updated in due course.

We remain immensely grateful to Diana Kloss for drafting this general guidance and for her continued support of FOM. Dr Steve Boorman, Chair of FOM’s Ethics Committee, has been consulted in its preparation.


The General Data Protection Regulation comes into force throughout the European Union, including the UK, on 25 May 2018. It is planned that at the same time a new Data Protection Act 2018 (currently a Bill) will come into force, ensuring that the GDPR will remain the law of the UK after Brexit. The Data Protection Act 1998 will cease to be law on that date. The Information Commissioner is charged with enforcement of the new laws and continues to publish helpful advice and guidance on her website to which reference should be made (www.ico.org.uk).

The GDPR regulates the processing of personal data, defined as any information relating to an identified or identifiable natural person, the data subject. It does not apply to information that is completely anonymised, nor to information about dead people. It applies both to data processed wholly or partly by automated means and to manual data which form part of a filing system, that is files structured according to specific criteria. Medical records held manually and filed by the name of the patient and structured according to date within each file are likely to be covered by the GDPR.

The Regulation imposes duties on data controllers and data processors. The controller is the person or organisation that determines the purposes and means of the processing of personal data. The term processing covers virtually everything that can be done with data, including collection, recording, storage, disclosure by transmission, erasure and destruction. Since OH professionals have a legal and ethical duty not to disclose confidential patient information to management without consent, both in-house OH departments and independent OH providers should be designated controllers of patient information. The processor is the person or organisation which processes personal data on behalf of the controller. There must be a written contract between controller and processor that stipulates that the processor processes data only on documented instructions from the controller and ensures that persons authorised to process the personal data have committed themselves to confidentiality.

OH professionals are likely to process personal data relating to patients who have been referred to them by managers and also data relating to employees of the OH provider. Different procedures apply to each separate function. Public authorities, such as local authorities, government departments, NHS Trusts, universities and police and fire services, and large private sector occupational health providers, must appoint a Data Protection Officer whose primary functions are to inform and advise the controller or processor of their obligations and to monitor compliance.

Most of the questions submitted to the Faculty have related to the interface between the GDPR and the ethical duties of OH professionals and this guidance therefore concentrates on that area. Practitioners should be aware that it is general in nature and that each organisation should obtain its own guidance, either from specialist practitioners or from the Information Commissioner. In addition, as the law is still developing, the Faculty does not accept legal responsibility for this guidance, which may need to be updated in due course.

The data protection principles

These are very similar to those in the Data Protection Act 1998 but have been reduced to six in number. The controller is responsible for, and must be able to demonstrate compliance with, the principles.

The first data protection principle is that personal data shall be processed lawfully, fairly and in a transparent manner.

It is a common misapprehension that data protection legislation is the only law that regulates the processing of information. In fact the controller needs to observe many other laws, including the common law of confidentiality, the Human Rights Act 1998, the law of defamation, the criminal law under the Computer Misuse Act 1990 and the Access to Medical Reports Act 1988.

As far as compliance with the GDPR goes, the controller must prove that they have a lawful basis for processing data under Article 6, which applies to personal data of all kinds. Where the data are special category (sensitive) they must also find a lawful basis under Article 9. Special category data are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, data concerning health and data concerning a natural person’s sex life or sexual orientation. OH providers are likely to be processing special category data and must therefore comply with both Article 6 and Article 9.

Should OH use consent as a lawful basis?

Consent is potentially a lawful basis under both Article 6 and Article 9, but health professionals are advised to justify their processing by another lawful basis. This is because the definition of consent in the GDPR is different from the definition of consent at common law and in the ethical rules of the health professions. Health professionals must continue to observe the common law of consent and confidentiality and the guidance of, for example, the General Medical Council, but are well advised to find a different justification under the GDPR.

Consent is defined in the GDPR as any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. There is no requirement in the GDPR that consent be given in writing. Recital 43 (official guidance) says that, in order to ensure that consent is freely given, consent should not provide a valid legal ground for processing where there is a clear imbalance between the data subject and the controller. The employment relationship is one of imbalance. Employees are not completely free to refuse to be referred to OH or to allow OH to report, since if they withhold consent the employer can act to their detriment without medical advice.

In addition, in medical practice health professionals use implied consent as a justification for sharing information among members of a team on a need-to-know basis. Implied consent does not satisfy the GDPR but it is valid under common law. It would be virtually impossible in practice in a health care setting for explicit consent to be obtained from patients for their information to be disclosed to each individual health care worker with whom they came into contact; therefore the Information Commissioner advises that consent should not be used as a justification under the GDPR.

What lawful bases should OH choose?

Advice generally given is that public authorities like NHS Trusts should use Article 6(1)(e): processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Private sector OH providers should use Article 6(1)(f): processing is necessary for the purposes of the legitimate interests pursued by the controller or a third party. The latter justification cannot be used by public authorities in the performance of their duties.

Where health data are being processed, OH providers both in the public and private sectors are advised to use Article 9(2)(h): “processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems or services…”. But note that this paragraph can only be used by someone with a professional duty of secrecy or with an equivalent duty, like a medical secretary.

If OH uses these justifications, the ethical guidance of the GMC and the Faculty will not need to change: the well-established ethical and common law obligation to obtain informed consent (except in the public interest or where there is a legal obligation to disclose, e.g. where there is a court order) will continue to apply, and the GDPR rules on consent need not be adopted. For example, the current FOM guidance that on the appointment of a new OH provider the employer need only inform the workforce that OH records will be transferred unless they notify the employer that they object (opt out) will remain valid.

Employers, including OH providers, also collect health data in the course of, for example, assessing employees’ fitness for work, entitlement to sick pay and holiday pay, and complying with their duties under health and safety legislation and also the Employment Rights Act and the Equality Act. Employers are advised to use Article 9(2)(b) as a lawful basis: processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment or social security or social protection law. The employer should create a policy for dealing with these issues.

The third data protection principle is that personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.

In OH practice it is important that health questions be relevant to the job. This is especially important when drafting pre-placement health questionnaires.

The fifth data protection principle is that personal data should be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

OH records should be deleted when they are redundant. There is no strict legal rule about how long records should be kept, but current guidance from the Information Governance Alliance/Department of Health is for the period of the person’s employment plus six years or until his 75th birthday, whichever is the sooner. Where a job applicant has not been appointed it is good advice to keep records for at least a year in case there is a legal claim. Records used for research or statistical purposes can be kept indefinitely. Where an OH physician is acting as an external adviser and may only see the patient once, for example in connection with a pension application, records should be kept for a minimum of six years, the limitation period for breach of contract. If the case may potentially give rise to a legal claim they may be kept for longer. The point is that you must have a reason for retention.

Records of statutory health surveillance are in a special category. There are a number of regulations which impose a duty on employers to institute regular health checks of employees exposed to particular hazards where it may be possible to detect adverse effects before serious damage is done. Examples particularly relevant to OH are the Control of Substances Hazardous to Health (COSHH) Regulations, the Control of Vibration at Work Regulations, the Control of Noise at Work Regulations, the Control of Lead at Work Regulations, the Control of Asbestos Regulations and the Ionising Radiations Regulations. All these regulations follow a similar pattern. The employer must create a basic health record with the following details: employee’s name and address and National Insurance number, substance/process they are exposed to and when, surveillance that has been done on them and the name of the tester, and the outcome, e.g. fit/unfit/fit with adjustments. This health record is not confidential to OH and can be kept by management. The detailed clinical records with the results of the tests and other clinical information should be kept separate in the confidential OH record and not disclosed without consent. The health record should be kept for 40 years (30 years in the case of ionising radiations), but the clinical records do not need to be retained as long as that unless there is, exceptionally, a special reason for doing so.

The rights of the data subject

The data subject has the right to information; therefore the OH provider must audit its collection, holding and disclosure of personal data and review current leaflets and intranet entries. Data subjects need to be told what personal data are being collected about them, the name and contact details of the controller and Data Protection Officer, the legal basis for collecting and holding those data under Articles 6 and 9, if the legal justification is legitimate interest what that legitimate interest is, to whom the data may be disclosed and in what circumstances, how long data will be kept and their rights, for example to subject access and to complain to the Information Commissioner. All this should be incorporated in a privacy notice which should be expressed in clear and unambiguous language. Further information is available from the Information Commissioner’s website.

Subject access

The right of the data subject to know what information is being held about him and to ask for a copy is retained and strengthened by the GDPR. Where a request is made after 25 May the controller of OH records will not be permitted to charge for providing a copy of personal data and will have a month rather than 40 days to comply with a subject access request. There are exceptions where the subject makes excessive requests or asks for more than one copy, where a reasonable fee can be charged. If retrieving data is particularly onerous the controller can ask for an extension of the time for providing access, up to three months.

The existing exemptions where access would damage the subject’s physical or mental health or that of another person, or where it would reveal the identity of a third party who does not consent to be identified (unless he unreasonably refuses consent), are preserved.

The right to erasure

The data subject has the right to obtain from the controller the rectification of inaccurate personal data and the erasure of personal data (‘the right to be forgotten’) where they are no longer necessary, if the processing is based on consent where consent has been withdrawn (another reason for not using consent as a lawful basis), where the controller bases the processing on Article 6(1)(e) or (f) but does not have legitimate grounds for processing the data, or where the data have been unlawfully processed. In the case of OH records practitioners should always be ready to correct errors of fact. It may also be necessary to add a supplementary statement clarifying or adding to the records so that they are completely accurate. Where the patient disagrees with a diagnosis the Information Commissioner advises that as long as that was the health professional’s opinion at the relevant time it is not inaccurate, even if it is later shown to be mistaken. It is necessary to preserve the record in order to explain what was done thereafter. A statement explaining that it is now found to be incorrect and adding the new diagnosis, if any, should be attached to the record.

There are several exceptions to the right to be forgotten. Information can be retained against the data subject’s wishes if processing is necessary for exercising the right of freedom of expression and information; where processing is necessary to comply with a legal obligation or in the public interest; where there are reasons of public interest in the area of public health in accordance with points (h) and (i) of Article 9(2) and (3); for historical research, scientific or statistical purposes; or for the establishment, exercise or defence of legal claims. It is submitted that in OH practice, and in fact in medical practice in general, confidential records should as a general rule not be deleted at the will of the patient, because they fall within Article 9(2)(h) (see above) and also because they may be needed to defend the health professional or the employer if a claim is made, just as health professionals should not delete records which demonstrate that they are at fault. Where an OH report has not been sent to a manager because the worker has not consented to it, the report should be retained in the confidential OH record but marked ‘not to be disclosed to management’.