In this question-and-answer based article, Deirdre Crowley answers queries raised by many delegates following the Legal Island Annual Review conferences. This article is required reading for any HR or legal professional drafting an HR retention policy.
Question 1 – Is it lawful to store medical records for employment purposes?
Yes. Section 46 of the Data Protection Acts 1988-2018 specifically provides a legal basis for the processing (which includes storage) of medical data (and special categories of data generally) in employment situations:
“Subject to suitable and specific measures being taken to safeguard the fundamental rights and freedoms of data subjects, the processing of special categories of personal data shall be lawful where the processing is necessary for the purposes of exercising or performing any right or obligation which is conferred or imposed by law on the controller or the data subject in connection with employment or social welfare law.”
Retention policies regarding the storage of medical records are key and should use language that provides organisations with reasonable discretion in relation to processing and retaining such records as are necessary, while balancing this need with the rights and freedoms of the data subjects/employees.
Question 2 – How long can I store medical records for?
There is no specific provision either in the Data Protection Acts 1988-2018 or in the GDPR that provides a specific retention period for medical records.
It is clear from the wording in Section 46 of the Data Protection Acts 1988-2018 that a test should be carried out to weigh up the need to retain special category data such as medical data by an employer with the fundamental rights and freedoms of the employee data subject.
The analysis undertaken should expressly state the purpose for which the data was procured, the necessity for processing the data and the reason why the processing of the data is necessary in order for the employer to exercise or perform any right or obligation conferred on them by law. It is also very useful to consider whether an employer would be prejudiced in the event that the data was not processed or retained. If, for example, an employer has formed a reasonable view that conflict or litigation is likely with the employee, it is arguable that an employer would be prejudiced in the event that they did not have the relevant data to allow them to defend an action brought against them. This type of rationale can be developed to a point where, if the facts allow, an employer retains medical information for up to a total of three years post termination of employment, to cover the statute period for both the issuance and service of personal injury proceedings as well as, of course, any Workplace Relations Commission proceedings.
Question 3 – Is medical information always disclosed to a data subject in the event of a data subject access request?
A question we are often asked is whether medical records are to be disclosed in a data subject access request if they are stored in a location that is different to the personnel file.
From a data protection point of view, the location of personal data makes no difference in the event of a data subject access request. If the data meets the definition of personal data and is not subject to legal privilege, it is likely to be disclosable to an employee in the event of an employee subject access request.
Question 4 – Should medical data be stored separately from the personnel file?
The two important pillars of compliance within the GDPR relate to accountability and security. As medical data is a special category of data which automatically attracts a high-risk status under the GDPR, it is prudent to have optimum security in place in respect of the processing of this data. We recommend that, where it is practicable for an employer, medical information is stored separately from the personnel file and that it is subject to authorised and secure access only.
Question 5 – Where can I find the legislative provisions that specify retention periods for employee personal data or other guidance where a legislative provision does not exist?
- Wages (including payslips) – 3 years in accordance with section 22 of the National Minimum Wage Act 2000
- Employment of minors (under 18s) – 3 years in accordance with section 15 of the Protection of Young Persons (Employment) Act 1996
- Hours worked – 3 years in accordance with section 25 of the Organisation of Working Time Act 1997
- Collective redundancies – 3 years in accordance with section 18 of the Protection of Employment Acts 1977-2007
- Records of parental/paternity/force majeure/maternity/adoptive/carer’s leave – 8 years in accordance with section 27 of the Parental Leave Acts 1998-2006, section 17 of the Parental Leave and Benefit Act 2016 and section 31 of the Carer’s Leave Act 2001
- Tax records (not in respect of an open Revenue case) – 6 years in accordance with the Companies Acts and Taxes Consolidation Act 1997
- Health and safety records – 10 years from the date of the incident in accordance with section 60 of the Safety, Health and Welfare at Work (General Application) Regulations 1993
- Contracts of employment – 7 years post termination of the contract in light of the 6 year limitation period and 12 month timeline for the service of breach of contract proceedings.
- Personal injuries – 3 years from the date of the injury (subject to health and safety incidents which may necessitate a 10 year retention period) in line with the 2 year limitation period and 12 month timeline for the service of personal injury proceedings.
- Invoked and expunged disciplinary records – in accordance with the employee handbook/disciplinary policy, such retention periods to be appropriate and fit for purpose
- Training records – 7 years post termination of the contract, in line with the 6 year limitation period and the 12 month timeline for the service of breach of contract proceedings. (In the case of training records which are relevant to a health and safety incident or workplace accident, these records should be retained for 10 years from the date of the incident/accident in accordance with section 60 of the Safety, Health and Welfare at Work (General Application) Regulations 1993.)
- Garda Vetting outcomes/disclosures – 1 year from the date of receipt (unless exceptional circumstances exist). The reference number and date of disclosure should be retained on file, which can be checked with An Garda Síochána in the future if necessary. This is based on the Data Protection Commission’s recommendations.
Question 6 – Do you think in time employees who intentionally commit serious breaches should face criminal conviction?
This has already happened. In January 2018, a civil servant based in the Department of Employment Affairs and Social Protection was sentenced to two years in prison with the final year suspended for selling personal details of hundreds of people to two private investigators. This case involved separate investigations by An Garda Síochána and the Data Protection Commissioner.
Assistant Data Protection Commissioner, Tony Delaney, commented as follows:
“Today’s court outcome should serve as a very clear warning to employees in all sectors against snooping through, or disclosing to, unauthorised third parties personal data that may be at their disposal in their workplace for the performance of their duties.”
Had this issue happened after the GDPR had taken effect, the Department of Employment Affairs and Social Protection would potentially have faced a fine of up to €1,000,000, an extensive investigation and audit and potentially civil legal actions from the data subjects for material or non-material losses due to the serious privacy breaches committed by the civil servant in question. Ultimately, this issue could have cost the Department of Employment Affairs and Social Protection millions of euro and accrued serious unwelcome additional reputational damage for the Department.
Question 7 – There has been UK case law outlining that an employee is entitled to a “description” of data, and not necessarily a copy of the data itself. Irish legislation on the right of access pre and post GDPR also uses the word “description”. Can employers limit a response to an employee subject access request to simply describing what data they hold as opposed to providing copies?
In Ireland, the GDPR applies by default and further rules are set out in the Data Protection Act 2018.
Article 15 of the GDPR deals with the right of access by data subjects and at Article 15(3) specifically provides that “The controller shall provide a copy of the personal data undergoing processing.”
Section 91 of the Data Protection Act 2018 does refer to a right of access to a “description” of data held. However, this section of the Act is contained at Part 5 of the Act which is specific to the Processing of Personal Data for Law Enforcement Purposes only.
An Employer’s Guide to Workplace Inspections, Workplace Relations Commission, September 2018
It is interesting for employers to note that in the Employer’s Guide to Workplace Inspections, the WRC refers generally to the retention of records for 3 years.
Our view is that this refers to the statutory retention period of data as distinct from the non-statutory retention of HR related data such as grievance and disciplinary records.
Our recommendation to employers when considering the appropriate timeframes for the retention of non-statutory employment related data is to consider each type of data processing activity on a case by case basis.
An organisation policy will be key to determining a reasonable retention period in the case of non-statutory HR related data. For example, if your organisation’s disciplinary policy provides that a disciplinary sanction expires after one year and it is then expunged from the personnel file, an analysis needs to be undertaken by the organisation to properly classify the expunged data and to determine whether that data should be permanently deleted or retained for a particular objectively justifiable purpose.
When drafting retention policies and privacy policies or notices generally, we suggest that organisations should expressly reserve their discretion to retain and process personal data for so long as it is necessary and/or in line with legal and statutory obligations.
For further information on any issue raised in this article please contact the team at Crowley Solicitors at 021 428 9560 or at firstname.lastname@example.org.
Disclaimer: This article is intended to be a high level overview of the retention period of commonly processed data within the HR field. Depending on the sector involved, the employer may have additional statutory and privacy obligations in relation to the retention of data not covered in this article. Legal advice should be sought by each employer on a case by case basis.