How to handle your (ex-)employees’ health data. The BDPA provides new guidelines regarding managers’ communication

Belgium

An employee is leaving your company. As a manager, you announce in the employee’s absence his/her departure to your team during a meeting. Such communication needs to be conducted intelligently to defuse any tensions that may arise. But what should you say? How transparent should you be? Does he/she have a serious illness? In its decision of 19 July 2022, available in French, the Belgian Data Protection Authority (“BDPA”) has issued a reminder of the limits attached to such communication. We have set out below a summary of this decision and provided some data protection and employment law-related tips and tricks on effective communication in case of the departure of an employee.

Background

The complaint concerns the processing of health data of an ex-employee. In his/her complaint, the employee criticised the disclosure of personal data relating to his/her health by his/her manager during a departmental meeting at which the employee was not present.

When contacted by telephone by some of his/her colleagues, the employee realised that, during a departmental meeting, the manager announced his/her departure and read the document issued by the External Service for Prevention and Protection at Work (Cohezio) stating that he/she was unfit to carry on working.

This information (the fact that the employee was the subject of a report by Cohezio and that he/she was declared unfit to work and would no longer be working for the company) was also recorded in the minutes of the meeting and sent by email to 17 members of the department. It was also available to be viewed on the server by other staff members, including staff in other departments. The employee’s medical diagnosis was however not in the possession of the manager.

Can “unfit for work” be considered as health data?

This terminology (“unfit for work”) is taken from the Belgian Civil Service Code (“inaptitude” in French). According to the BDPA, it constitutes data relating to the complainant’s health within the meaning of the GDPR. Health data indeed has a very broad definition under this regulation.

The BDPA also specifies that the information stating that the complainant has been declared unfit for work by professionals (whose responsibility is precisely to assess the capacity of workers to perform their duties) does not reveal the complainant’s physical or mental health condition. This information of unfitness nevertheless reveals information relating to the complainant’s state of health and must therefore be considered as personal data relating to his/her health within the meaning of the GDPR. In the same vein, information concerning the complainant’s long absence and the fact that he/she was the subject of a Cohezio report also constitute data relating to his/her health.

Are oral communications caught by the GDPR?

The BDPA’s inspection service recalled that a complaint will be declared inadmissible (and the case will be dismissed) if it is only based on oral transmission of personal information that does not originate from a database or a file and is not intended to be stored in such a database or file.

In this case, the information was revealed not only through oral communication at the departmental meeting, but was also recorded in the minutes of the meeting and sent to 17 people by email. Considering these aspects, the BDPA considered that it was competent and that the GDPR was applicable.

What is the legal basis for processing health data?

A controller must have a lawful basis for processing personal data.

When it comes to processing special categories of data such as health data, it is important to recall that the processing will be lawful (under Article 6) only if Article 9(2) provides for a specific derogation from the general prohibition on processing special categories of data. In other words, when a controller processes data within the meaning of Article 9 of the GDPR, it must identify both a lawful basis under Article 6 and a separate condition for processing under Article 9. In addition, all processing of health data must comply with the data protection principles of the GDPR (Article 5) and with the specific national requirements of the Belgian Privacy Act (Article 9).

In this case, the BDPA was of the opinion that the disclosure of the employee’s (health) data could not be based on any lawful basis for the following reasons:

  • The employee did not give consent either to share his/her health data with other employees or to record the matter in the minutes of the meeting.
  • The subsequent communication was incompatible with the initial purpose, which was to receive the information and for the human resources department to process it for the purposes of personnel management.
  • Said communication to other staff members and its recording in the minutes could not be qualified as a necessary obligation of the employer.
  • Finally, the principle of data minimisation was not respected, because the employer could have simply announced the employee’s departure without stating the reason.

Tips and tricks on effective communication for the departure of an employee

  • Limit the communication to what’s strictly necessary (e.g. practical information).
  • Do not communicate the reason for the dismissal of an employee to other employees. To respect the data minimisation principle, it is better to just announce that the employee no longer works for the company, rather than also give the reason.
  • Do not communicate any personal information about the ex-employee or the circumstances of his/her departure without his/her approval. In any case, you can only reveal the employee’s health data to others after he/she has given explicit consent to do so.
  • Ideally, agree with the employee beforehand on how the departure will be communicated to the other team members/employees.
  • Be aware that every negative communication about an employee’s dismissal could be a legitimate basis for the employee to claim compensation.
  • Make sure that the departure communication is within the reasonable expectations of your employee. The information (especially when it is sensitive) should only be communicated to those who have a functional need to know it.
  • Record the information about the health data in the minutes of a meeting only when it is necessary for complying with your employer obligations.

For more information on cybersecurity, contact your usual CMS adviser or local CMS experts.