Does the chief executive have the right to view sensitive personal data without an employee’s consent?
Posted in: Seamus Says - Employment Law Discussion on 9 April 2021
"Does the chief executive have the right to view sensitive personal data without an employee's consent even if they are the employee's line manager, for example, the nature of an illness?"
Seamus: Yeah, so this is a common occurrence that I would come across just in relation to my own practice and advices, and there can be that aspect where you have a chief executive of an organisation, maybe of a very strong chief executive of an organisation and maybe someone that likes control, likes the power of it and can be very demanding in relation to things that they want to oversee, documents that they want to see, and if there's absence that they may be asking very straightforward questions of why is the person absent and what is the issue relating to that. So, I mean, there's a balance here to be got but, really, this is a question for me relating to . . . it covers GDPR and data protection and also one of justification. And if you look at the Information Commissioner's Office guidance in relation to personal data on an employment space that generally only the employee or their direct line manager and the HR staff, the person that is controlling the information should be able to access an employee's personal records or their personnel records and, you know, obviously, that may include very sensitive data. It could include medical information, and it could include medical reports or doctor fit notes and things like that as well.
And I think if the chief executive is the employee's direct line manager, then it would be appropriate for them to be aware of the personal data, specifically if someone was off on sick leave and there were reasons being presented for the absence, I think the line manager is entitled to know that. If you think of the duties and responsibilities of the line manager and it is to ensure that there is appropriate staff there to do the job and, you know, that the absence has to be managed in relation to how long the person is going to be absent for, you know, what is the recovery period, you know, because the holes and the gaps are going to have to be minded while the absence is ongoing. If it's going to be long-term, does the organisation need to bring in an alternative member of staff? So it's important that the right person is aware of the information.
That does not necessarily mean that the chief executive of an organisation is automatically entitled to sensitive and personal data about another employee. And there are various, you know, circumstances where I could say that the chief executive would be entitled to the information and, again, it comes down to the aspect of justification. And I'm thinking of matters if the chief executive, you know, very high up in the chain of command and if it was a third-party organisation, you've potentially got a board of the chief executive, but the position would be or a board of directors, but the position would be that maybe the chief executive is tasked with dealing with disciplinary or grievance matters or perhaps the appeal relating to those matters and it would be a matter for the chief executive and it may be requesting to see personal information and sensitive information and medical records particularly if there's around issues relating to grievance . . . or sorry, absence and things like that.
I can certainly see the chief executive being able to access that. The chief executive may also be the data controller for the organisation and may as part of that role, you know, be in control or be entitled to see the documentation, but I think that the important point here is that it should always be justified, and it's also important to remember that we come down to an employee's rights under The Data Protection Act or under GDPR that the employee has a right to be told what records are being kept and how they're being used and that may include information about who has access to those records.
The employee is entitled to know, you know, if it's their records and what the confidentiality aspect is of those records and how those records are going to be held, you know, when it comes to training and development of work. So, you know, if the employee asks those questions, the employee is entitled to know who's going to have access to my information, and it's important that the information has been treated on a confidential basis.
I think it's just also worthwhile pointing out that, again, if an employee asks to find out what data is kept on them, they're entitled to know that information and the employer will have the 30 days to provide a copy of the information if it is requested. I always caveat this, Scott, and I know that we've said this previously, but an employer shouldn't keep any data for longer than is necessary and they should follow their data protection policy and procedure that they have in place.
The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.