OH Reports

Posted in : Supplementary Articles NI on 23 September 2020 Issues covered: Confidentiality, OH report, data protection.

One issue that keeps cropping up for us is the question confidentiality and the sharing of occupational health reports by our in-house occupational health advisors of the organisation. Currently, OH will not release an OH report to the organisation without the consent of the employee. Where the consent is sought, OH will only share the report with named individuals rather than the organisation. This means that they'd be expected to provide the individual names of all those involved in handling sickness, absence-related grievances, appeals, etc., which would mean going back the employee's consent at different stages of the process.

So under GDPR, that the organisation would be the data controller in this instance, and the organisation requests or commissioned the report. And it's the responsibility of the organisation to ensure that the report is handled in line with GDPR regulations and special category data. Therefore, it follow that when dealing with sickness absence related grievances, is it okay for the organisation to take responsibility for providing that data to the relevant parties involved in the grievance? The problem is that OH abide by GMC regulations, which apparently requires more specific consent. In addition, I understand that the consent in itself is not in itself sufficient as a sufficient reason for sharing this information. Would this fall under the legal reason for sharing data?


Dr McCrea: Well, I'll defer to my colleague about the data aspect, Peter, of the legal but I touched on this at the start and I'll just go back over it again. And this is this is a common concern. And, first of all, I think let's be pragmatic about it. And I think GDPR has probably introduced a number of additional layers of confusion and concern and even paranoia I have to say. I think that if we go back to fundamentals, the information that one obtains during the course of an occupational consultation is category one, the most sensitive medical information. Absolutely. So the employee is the owner of the information is the person who needs to give consent to its release. And that consent has to be informed and by informed they've got to know what's going to happen to that information.

Then what I do in every single consultation I take place I explain this to the individual at the start and I explain to them that if they tell me anything during the consultation that they either wish to keep confidential or do not wish their employer to know, I will keep it absolutely confidential. And that gives them reassurance that pretty sensitive information won't be put in a report that may be seen by a number of people. To be fair, in a lot of cases the employer doesn't need to know what level of sensitive information. The employer needs to know what's the matter? What's the cause? Where are we at? What's happening? Can we get them back to work? Do we need to put adjustments in? What's the outlook? Etc. Etc.

So the sensitivity of the information itself isn't necessarily that relevant, but it's the employee that, I know that you're going to send my report to X, Y and Z or X, Y, Z, A, B, and C, and I agree to it, and GDPR, all the consent rules are met. BMC is okay. The patient, the client, the employee has consented and has been informed consent. In other words, they understand what they're consenting to. I have never had an issue with that. There is a fallback where you can often advise people, but they can see the report before it goes to the employer. But in the vast majority of cases, they are reassured by it.

Some of my colleagues who do remote consultations suggest that as part of the remote consultation, you should complete your report, hang up on the telephone call or video call, do your report, then contact the employee again, read through your report so they understand what's going to the employer and then get their, as it were, subsidiary consent to its release. Certainly, something that you can do.

But simply as long as the employee understands where the report is going and is agreeable to it, that's all that needs to happen. I think the occupational health provider is probably being slightly unduly cautious. As I said at the start of my talk, we have a number of customers where we send the report to an HR inbox or to a HR advisors dot at the employee. And we know that it's going into a human resource generalised inbox that can be accessed by a number of HR professionals who are allowed to access that. And the vast majority of cases, I don't think I've ever had an employee who said no. Normally, the GMC will advise you to send the report to the person who made the referral. We call it the referrer. But that referrer can be an organisation.

So within reason, we would send it to a group of people in the organisation who would exercise the appropriate discretion in the subsequent dissemination of the information. So I think your occupational health provider is probably being unduly cautious and unnecessarily restrictive and I think you just need to go back to them and tease this out.

Louise: Yeah, I would, I would certainly agree with Dr Phil there. I think from a GMC perspective, I'm not really an expert in that area at all. But the OH assessor is not the treating physician. And from a data protection perspective, of course, the employee must consent to the release of the report. But the release does not need to be limited, in my view to individually named members of staff. I have encountered fairly reasonable requests that it would not be released to someone who is the subject of a grievance that the employee has raised perhaps which is understandable and common sense. And I suppose the other issue that I very much encounter in practice, and I suppose is important maybe to flag it at this time would be in terms of the referral.

The referral is the personal data of the employee. And there are a number of employers out there who seem to be perhaps under the illusion that they don't have to share that with the employee and it's quite frustrating because the employee can be very anxious as to why they're being assessed, do they understand why they're being assessed. And I certainly would encourage all employers to share the referral in advance of the assessment because it is the personal data of the individual. And they're going in with their eyes wide open as to the reason for their assessment.

This article is correct at 23/09/2020

The information in this article is provided as part of Legal-Island's Employment Law Hub. We regret we are not able to respond to requests for specific legal or HR queries and recommend that professional advice is obtained before relying on information supplied anywhere within this article.