
Data Protection Commission

Case Study 1

Employment matters – claim of legal privilege and access to medical data in the workplace

An employee of a major national company had been requested to attend a doctor nominated by the employer in the context of his on-going sick leave. His employment was subsequently terminated and he made an access request under section 4 of the Data Protection Acts for a copy of the medical report. The company refused him access on the grounds that the employee had initiated legal proceedings against the company and that the report was privileged and that it did not have to be released as section 5(1)(g) applied. This section provides that the right of access under section 4 of the Acts does not apply to personal data:

"(g) in respect of which a claim of privilege could be maintained in proceedings in a Court in relation to communications between a client and his professional legal advisers or between those advisers."

I pointed out that there are two main categories of legal professional privilege recognised by Irish Courts:

• Confidential communications between a person and his lawyer seeking or giving legal advice and documents created by either party to provide or to obtain such advice are privileged.

• Documents created by either lawyer or client in anticipation or furtherance of litigation are also privileged. Therefore, communications between a person and his lawyer which provide legal advice or assistance and documents created to obtain or produce such advice or assistance are privileged if given or created in anticipation or furtherance of litigation.

In deciding whether privilege could be claimed, I considered the purpose of the referral to the doctor and specifically whether it was in anticipation of legal proceedings or to obtain legal advice or whether the purpose was to determine fitness for work.

The complainant stated that he had been requested by letter to attend the doctor to have his condition assessed due to his on-going sick leave – no reference was made to attendance being requested in connection with any court proceedings. The company however sought to claim to my Office that the report had been sought on legal advice and in anticipation of possible future legal proceedings. I found that while there may indeed have been a possibility of legal proceedings in relation to other matters, the first formal notification of court proceedings was sent by the data subject's solicitors many months later. I further found that the purpose of the medical examination should be clear to the data subject at the time that he attends the doctor.

The employee in this case was clearly under the impression that the referral was related to assessing his fitness for work only. It is an important Data Protection principle that another purpose cannot be introduced retrospectively. Furthermore, information about the purpose is required to be provided to the employee (data subject) pursuant to section 2(D)(i) and (ii) of the Acts, otherwise personal data is not treated as "fairly processed".

Privilege is an important feature of court proceedings but it should not be used as a veil to seek to restrict access where it cannot be justified. As section 5(1)(g) relates to personal data in relation to communications between a client and his professional legal advisers or between those advisers, I took the view in this case that a copy of a medical report prepared for a specific personnel purpose could not be considered as such a "communication" which would attract privilege. Also, there are very limited restrictions on an individual's right of access to his or her medical data. The Data Protection (Access Modification)(Health) Regulations, 1989 provide that restrictions on access must be based on opinion by a medical professional that allowing access would cause serious harm to the individual's physical or mental health. As "harm" was not an issue, I therefore concluded that section 5(1)(g) of the Data Protection Acts, 1988 and 2003 could not be relied upon by the company to restrict his access to a copy of the medical report in question. I was pleased that the company accepted my view.

In another employment related case, I established that a data controller cannot avoid dealing with an access request for an employee's medical report on the premise that it has been returned to the author of the report. To deal with such requests, organisations should have a clear procedure in place. The request may be for (1) the report itself and/or (2) the data on the medical file. When an access request for medical data is received, the Company Doctor/Medical Officer should be immediately advised and should make the data available unless it is considered 'harmful' to do so.

On a related question, it is sometimes considered that the employee's consent is needed for referral to a company doctor. Generally, an employer will have the right under the contract of employment to refer an employee for a medical report. Processing of personal data in a medical report involves sensitive data and section 2(B)(i) of the Acts provides that a data controller must obtain "explicit" consent from a data subject before sensitive data may be processed. Alternatively, section 2B(ii) provides for processing which "is necessary for the purpose of exercising or performing any right or obligation which is conferred or imposed by law on the data controller in connection with employment".

Relying on freely given consent implies that an employee has a right to refuse referral. Given the employer's rights under the contract of employment, this may not fully reflect the entirety of the rights and obligations involved. Therefore when the employee agrees to attend the doctor, what is important is that the employee clearly understands that s/he is required to attend the medical assessment for a particular purpose e.g. to determine whether s/he is fit to return to work and attends on that basis alone. On the other hand, if the purpose is connected with anticipation of or defence of legal proceedings then the employee should know that this is the basis for the referral.
