Have you considered the impact that GDPR will have on your healthcare benefits data?

The EU General Data Protection Regulation (GDPR) comes into effect on 25 May 2018 and will change the way that you handle your employees’ personal information.

These regulations include the processing of personal data across employee benefits such as private medical insurance and employee protection products, but also mobile health apps and wearable technology. Providing any of these will often require you to handle employee data such as name, age and address but also, health data.

Whether you’re dealing with employees’ personal data or more sensitive health data, you will need to make sure you have the right processes in place to follow the new requirements and prove that you have lawful consent to process the data and have taken appropriate steps to keep it secure.

Establish consent

Establishing a legal basis for processing personal data is a must for any organisation. Under the current data protection legislation, this is usually obtained through the employment contract but, because this weighs heavily in favour of the employer, you should consider if this is still valid under GDPR.

Going forward, if you intend to rely on consent to process your employees' personal data, you will need to ensure that consent complies with the new stricter requirements. Any document that you use to obtain consent must be in plain English and include details of:

  • the type of data you wish to collect,
  • how long you will store it, and
  • whether you will share it, if so, who you will share it with.

It will also need to include the name and contact details of your data protection officer.

Consider what data you really need

The new regulations present an ideal opportunity to assess the amount of data that you collect, store and supply to other parties.

For example there might not be a need to supply a life insurer with a list of employee names and national insurance numbers. Some insurers might accept just an employee number and salary. Check with your insurers what data they really need. There needs to be a good reason to supply the data, otherwise don’t do it.

There may also be situations where it isn’t necessary for you to hold the data at all, for example, your employees’ medical history. It may be necessary to provide the data to the insurer, but it might not be necessary for you to handle this. Your employees could provide it directly to the insurer or your insurance consultant.

Managing your data

It is essential that you give some thought about how you manage health data. Security measures such as password protection, encryption and secure filing cabinets for paper-based data are vital but you need to think about how long you store it.

Subject access requests and the introduction of the right to be forgotten means you also need to have a system in place that enables you to identify where all of an employee’s personal data is held.

It is also important to ensure that any third party dealing with your employee health data has the right processes in place to keep it secure, and should be part of your due diligence process.

Get yourself prepared

Putting in place the necessary processes to comply with GDPR may seem like a major project given the deadline, but you needn’t panic. The Information Commissioner’s Office (ICO) has taken a pragmatic approach to the regulation and has produced lots of really useful guidance on their website.

This information is provided for the purposes of general interest and is not intended to apply to specific circumstances. Reasonable steps have been taken to check accuracy at the time of writing but we make no representation as to future accuracy. This information does not constitute legal or regulatory advice. We are not qualified to provide, and will not provide, legal or regulatory advice. We recommend that you obtain your own such specific legal or regulatory advice on matters such as GDPR from relevant professional advisers.