CP&A receives fine for violating privacy of sick employees

Security of personal data

The Dutch Data Protection Authority (DPA) has imposed a fine of €15,000 on maintenance company CP&A for violations committed when processing the health data of sick employees. CP&A maintained a register of the causes of sick leave. In doing so, the company processed more health data than legally permitted. Furthermore, the registration of sick leave was not adequately secured. CP&A has now ended this practice.

Not necessary for reintegration

CP&A’s sick leave registry contained highly sensitive information about the physical and/or mental health of employees. This included the names of illnesses, specific health complaints and indications of pain.

It is not necessary for employers to process this kind of information for the reintegration of their employees.

Sensitive personal data

Health data constitutes sensitive personal data, which must be given special protection. Everyone has the right to keep such information to themselves wherever possible, and this includes employees. However, an employee can feel obliged to share such information with their employer.

If an employer has knowledge of an employee’s physical or emotional state of health, it may form an opinion or take decisions that have a major impact on the employee concerned.

Nature and cause of illness

Under privacy law, employers are not allowed to register information about the nature or cause of an individual’s sickness absence notification. Nor can the employer ask questions about such things. That is for the in-house medical officer or the safety, health and welfare services to address.

In exceptional situations an employer may register information about the nature or cause of an employee’s illness. One example is when a staff member has epilepsy, and co-workers need to be aware of this so that they know what to do if the individual suffers an episode.

Sick leave register was held online

CP&A’s sick leave register was accessible online, without any form of authentication system. Information about someone’s sick leave can say something about their health, so especially strict requirements apply to the security of health data. Only authorised employees may access such data.

If a sick leave system is accessible via the internet, access to the system is permitted only via multi-factor authentication. Besides a regular login procedure, authorised individuals must confirm their identity in another manner, such as by using a security token, in order to gain access. So a login system requiring only a user name and password is not sufficient.
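The two requirements stated above (no access to the register without a second factor, and access only for authorised staff) can be made concrete in code. The following is an added illustration written for this page, not CP&A's system or anything the DPA published: a minimal login check in which a username and password alone never unlock the register, a time-based one-time code (RFC 6238 TOTP, the kind of code a hardware or app security token produces) is required as the second factor, and a role check is applied on top. The user store, salts, secrets and role names are all constructed for the example.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo user store (assumption: passwords kept as salted PBKDF2 hashes,
# each user enrolled with a TOTP secret, and a role that gates register access).
DEMO_SALT = b"constructed-salt-for-example"
DUMMY_HASH = hashlib.pbkdf2_hmac("sha256", b"x", DEMO_SALT, 200_000)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted password hash; never store the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


USERS = {
    "hr-officer": {  # constructed account allowed to see the absence register
        "salt": DEMO_SALT,
        "pw_hash": hash_password("correct horse battery staple", DEMO_SALT),
        "totp_secret": b"constructed-totp-secret-one",
        "role": "absence-admin",
    },
    "intern": {  # constructed account that can log in but must not see the register
        "salt": DEMO_SALT,
        "pw_hash": hash_password("intern-password-2024", DEMO_SALT),
        "totp_secret": b"constructed-totp-secret-two",
        "role": "staff",
    },
}


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def authenticate(username: str, password: str, otp, now=None, store=USERS):
    """Return (ok, reason). Both factors are mandatory; a password alone is refused."""
    now = int(time.time()) if now is None else now
    user = store.get(username)
    if user is None:
        # Hash anyway so an unknown username is not distinguishable by timing.
        hmac.compare_digest(hash_password(password, DEMO_SALT), DUMMY_HASH)
        return False, "unknown user"
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return False, "bad password"
    if otp is None:
        # This is the case the DPA objected to: login page reachable from the internet,
        # credentials correct, but no second factor presented. Access is denied.
        return False, "second factor required"
    # Accept the current window plus one step either side to tolerate clock drift.
    expected = {totp(user["totp_secret"], now + d) for d in (-30, 0, 30)}
    if not any(hmac.compare_digest(str(otp), e) for e in expected):
        return False, "bad second factor"
    return True, "authenticated"


def may_open_absence_register(username: str, password: str, otp, now=None, store=USERS):
    """Authorisation on top of authentication: only the register role gets in."""
    ok, reason = authenticate(username, password, otp, now, store)
    if not ok:
        return False, reason
    if store[username]["role"] != "absence-admin":
        return False, "not authorised for absence register"
    return True, "access granted"


if __name__ == "__main__":
    t = int(time.time())
    code = totp(USERS["hr-officer"]["totp_secret"], t)
    print(may_open_absence_register("hr-officer", "correct horse battery staple", None, t))
    print(may_open_absence_register("hr-officer", "correct horse battery staple", code, t))
```

Run stand-alone, the first call is refused with "second factor required" even though the password is right, and the second succeeds; an authenticated "intern" is refused at the authorisation step. The one-time code is compared with `hmac.compare_digest` and the password check runs even for unknown usernames, so neither the user list nor the code can be probed through response timing.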

Asking necessary questions is acceptable

According to DPA board member Katja Mur, ‘Of course, it’s completely understandable that an employer wants to know whether someone’s sickness absence is going to be short or long term in nature. But to establish this it isn’t necessary for employers themselves to process health data or start playing doctor. The in-house medical officer or safety, health and welfare service can provide information about the expected duration of the leave and the workload an employee can take on when they return to work.’

Naturally, an employer may ask a sick employee a number of questions to determine whether, and if so how, their tasks should be reassigned.