Collecting and Processing Health Data
Health data about an employee may only be collected in certain strictly defined situations. Health information is sensitive personal data, as defined by law. Thus, processing such data is subject to stricter provisions than regarding other personal data. When health data is needed, it should be collected primarily from the employee him/herself. Thus, the conditions are, from this perspective, the same as for other personal data. If personal data is collected elsewhere, e.g. from occupational healthcare services, written consent from the employee is required. Oral consent is insufficient in this situation. The employee’s consent may only regard the request of pre-defined data, such as e.g. data about a sick leave. The consent may also be more extensive. The employee is free to decide about the disclosure of data collected about him, and to give consent regarding future data. The employee is however free to revoke his consent later on.
The employer has a right to collect personal data in four different situations. Information may be collected
in order to pay sick pay or other comparable health-related benefits;
to establish whether there is a justifiable reason for absence;
if the employee expressly wishes his/her working capacity to be assessed; and
in the specific circumstances, and to the stipulated extent, separately provided elsewhere in the law.
The nature of what health data an employer may process is to be considered separately in each case. For instance, collective labour agreements generally provide that a medical certificate, complete with a diagnosis, is delivered in case of a sick leave. The assessment of working capacity may justify more extensive processing of data. When acquiring health data, the necessity requirement, provided in the Act on the Protection of Privacy in Working Life, also needs to be taken into account. Only data directly necessary for the employee’s employment relationship may be collected. The necessity requirement affects the detail of the information as well as its scope.
Information concerning the employee's state of health may only be processed by persons who prepare, make or implement decisions concerning employment relationships on the basis of such data. The employer shall nominate such persons or specify the tasks that involve processing of health-related data. For instance, information regarding the employee’s state of health is needed in the calculation of salaries. For instance, the employee’s manager may need information about the employee’s state of health when contemplating the justifiability of the employee’s absence. The objective is that information concerning an employee’s state of health doesn’t get out in the workplace but stays on a need-to-know basis, between the persons who need it to carry out their assignments. An explicit confidentiality requirement is assigned to such persons. They may not disclose employee health information to others during or after their employment. In addition, the employer must store any information in his possession concerning the employee's state of health separately from any other personal data that he has collected and and, in addition, data concerning the individual's state of health shall be deleted immediately after the processing is no longer justified under paragraph 1. The justification and necessity of the processing must be assessed at least every five years.
External sources
- The Data Protection Ombudsman: Frequently asked questions about working life
- The Data Protection Ombudsman: Working life's data protection handbook (only available in Finnish)
- The Data Protection Ombudsman's decision on the processing of employees' health status data and data on sick leave at the workplace and transferring of the data to occupational health care in co-operation between the employer and occupational health care (only available in Finnish)