Is it allowed to do medical checks on employees?
I read that Amazon and Apple are opening their own health clinics for their employees. This led me to the following question: is it allowed under privacy law to perform medical checks on employees, such as drug or alcohol tests?
Why companies perform medical checks
In some American companies, such as Amazon, a medical assessment is a routine part of the hiring process, known as pre-employment screening. Some companies also perform drug and alcohol tests, both before and during employment. In many Asian countries it is common for employees to undergo a yearly medical examination, paid for by the employer, and for the results to be shared with the employer.
It seems noble that companies feel responsible for their employees’ health. In Europe, however, medical checks on employees are largely a no-go. One example: in the Netherlands, the energy company Uniper (spun off from E.ON) was not allowed to perform drug tests on its employees. Why is that? And what does the current European privacy law, the GDPR, say about this?
Health data is a broad concept
Let’s start with the definition: what is health data? Under the GDPR (Article 4(15)), health data is any personal data relating to the physical or mental health of a person, including data about the health care that person has received, which reveals information about his or her health status. The definition is deliberately broad. It covers medical reports, diagnoses, diseases, disabilities, medical history and medication; genetic data is listed separately in Article 9 as its own special category, with the same protection. Without a doubt, medical checks and drug or alcohol tests involve health data.
Health data can also be less obvious information: the number of steps you take or stairs you climb, your heart rate, your blood sugar level, how many hours you slept, and so on. The list is almost endless. If a piece of information says something about someone’s health, you can bet it is health data.
Now let’s look at Article 9 of the GDPR, which contains the specific rules for health data and the other ‘special categories’ of personal data.
General rule for health data: no-go area
The basic rule (Article 9(1)) is that processing health data is prohibited. Article 9(2) lists a limited set of exceptions; the ones that matter for employers are:
- The person gives explicit consent (be aware that consent will generally not work in employment relations, as explained further below);
- Processing is necessary to comply with an obligation under employment law, where that law allows it (a medical check is required by law for some jobs);
- Processing is necessary to protect someone’s life and the person is unable to give consent (a life-or-death situation);
- Processing is done by or under the responsibility of a health professional bound by professional secrecy, for health-care or occupational-medicine purposes, such as assessing an employee’s working capacity.
Dutch law adds some further exceptions to this rule, for example for insurers and pension funds.
There is a further restriction: under the health-care exception, health data may only be processed by or under the responsibility of someone who has a professional obligation of secrecy, such as a company doctor (Article 9(3)). In Dutch practice this means the employer does not get access to the health data of employees: the company doctor only reports the conclusion (fit or not fit for the work, and which adjustments are needed), not the diagnosis or the test results.
Another obstacle for employers is consent.
Employee consent: another no-go area
For consent to be valid, all of the following conditions must be met (Articles 4(11), 7 and 9(2)(a)):
- Consent must be freely given (voluntary);
- It must be specific and informed;
- For health data it must be explicit (e.g. a written statement or signature);
- The request for consent must be clear, in an easily accessible form, using plain language;
- The person can withdraw consent at any time, and withdrawing must be as easy as giving it.
Now let’s apply these conditions to employees. If an employer asks an employee for consent, the employee may feel pressured to say ‘yes’. When a refusal may have any negative consequence for the employee, the consent is not voluntary (‘freely given’). The GDPR itself flags this in Recital 43: consent is unlikely to be freely given where there is a clear imbalance of power between the person and the organisation, and the European regulators’ guidance on consent names the employment relationship as a prime example. The negative consequences can be anything: not getting hired, being laid off, not being promoted, or other kinds of pressure. If any one of these conditions is not met, the consent is invalid and cannot be used as a legal basis at all.
Another problem with consent is that it can be withdrawn. If you want to apply a new policy to all employees, it is unworkable if some employees refuse to give consent, or give it and later withdraw it. For a company-wide policy you therefore need another legal basis, such as necessity to comply with a legal obligation; for health data, that basis must also fit one of the Article 9(2) exceptions.
Conclusion: medical checks only if required by law, performed by doctors, and not based on consent
Under the GDPR, it is generally not allowed to perform medical checks on employees, before or during employment. The exception is a medical examination that is required by law and performed by a company doctor bound by professional secrecy, with the employer receiving only the conclusion and not the medical results.
In practice, I see that many employers assume they have to ask employees for consent. But consent must be voluntary and can be withdrawn at any time, which is problematic in dependent relationships such as the one between employee and employer. In that case, consent is not a suitable legal basis. Asking for consent may seem simple (a ‘formality’), but in practice it leads to difficulties.
If you have other questions about privacy, just send me a message.