20.11.2024

Seminar "Health Protection in Employment and GDPR" – Summary

On November 15, 2024, the seminar "Health Protection in Employment and GDPR" was held, organized by the Personal Data Protection Office, the Social Team of Experts under the President of the Personal Data Protection Office, and the Lewiatan Confederation.

As emphasized at the outset by Mirosław Wróblewski, President of the Personal Data Protection Office, the conclusions gathered during the seminar dedicated to the processing of personal data in employment will help the supervisory authority's specialists better understand the legal and social phenomena related to the topic. This is particularly important, as many inquiries during public consultations on the revision of the employer's guide pertained to the issues covered in the seminar's program.

Different Conditions, Different Legal Challenges

In the panel on the processing of personal data in preventive healthcare, it was highlighted that several decades ago, employees primarily sought assistance for infectious diseases. Today, work-related illnesses are dominated by cardiovascular diseases, cancers, and mental health disorders. A significant proportion of occupational diseases still stems from the pandemic, specifically long COVID. This underscores the need to transform employee healthcare, making it more responsive to current societal needs.

The following issues were identified as problematic:

  • The procedure for early referral to periodic health examinations due to a deterioration in the employee's health;
  • The exchange of information between the employer and the occupational medicine doctor beyond what is directly stated in the referral form or medical certificate;
  • The scope of occupational health examinations.

Currently, an occupational health doctor conducting an examination does not have access to any test results other than those voluntarily provided by the individual being examined, and there is no standardized practice in this regard. The scope of additional tests that the doctor can order is quite limited and is not always tailored to the needs of the working individuals.

It was noted that employers are increasingly eager to be proactive in the area of employee mental health. However, current legal regulations do not provide them with a clear basis to do so. Even when they are willing to allocate financial resources for psychological support for employees, they do so on a smaller scale and with concerns about being accused of violating GDPR and processing special categories of data.

In the current referral form for preventive medical examinations, the employer only describes the working conditions, providing information about the presence of hazardous, harmful, or burdensome factors in the workplace, as well as other factors resulting from the way the work is performed. This includes the level of exposure and current results of tests and measurements of harmful health factors conducted at the workplace. The form does not provide for the employer to share any other information. During the discussion, it was considered whether the employer could include additional information on the referral that might be relevant for determining the employee's fitness for work, which would be particularly justified when the employer is referring an employee for periodic examinations earlier than the expiration date of the medical certificate.

Experts pointed out the issue of employers providing information about observed changes in an employee's behavior that could justify expanding the diagnostics if the occupational health doctor had access to such information. Employees referred for earlier examinations, out of fear of losing their ability to work, are often unwilling to share such information with the doctor. The practice of occupational health doctors shows that patients are more likely to conceal information about their health than to take any initiative in disclosing it.

Experts agreed that a change in the referral form would help standardize practices and avoid the so-called informal circulation of information about an employee, such as information being conveyed by phone or the use of an "internal code" agreed upon between the employer and the occupational health unit with which they have a contract.

According to the discussion participants, it would also be worth considering granting doctors broader powers to obtain information from systems such as the P1 platform, through which referrals, sick leaves, and prescriptions are issued, among other things.

 

Systemic solutions are lacking that would indicate that examinations conducted under the provisions of the Labor Code should also serve preventive purposes and a comprehensive assessment of health status, rather than focusing solely on the observation of those organs and systems that are critical to the workplace hazards.

It is necessary to standardize occupational medicine practices, organize data protection issues in a way that safeguards sensitive information, while at the same time not hindering the formulation of diagnoses that are consistent with the actual state of health.

How to conduct psychological tests for employees in accordance with GDPR

More and more employers are relying on psychological testing of employees. Meanwhile, legal interpretations regarding the compliance of such tests with GDPR are very divergent. To what extent can we say that these are health-related data? Are these regular data? Apart from cases where the law explicitly permits such tests, are they permissible? When, if ever, can the legitimate interest of the employer be applied as a basis? These are the questions the panelists sought answers to during Friday's seminar.

Employers turn to psychological tests, among other things, for jobs and positions exposed to high stress in order to identify psychosocial hazards in the workplace. However, they should always be used in accordance with ethical standards, in a responsible and careful manner. Good testing tools must be characterized by validity and reliability.

From a pro-worker perspective, it should be stated that vocational suitability tests should be standardized. The data processed in this process constitutes sensitive information, which is why employees must be made aware through training of the consequences associated with its processing, and that the use of vocational suitability tests during employment is stigmatizing.

The issue of perceiving psychological testing of employees solely through the lens of personal data protection was pointed out. Until recently, there was a lack of legal regulation, namely the Act on the Psychological Profession. The period of retention of psychological tests has also not been regulated.

Meanwhile, there should be a strong legal framework for psychological testing. The legal provisions regarding referrals for psychological testing need to be reconsidered. Employee consent is not an appropriate instrument that could serve as the legal basis for conducting psychological tests, as it can be withdrawn at any time. There should also be mechanisms for the deletion of such data. The President of the Personal Data Protection Office recognizes the deficit in the existing statutory solutions related to employment.

The practice of testing employees often arises from the actual needs of the employer. The position of the Personal Data Protection Office should be viewed through the lens of protecting the rights of the individuals whose data is being processed, in this case—employees. In practice, however, the Personal Data Protection Office has not recorded any complaints regarding psychological testing of employees.

The participants of the meeting were divided on the issue of the justification for conducting psychological tests of employees' vocational predispositions. Some considered them acceptable, while others disagreed.

Current regulations and the professional activation of people with disabilities

To what extent are employers open to hiring people with disabilities, and do current regulations support such actions? Panelists mentioned that, on one hand, around 4 million people in the labor market have disability certificates, while on the other hand, companies report staffing shortages. Employers from larger enterprises are increasingly open to hiring people with disabilities. However, small and medium-sized enterprises, which are the backbone of the economy and employment, face challenges related to ensuring compliance with GDPR and adapting workplaces to the needs of people with disabilities. According to employers, a factor that complicates the implementation of positive changes is the complex nature of legal regulations.

How to raise awareness among employers and recruiters

In the context of corporate social responsibility, knowledge of an employee's disability is very important. Recruiters should be sensitized to the issue of people with disabilities, so they are aware of how long the employer will be able to process their data, e.g., in terms of adapting the workplace to their needs. During a job interview, if an individual discloses their disability, the recruiter should ask the potential employee in detail what it entails. It was pointed out that a good starting point for the recruiter is to ask about any specific needs and expectations related to the job position. In such a situation, the boundaries of sharing knowledge about one's illness depend on the specifics of the case.

In the job advertisement, it is possible to show that the employer is open to hiring people with disabilities. The goal should be to create a safe environment where the employee will feel comfortable disclosing their disability.

Regarding the extent of necessary disclosure of disability and other health issues, in accordance with GDPR, during the recruitment interview, the prospective employee is not required to inform the potential employer about them. At the employment stage, when a person with a disability becomes an employee, according to GDPR, they should provide personal data that is necessary due to their use of specific rights provided for in labor law, which may be related to their disability.

In job advertisements, employers often indicate that individuals with a disability certificate are preferred. However, these certificates often include notes stating that the individuals concerned can only undertake "light work," which frequently leads to interpretive issues. Panelists also pointed out legislative deficiencies regarding the terminology of certificates stating "total incapacity to work" and "incapacity for independent living."

Accident report and the data contained in it

The Chief Labour Inspector, Marcin Stanecki, presented to the seminar participants the scope of the activities of the National Labour Inspectorate concerning workplace accidents and shared data illustrating the state of accident prevention in Poland in 2023. The number of omissions identified by the National Labour Inspectorate on the part of employers may indicate insufficient social sensitivity in the area of determining the circumstances and causes of accidents, and it may have a negative impact on systemic preventive actions.

Participants were reminded that in the accident investigation process, the personal data of the injured party, individuals involved in the accident who caused it or contributed to it, as well as witnesses, are processed. Importantly, witnesses to the accident may not only be employees of the company where the accident occurred. In this regard, attention was drawn to the obligations related to the processing of personal data within this procedure. Issues related to other evidence, including surveillance recordings, were also discussed.

Reporting workplace accidents and the personal data related to them is meant to prevent similar incidents in the future. However, there are GDPR limitations regarding the data in accident reports, where there are practical restrictions on the amount of information provided. At the same time, including specific circumstances of the accidents in these reports is important due to their preventive function.

The topic of training was revisited – as emphasized, members of accident investigation teams should be trained in GDPR. Accident reports contain large amounts of sensitive data, to which the principle of data minimization should apply.

It was noted that the principle of data minimization should apply not only to the accident report but also to any data collected in the context of a workplace accident. Since the legal regulations are outdated – not accounting for surveillance recordings – there is a need for their modernization. Awareness of data protection and personal rights protection among employees is low. The detectability of workplace accidents is also low.

Although the scope of data collected in the accident investigation process concerning the injured party, witnesses, and those forming the accident investigation team is outlined in the accident report, in practice, it is broader than what is specified by law. As experts pointed out, the scope of data that should be included in the accident report should be specified in more detail under GDPR. This should include, for example, the possibility of collecting data from video surveillance and how long and under what conditions it can be stored.

Further findings

The seminar was organized at the initiative of attorney-at-law Dominika Dörre-Kolasa, a member of the Social Team of Experts at the President of the Personal Data Protection Office, who is actively involved in the work on updating the guide for employers on the processing of personal data in employment. The insights and reflections gathered during the seminar will be used in the guide being developed by the Personal Data Protection Office, in consultation and collaboration with the Social Team of Experts at the President of the Personal Data Protection Office.

The conference was held under the patronage of the Minister of Health and the National Labour Inspectorate.