What impact will GDPR have on healthcare benefits data?

healthcare benefits data

Need to know:

  • The General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, will apply to the processing of employees’ personal data within healthcare benefits.
  • Employers will need to get data subject consent from employees and inform them of the type of data the employer wishes to collect, how it will be used, how long it will be stored and whether it will be shared and, if so, with whom.
  • Certain information, such as an employee’s medical history does not need to be shared with the employer, it can be supplied directly to the provider or consultant.

Introducing a new set of data protection requirements, as well as significantly higher fines for non-compliance, the EU General Data Protection Regulation (GDPR) will change the way organisations handle employees’ personal information.

GDPR comes into force on 25 May 2018. In the healthcare and wellbeing space, the regulations apply to the processing of personal data across the full range of benefits, including more recent additions such as wearable technology and mobile health apps, as well as more traditional group risk and private medical insurance products. Providing any of these will often require an employer to handle employee data such as name, age and address but also potentially, health data.

Whether they are dealing with employees’ personal data or more sensitive health data, employers will need to make sure they have the right processes in place to comply with the new requirements, says Laura Gemmell, employment law and HR training manager at Law at Work. “Organisations will need to be able to demonstrate they have established a lawful basis for processing [the data] and taken the appropriate steps to keep it secure,” she explains. “There is work required to achieve compliance but much of it is common sense and may also benefit the business.”

Matter of consent
Data subject consent is a must for any organisation looking to process personal data. Under the current data protection legislation, this has traditionally been obtained through the employment contract but, because this is weighted heavily in favour of the employer, it will no longer be valid under GDPR. “How can an employee not sign their contract of employment?” says Gemmell. “They must be able to choose whether or not to give [their employer] access to their data. It may be more appropriate to make consent a clause on the benefit itself.”

This document must be in plain English and include details of the type of data the employer wishes to collect, how it will be used, how long it will be stored and whether it will be shared and, if so, with whom. It will also need to include the name and contact details of the employer’s data protection officer.

However, there is still some ambiguity around what is required. Stuart Scullion, executive chairman of the Association of Medical Insurers and Intermediaries (AMII), explains: “If [employers] extend benefits such as [private] medical insurance or a health cash plan to an employee’s partner and children, do [they] need to get their explicit permission too? They can choose not to give their permission, but they wouldn’t be able to get the benefit.”

As well as getting consent from employees when arranging benefits, it may also be necessary to seek it if reasonable adjustments are required to support a health issue. These situations can be difficult to manage, especially where employees may perceive their colleague to be receiving favourable treatment if, for instance, they are allowed to work different hours, says Gemmell. “It’s sensible to explain to other employees why this allowance has been made but [employers] do need to get explicit permission from the employee to share any information about their health,” she adds.

Data minimisation
While the need for consent may require additional work for compliance, GDPR also presents a great opportunity to assess the amount of data employers collect, store and supply to other parties.

Employers should ask themselves whether they really need to collect or supply each piece of data, says John Dean, managing director of Punter Southall Health and Protection. “There’s no need to supply a life insurer with a list of employee names and national insurance numbers,” he says. “All it needs is an employee number and salary. Insurers regularly get sent loads of data they don’t need: there needs to be a good reason to supply it, otherwise don’t do it.”

In some instances, it will not be necessary for the organisation to hold the data at all. For example, where an employee has to provide their medical history to an insurer, there is no need for this to be handled by the employer, says Gemmell. “Employers shouldn’t handle this information. Employees should provide it directly to the insurer or the consultant,” she adds.

As well as thinking about the amount of data collected and supplied to healthcare benefit providers, it is worth employers considering how it is supplied. “Don’t send it in a spreadsheet by email,” Dean adds. “Encrypt it, password protect it and, if [they] can, use a secure portal. Emails can, and do, get forwarded to the wrong people so [employers need to] make sure [they’re] not leaving [themselves] open to a data breach.”

Managing data
Organisations also need to give some thought to how they manage health data. Again, security measures such as password protection, encryption and secure filing cabinets for paper-based data are essential but employers need to think about how long they store it. Rick Dallaway, data protection officer at Validium, says: “The days of hoarding loads of data are over. Organisations are custodians of data for a set length of time, after which it must be deleted.”

The introduction of subject access requests and the right to be forgotten means organisations also need to have a system in place that enables them to identify where all of an employee’s personal data is held.

GDPR may also affect the management information provided by health benefit providers. Although this is usually provided in an anonymised format, for instance a health risk assessment report might highlight that 70% of employees are not taking enough exercise, the possibility of identifying anyone must be removed. Dallaway explains: “We require a minimum of 100 employees in any group or subgroup before we’d report on trends and, even then, we will always check to make there isn’t a risk that someone could be identified.”

It is also important to ensure that any third party dealing with employee health data has the right processes in place to keep it secure. Requesting information on the data security measures in place at an insurer or healthcare service should be part of the due diligence process.

Be prepared
Putting in place the necessary processes to comply with GDPR may seem like a major project given the deadline, but employers should not panic, says Gemmell. “There’s a lot of scaremongering going on,” she explains. “As a good starting point, look at the Information Commissioner’s Office (ICO) website. It’s taken a pragmatic approach to the regulation and has produced lots of really useful guidance.”

And, while no one is expecting the ICO to start handing out fines on 25 May to every organisation that has not achieved full compliance, for an employer to demonstrate it has done as much as possible to comply is a must.