The Dutch Data Protection Authority ("DPA") has published policy rules for the processing of personal data concerning the health of employees (the "Policy Rules"). The Policy Rules will serve as a guiding principle for the DPA when implementing enforcement measures.
Since 1 January 2016, fines for breaches of data protection law in the Netherlands have increased significantly in anticipation of the EU General Data Protection Regulation, which comes into effect on 25 May 2018. The Dutch Data Protection Act now provides for a maximum fine of EUR 820,000 or, if the DPA is of the opinion that this maximum does not provide an appropriate sanction for a legal entity, a maximum of 10% of the annual turnover achieved in the previous financial year. Further, the DPA has categorised unlawful processing of special categories of personal data, such as data concerning health, as a serious breach that can be punishable by the maximum fine.
In order to minimise the risk of such violations (and hefty fines), employers should review the standards contained in the Policy Rules to ensure that their sickness absence registration processes and systems are compliant. This e-Alert summarises key issues in the Policy Rules and can be used as a basis for a high-level quick scan.
1. Awareness: processing of data concerning health is prohibited unless (limited) exceptions apply
Employers (and their employees) need to be aware that data concerning the health of employees may not be processed, unless it is necessary for:
- proper compliance with statutory provisions (including determining whether the employee is entitled to sick pay), pension schemes or collective bargaining agreements that provide entitlements that depend on the employee's health; or
- the reintegration or support of employees or recipients of welfare benefits in connection with illness or disability.
2. Sickness reporting: only specific and limited information may be requested and processed
Employers may only request and register the following information in case of sickness reporting:
- phone number / address where the employee is treated
- expected duration of absence
- status of assignments and duties
- applicability of a residuary provision (vangnetbepaling) of the Sickness Benefits Act (however, employers may not register which provision applies!)
- whether the illness is related to an accident at work
- whether the illness is related to a traffic accident (third party liability).
Other data, for example with regard to the nature of the sickness, may not be registered even with the employee's consent.
To reduce the risk of unlawful data processing, absence registration forms and systems should not contain multiple choice options that allow employers to classify the reasons for sickness absence provided by the employee. Exceptions can apply if the system processes the information in such a way that it can no longer be attributed to a specific employee.
Preferably, absence registration forms should not contain open fields. If open fields are used, the form should clearly indicate that no medical data, such as the nature and cause of the illness, may be recorded. The employer should refrain from processing medical data even if the employee discloses this information voluntarily.
If the employee requests the employer to register certain information because this is necessary to ensure that the employee's co-workers know what to do in case of a medical emergency, such information may be processed by the employer.
3. Rehabilitation efforts: reporting is necessary to comply with statutory provisions but limitations apply
The employer and the employee have a joint (statutory) responsibility for the return to work process. Dutch law provides rules regarding the recording of this process.
Plan of approach
Parties shall jointly draw up a plan of approach for the return to work process. Based on the Policy Rules, this plan should only contain data concerning the health of the employee insofar as it is necessary, such as information regarding the suitable duties that the employee can perform as part of his rehabilitation. The plan of approach should not contain information regarding the nature or cause of the employee's illness.
The employer shall keep a record of the absence of the employee and the rehabilitation efforts in the so-called rehabilitation file. This file shall contain: the advice of the company doctor, the plan of approach (including revisions), other rehabilitation efforts and reports of third parties involved, such as the case manager or a rehabilitation firm. The employer must ensure that the rehabilitation file does not contain medical information that he is not allowed to process.
Employees who are responsible for the rehabilitation processes should be made aware of the applicable data protection rules to prevent unlawful processing of personal data.
4. Security measures: digital absence registration systems
The Dutch Data Protection Act requires the data controller to implement appropriate technical and organisational measures to protect personal data against loss or any unlawful form of processing. The measures shall guarantee a level of security appropriate to the risks represented by the processing and the sensitive nature of the data, and shall also seek to prevent the unnecessary collection and processing of personal data.
The Policy Rules require that digital absence registration systems used by employers and occupational health and safety services at least meet the following criteria:
- the data must be secured by means of two-factor authentication if the system can be accessed through the internet; and
- security risks shall be identified periodically, e.g. by means of security scans.
Other appropriate technical and organisational measures mentioned in the Policy Rules include:
- the settings of the user authorisations must prevent persons who are not permitted to process certain medical data from accessing such data
- the system administrator may not use the personal data in the absence registration system to develop and test the system
- the employer must not be able to print reports from the system containing medical information that he may not process
- (medical) data registered by the company doctor must not be accessible by the employer or his systems administrator in any way
- the employer may not distribute login codes for data that he may not process.
5. Period of storage: when should the data be deleted?
Personal data may not be stored longer than is necessary for the purposes for which the data were collected or for which they are further processed. According to the DPA, a reasonable storage period applies to each category of data; these periods are set out in a table accompanying the original alert.