Providing medical information about a person is a highly sensitive personal matter. Asking for it as part of the hiring process raises difficulties in relation to both Israeli labor and privacy protection laws. Employers may have a legitimate need to obtain particular medical information about candidates if it pertains to the demands of the position. However, the retention and use of medical information may sometimes constitute a violation of the Privacy Protection Law.

The Israeli Privacy Protection Authority recently published a document presenting its position and recommendations on the privacy protection aspects pertinent to waivers of medical confidentiality and disclosures of medical information during the hiring process. This document is open for public comments until December 20, 2022, at 12:00.

The Privacy Protection Authority’s document focuses on five key questions.

Can job candidates consent to disclose medical information?

According to the PPA’s position, such consent is questionable, due to the power imbalance between the employer and the candidate. Therefore, when asking candidates to disclose medical information, employers must do everything possible to ensure their consent reflects the candidates’ free will.

To comply with this obligation, the PPA recommends that employers postpone the requirement to waive medical confidentiality and disclose medical information until after reaching a decision in principle about the candidate’s suitability for the position and not at earlier stages of the hiring process. The explanations given to candidates regarding the need for medical information may also have weight when analyzing whether the candidate gave his or her consent out of free will. The PPA believes that consent given according to these principles constitutes consent that more closely reflects a candidate’s free will.

Can employers collect medical information irrelevant to the job?

No. According to the PPA’s position, employers must refrain from collecting extensive medical information that is irrelevant to the job or position in question. Employers should be able to show the direct relevance of the information to said position. This relevance should be assessed according to an objective scale and the legal rules of reasonableness and proportionality, i.e., to what extent, if any, the medical information is relevant to the job or position.

A candidate’s signature on a general waiver of confidentiality does not constitute a legal basis for the actual collection of information that is irrelevant when considering the candidate’s suitability for a specific position, or of information that infringes on the candidate’s privacy more than is necessary. The PPA clarifies that if the information collection process exposes surplus medical information, or more extensive medical information than is necessary, employers must refrain from retaining or using this information.

To ensure employers do not collect information that is irrelevant to assessing candidates’ suitability for a position, the PPA proposes two possible courses of action. The first is referring candidates to an occupational physician who will examine their medical status against the job requirements and only provide the employer with an opinion regarding the candidates’ fitness or unfitness for the specific position, without elaborating on the candidates’ medical status. The second is compiling a summary document of medical information and a medical examination form containing a statement about the candidates’ medical status, in lieu of collecting detailed medical information.

For what purposes can employers use medical information?

In most cases, the purpose of having candidates sign a medical declaration or a waiver of medical confidentiality as part of the screening and hiring process is to examine their suitability for the intended position. Any other use of this information, if the candidates have not given separate and explicit consent, may constitute a violation of provisions of the Privacy Protection Law.

What is the information retention period and should it be reduced?

Storing information over time increases the risk of privacy law violations. In general, the longer employers retain sensitive medical information, the greater the risk that this information will be exposed or leaked, severely infringing on the candidates’ privacy. The PPA recommends that employers retain such information only for the period consistent with the purpose for collecting the information or the purpose of the database containing the information. If employers are collecting medical information about candidates during screening and hiring processes, employers should conduct at least an annual review of whether they still need to retain this information for that purpose. If the answer to this question is no, this is considered surplus information and retaining it is no longer justified.

Should candidates or employees be able to review information and correct it?

The Protection of Privacy Law states that database owners must comply with data subjects’ requests to review their personal information stored in their databases. Therefore, employers are under a statutory obligation to honor candidates’ rights to review medical information collected as part of the screening and hiring process. Furthermore, and especially since a person’s medical status changes over time, the PPA emphasizes that employees or job candidates who have reviewed the information about themselves and found it to be incorrect, incomplete, unclear, or outdated, are entitled to ask their employers to correct or delete the information.

Organizations that collect medical information about job candidates must verify they are complying with all the requirements of the Privacy Protection Law that apply to them, particularly with regard to the points discussed above. Failure to comply with these statutory requirements exposes organizations to various risks. These include the PPA refusing to register a database, suspending the registration of a registered database, and imposing additional sanctions by virtue of the Privacy Protection Law.