Employee health screening generates sensitive personal data — and under GDPR, mishandling this information can result in fines of up to €20 million or 4% of annual turnover.
Here's your essential guide to GDPR-compliant health screening that protects both your business and your employees' privacy rights.
Why GDPR Matters for Health Screening
Health data is classified as "special category personal data" under GDPR, requiring:
- Explicit consent from employees
- Heightened security measures
- Clear data retention policies
- Transparent processing purposes
The stakes are high. Non-compliance can result in:
- Substantial financial penalties
- Reputational damage
- Employee trust erosion
- Legal action from data subjects
Legal Basis for Processing Health Data
You need a valid legal basis under Article 6 AND Article 9 of GDPR:
Article 6 (General Processing):
- Legitimate interests (most common for workplace screening)
- Legal obligation (industry-specific requirements)
- Vital interests (emergency health situations)
Article 9 (Special Category Data):
- Explicit consent from the employee
- Employment law obligations
- Protecting vital interests (if consent impossible)
- Occupational medicine purposes
Getting Valid Consent
Consent must be:
- Specific — tied to particular screening activities
- Informed — employees understand what data is collected and why
- Freely given — no coercion or employment consequences
- Withdrawable — employees can opt out without penalty
Example consent language:
"I consent to CheckAtWork collecting and processing my health data for the purpose of assessing my fitness for work. I understand this includes [specific tests] and that results will be shared with [specific parties]. I can withdraw this consent at any time."
Data Minimisation in Practice
Only collect what you actually need:
✅ Justified for office workers:
- Basic health questionnaire
- Blood pressure and BMI
- Vision screening (if computer work)
❌ Excessive for office workers:
- Detailed blood panels
- Genetic testing
- Mental health assessments (unless job-specific risk)
✅ Justified for construction workers:
- Lung function tests
- Hearing assessments
- Physical capability evaluations
- Drug and alcohol screening
Secure Data Storage Requirements
Technical measures:
- Encryption at rest and in transit
- Access controls and user authentication
- Regular security updates and patches
- Secure backup and recovery procedures
Organisational measures:
- Staff training on data protection
- Clear data handling procedures
- Regular security audits
- Incident response plans
Retention periods:
- Keep only as long as necessary
- Typical retention: 3-7 years post-employment
- Some industries may require longer (aviation, nuclear)
- Regular review and secure deletion
Employee Rights Under GDPR
Employees can request:
- Access — copies of their health data
- Rectification — correction of inaccurate data
- Erasure — deletion in certain circumstances
- Portability — transfer of data to another provider
- Restriction — limitation of processing activities
Response timeframes:
- 1 month for most requests
- Extensions possible for complex requests
- Free of charge (unless clearly excessive)
Third-Party Provider Requirements
When choosing a health screening provider, ensure:
- They have robust GDPR policies
- Data Processing Agreements (DPAs) are in place
- Security certifications (ISO 27001, Cyber Essentials)
- Clear data breach notification procedures
- UK/EU-based data processing (post-Brexit considerations)
Key contract clauses:
- Purpose limitation
- Data retention periods
- Security measures
- Breach notification (within 72 hours)
- Return/deletion of data upon contract termination
Cross-Border Data Transfers
UK to EU transfers:
- UK adequacy decision covers most transfers
- Monitor for any changes post-Brexit
- Standard Contractual Clauses as backup
Transfers outside UK/EU:
- Adequacy decisions (limited countries)
- Standard Contractual Clauses
- Binding Corporate Rules
- Certification schemes
Breach Response Procedures
If health data is compromised:
Within 72 hours:
- Notify ICO (or relevant EU authority)
- Document the breach circumstances
- Assess risk to employee rights
Without undue delay:
- Notify affected employees if high risk
- Provide clear information about the breach
- Outline steps being taken to address it
Industry-Specific Considerations
Healthcare/Care Workers:
- Enhanced screening justified
- Professional body requirements
- Occupational health referrals
Construction/Manufacturing:
- Safety-critical role justifications
- Regular re-screening requirements
- Emergency medical information
Transport/Logistics:
- DVLA medical standards
- Regular fitness assessments
- Drug and alcohol policies
Documentation Requirements
Maintain records of:
- Legal basis for processing
- Consent forms and dates
- Data sharing agreements
- Retention and deletion schedules
- Employee training records
- Data protection impact assessments
CheckAtWork's GDPR Approach
We ensure compliance through:
- ISO 27001 certified data security
- UK-based data processing and storage
- Clear consent processes before any screening
- Automated retention and deletion schedules
- Employee portal access to personal data
- 24-hour breach notification procedures
Need GDPR-compliant health screening?
Contact our compliance team for a consultation on your specific requirements.
Protecting employee data isn't just compliance — it's trust.
— The CheckAtWork Team