
is this breach of GDPR

  • 25-06-2019 12:59pm
    #1
    Registered Users Posts: 294 ✭✭


    Hello. I've to attend a disciplinary meeting (related to absence) later in the week as a witness and as part of the email invitation they've included the number of days off and the medical reason why of the guy who I'm accompanying.
    I'm not sure they should have included the guy's medical details. I'm only a witness and don't need to know about these details.
    Would this constitute a breach of GDPR?
    Thanks


Comments

  • Registered Users Posts: 16,790 ✭✭✭✭banie01


    You are attending as a witness, as such you have no part to play in the actual hearing other than taking notes.
    You can't present evidence or ask questions on behalf of your colleague.

    With that in mind, I'd consider the sharing of the dates absent and the actual medical info to be a prima facie example of a Data Breach.

    You have no requirement for that information to be in your possession and unless the colleague under disciplinary sanction authorized its sharing I'd certainly be referring the matter to the Company's DPO.


  • Registered Users Posts: 13,745 ✭✭✭✭Dial Hard


    Surely this is information you would have become privy to as part of the meeting anyway, though?


  • Registered Users Posts: 16,790 ✭✭✭✭banie01


    Dial Hard wrote: »
    Surely this is information you would have become privy to as part of the meeting anyway, though?

    Hearing it incidentally to being a witness is true.
    However, having the info supplied in writing before the hearing to a witness who can play no part in shaping or directing the proceedings is sketchy ground IMO.

    The argument could be offered that as the OP has been named as a witness, the company received implicit permission to share the info, however IMHO nothing regarding data protection or its dissemination can be done without the explicit and informed consent of the subject.


  • Registered Users Posts: 3,998 ✭✭✭3DataModem


    The meeting is about absence. All meeting attendees need to have the relevant information about the nature of the absences. This (IMO) absolutely falls into appropriate use of the data, in fact NOT sharing the data could be actionable in an employment tribunal later on.

    Just to clarify OP - are you attending at the invitation of the staff member being disciplined?


  • Registered Users Posts: 2,543 ✭✭✭Seanachai


    3DataModem wrote: »
    The meeting is about absence. All meeting attendees need to have the relevant information about the nature of the absences. This (IMO) absolutely falls into appropriate use of the data, in fact NOT sharing the data could be actionable in an employment tribunal later on.

    Just to clarify OP - are you attending at the invitation of the staff member being disciplined?

    Are they allowed to disclose the particulars of the medical issues though? I thought the OP implied that they were disclosed.


  • Moderators, Regional Midwest Moderators Posts: 11,117 Mod ✭✭✭✭MarkR


    Perhaps the subject of the data specifically allowed the information to be shared? If you are to be present at the meeting, and this will be a matter of discussion, then you would be within the set of people who could reasonably need to know this info.


  • Registered Users Posts: 294 ✭✭tjc28


    3DataModem wrote: »
    The meeting is about absence. All meeting attendees need to have the relevant information about the nature of the absences. This (IMO) absolutely falls into appropriate use of the data, in fact NOT sharing the data could be actionable in an employment tribunal later on.

    Just to clarify OP - are you attending at the invitation of the staff member being disciplined?

    Yes, I am attending at the request of the staff member being disciplined.


  • Registered Users Posts: 3,998 ✭✭✭3DataModem


    Seanachai wrote: »
    Are they allowed to disclose the particulars of the medical issues though? I thought the OP implied that they were disclosed.

    I would expect that the meeting would often delve into the detail of the reason for the thing triggering the disciplinary, including interpersonal relationships, health issues, drug use, drunkenness, whatever. People are disciplined for all kinds of stuff.

    It doesn't make sense to constrain such a meeting with "we will discuss everything except the actual nature of the medical issues"... and I don't think any court or data protection commissioner would see that this was unreasonable, in fact NOT delving into this in more detail would be seen as not being thorough and not giving the staff member a fair hearing.

    I've attended these meetings in a variety of capacities (the staff member, the person accompanying, the manager) and there is nothing relevant that is off limits.


  • Registered Users Posts: 294 ✭✭tjc28


    Seanachai wrote: »
    Are they allowed to disclose the particulars of the medical issues though? I thought the OP implied that they were disclosed.

    This is the thing. In the meeting I'm assuming they won't necessarily discuss this guy's medical issue (which, I understand, is all certified); rather, they will discuss his absence. Yes, the illness is related to the absence, so how we'll do that I'm not sure, but I think he will indicate that he is uncomfortable with discussing the medical problem as it is private.
    My main concern is around the consent part, he didn't consent to his medical issue being shared.


  • Registered Users Posts: 3,998 ✭✭✭3DataModem


    tjc28 wrote: »
    Yes, I am attending at the request of the staff member being disciplined.

    Then I am 99.5% sure there is no GDPR or privacy issue here.


  • Registered Users Posts: 916 ✭✭✭angel eyes 2012


    banie01 wrote: »
    The argument could be offered that as the OP has been named as a witness, the company received implicit permission to share the info, however IMHO nothing regarding data protection or its dissemination can be done without the explicit and informed consent of the subject.

    Contrary to popular belief, consent is not the only lawful basis for processing personal data and in fact, consent is the least favourable lawful basis that data controllers/processors should rely on.
    The other lawful grounds are:
    A contract with the individual: for example, to supply goods or services they have requested
    Compliance with a legal obligation: when processing data for a particular purpose is a legal requirement.
    Vital interests: for example, when processing data will protect someone’s physical integrity or life (either the data subject’s or someone else’s).
    A public task: for example, to complete official functions or tasks in the public interest.
    and Legitimate interests

    I would also contend it is quite likely that the medical information would be shared in the discussions, therefore the company could rely on the basis that they have a genuine reason to share this data with the witness provided it is not outweighed by negative effects to the individual’s rights and freedoms. To allow for such instances, the HR unit should have addressed the legitimate possible sharing of special category personal data (medical details) in their HR Privacy Statement.


  • Registered Users Posts: 3,998 ✭✭✭3DataModem


    tjc28 wrote: »
    This is the thing. In the meeting I'm assuming they won't necessarily discuss this guy's medical issue (which, I understand, is all certified); rather, they will discuss his absence. Yes, the illness is related to the absence, so how we'll do that I'm not sure, but

    It all being certified is irrelevant. You can be fired for excessive sick leave irrespective of certification. Some people (including some in this forum :confused:) don't believe this, but the law and the precedent is there.
    tjc28 wrote: »
    I think he will indicate that he is uncomfortable with discussing the medical problem as it is private.

    He needs to make that clear before the meeting, and needed to make that clear before inviting you. All attendees must be provided with all relevant information to the investigation or hearing.
    tjc28 wrote: »
    My main concern is around the consent part, he didn't consent to his medical issue being shared.

    He invited you. They have obligations to invitees (to provide info).


  • Registered Users Posts: 294 ✭✭tjc28


    All good points folks and I appreciate the input. I'm off to another meeting now (unrelated) so won't be able to contribute here. I will have to dig out the company's privacy statement before the day is out.


  • Registered Users Posts: 3,998 ✭✭✭3DataModem


    Compliance with a legal obligation: when processing data for a particular purpose is a legal requirement.

    I'd say this is the case here. Most disciplinary processes require the sharing of all relevant information with meeting attendees prior to the meeting.


    Just FYI - the staff member can consider raising a grievance about the information sharing, and a sensible employer will suspend the disciplinary until the grievance is resolved one way or the other.


  • Closed Accounts Posts: 422 ✭✭Vetch


    Contrary to popular belief, consent is not the only lawful basis for processing personal data and in fact, consent is the least favourable lawful basis that data controllers/processors should rely on.
    The other lawful grounds are:
    A contract with the individual: for example, to supply goods or services they have requested
    Compliance with a legal obligation: when processing data for a particular purpose is a legal requirement.
    Vital interests: for example, when processing data will protect someone’s physical integrity or life (either the data subject’s or someone else’s).
    A public task: for example, to complete official functions or tasks in the public interest.
    and Legitimate interests

    I would also contend it is quite likely that the medical information would be shared in the discussions, therefore the company could rely on the basis that they have a genuine reason to share this data with the witness provided it is not outweighed by negative effects to the individual’s rights and freedoms. To allow for such instances, the HR unit should have addressed the legitimate possible sharing of special category personal data (medical details) in their HR Privacy Statement.

    Health data is special category data and you need to be able to apply a GDPR Article 6 legal basis (the ones you've listed) to the processing of personal data plus one from this Article 9 list http://www.privacy-regulation.eu/en/article-9-processing-of-special-categories-of-personal-data-GDPR.htm.

    While it's possible that the specific medical info would be shared in discussions, it's also possible that it would not be, and it would seem more privacy-friendly to give less information to participants beforehand and stress the importance of confidentiality at the beginning of sessions.

