arrow_up-blue blog branches consultations events facebook-icon facebook-icon2 factsheet forum-icon forum hands key link location lock mail measure menu_plus news pdf pdf2 phone policies publications related search share subjectguide twitter-icon word instagram-icon youtube-icon

Data protection

This guide covers your rights and your employers responsibilities regarding data protection at work.

General Data Protection Regulations (GDPR)

The General Data Protection Regulations came into force on the 25 May 2018, detailed information is available from the Information Commissioner's Office. This includes frequently asked questions for the health and social care sector.

Back to contents arrow_up-blue

Displaying names and photographs in a public area

The term 'personal data' includes photos of any individuals. If you have any concerns about your employer using or displaying your photo, please discuss this with your manager in the first instance. This includes displaying your photo in your workplace, online or in any promotional material.

It is likely that the use of the photo would be ‘fair and lawful’ if your objection is simply that you do not want it displayed.

The use of your photo may be a breach of data protection legislation if you raise a reasonable objection. For example, in a clinical environment staff may raise personal safety and security concerns because they have access to drugs in the course of their employment.

If your employer takes your photo, you should be told why it is being taken. It should not be used for any other reason without your permission.

If you are unable to resolve any concerns informally, please call us for further advice.

Back to contents arrow_up-blue

Monitoring at work

Employers may be able to monitor workers, as long as this is done in a way which is consistent with data protection legislation. Employers must also consider Article 8 of the European Convention on Human Rights which creates a right for each individual to respect for private and family life, including their correspondence.

An example of data which may be collected in certain circumstances is biometric data, including fingerprints.

Your employer may also be able to monitor your use of the Internet while you are at work and your workplace emails. They should have a local policy which defines 'acceptable use' and outlines how this will be monitored.

Please also refer to the Acas guidance on being monitored at work.

Back to contents arrow_up-blue

Covert recordings

Covert recordings should only be undertaken when there is no alternative. For example, to investigate or prosecute a serious crime or protect someone from serious harm. It is not appropriate to record conversation unless the parties involved have given their consent.

The Information Commissioner’s Office (ICO) has guidance on covert monitoring. Please see section 3.4 of the Employment Practices Code. Please note that the ICO are in the process of updating their guidance following the introduction of the Data Protection Act 2018. We believe that the advice on covert recording is still relevant at this time.

If you feel your privacy has been breached in this way, please contact us. You may have a number of options available including a complaint to the Information Commissioner. 

Back to contents arrow_up-blue

Audio recording or filming in clinical settings

If a patient or family member is audio or film recording then the reasons for this should be discussed. Unless there is good reason for doing so (e.g. the patient is unable to recall oral advice or there is a problem with interpreting written material) this action should be stopped.

Health-related information is confidential and can only be shared if consent is given. So, if other patients are being recorded without their consent, it is a clear breach of confidentiality.

The Nursing and Midwifery Council (NMC) Code places a professional duty on registrants to take action to ensure that anyone in their care is protected from risk. Failure to take such action could amount to professional misconduct.

If this happens to you:

  • ask the person to stop recording until a full explanation is given
  • escalate your concerns in writing to your manager (with reference to the NMC Code)
  • if the manager is not supportive and if the patient does not have reasonable grounds to make the recording, call us.

The Care Quality Commission (CQC) has produced guidance for families, carers and people who use health and care services on using hidden cameras to monitor care. They also have an article titled Thinking about using a hidden camera or other equipment to monitor someone's care?

Back to contents arrow_up-blue

Drug and alcohol tests at work

The ICO suggests that employers should communicate the details of their drug and alcohol policy to staff.

Regular drug testing is usually only justified where there is a reasonable suspicion of drug use that has an impact on safety. Any test must provide real evidence of impairment/potential impairment at work that will put the safety of others at risk. Drugs taken outside of work would not normally concern your employer unless there is any sign of impairment at work. In this situation, your employer may be able to take action.

When undertaking testing, your employer must be clear about what they are looking for and why the test is being conducted. They should take particular care where drug testing is justified on health and safety grounds.

Covert medical testing should only be used in exceptional circumstances with police involvement. A reliable interpretation of the test results requires a high level of technical expertise.

Please also check your local policy and should there be any concerns please contact us for support.

Back to contents arrow_up-blue

Health records and data protection

Data protection legislation defines a health record as "information relating to someone's physical or mental health that has been made by (or on behalf of) a health professional". It must have been prepared "in connection with the care of that individual". Health records which fall within this definition are protected - this includes manual and computerised records.

Back to contents arrow_up-blue

Who can access my employee health records

Under data protection legislation, health records are "sensitive data". This is any information concerning the physical or mental health or condition of a job applicant or employee. For example, pre-employment questionnaires, drug and alcohol test results, information about disabilities and any information that has been revealed through an occupational health examination.

Before information about your health is shared your employer must ensure:

  • you have given your explicit consent to share the information
  • sharing is necessary to enable your employer to meet their legal obligations, for example regarding health and safety or to comply with disability regulations
  • it is for medical purposes and is undertaken by a medical or health professional or someone working under an equivalent duty of confidentiality.

Your employer must ask for your consent before accessing your health records or requesting a medical report. Under the Access to Medical Reports Act 1988 you have the right to decline consent however it is important that your employer explains the implications of this.

Back to contents arrow_up-blue

How I can access my health records

Everyone has the right to view their health records. You should:

  • Contact your NHS Trust or GP surgery and request access to your records. Keep a copy of your request along with proof of postage or a copy of your email. 
  • Clearly state that you are requesting information under current data protection legislation.

You may be denied access if it likely to cause serious harm to you or another person’s physical or mental health.

Back to contents arrow_up-blue

Occupational health disclosure

Please see our clinical pages for more information about appropriate disclosure in occupational health nursing.

Back to contents arrow_up-blue

Access to employment records

The ICO 'Employment Practices Data Protection Code' states that you have the right to access copies of the information that an organisation holds about you.

The Code covers:

  • job applicants (both successful and unsuccessful)
  • employees (current and former)
  • agency workers, casual workers and contract workers (current and former). 

Please note that the ICO are in the process of updating their guidance following the introduction of the Data Protection Act 2018. We believe that the above advice is still relevant at this time.

Back to contents arrow_up-blue

Access to interview notes

As an applicant you will normally be entitled to access your interview notes. These will be kept for a reasonable time whether you are successful or not. The collection and storage of this information is covered by current data protection legislation.

Back to contents arrow_up-blue

Being the victim of a data breach

If your own employee data has been compromised or you are the victim of a data breach, please contact your employer’s Data Protection Officer immediately. Once the breach has been reported they will talk you through the process and advise you of the next steps. You may also wish to obtain a copy of your employers Data Protection policy which will outline the rights and responsibilities of both yourself and your employer.

Our advice on investigations and statement writing may also be useful.

Back to contents arrow_up-blue
Call the RCN on: 03457726100

Page last updated - 09/11/2018