Privacy protection - Health information

An employee’s health information belongs to the special categories of data referred to in the Data Protection Regulation, and collecting and processing it must be necessary for the employment relationship.

The employer has the right to process an employee’s health data if the information was collected from the employee or from another source with the employee’s written consent. An employee’s health data may be collected and processed if it is necessary:

  • for the payment of sick pay or other equivalent health-related benefits
  • to clarify whether the employee has a valid reason for absence
  • when specifically requested by the employee in order to investigate the employee’s ability to work based on health data.

In addition, the employer has the right to process this information in situations and to the extent specifically provided for elsewhere in the law. Information must not be collected and processed contrary to the law, not even with the consent of the employee.

The employer must not collect a register of any employee’s medical details. Only a health care operator, such as the occupational health care service provider, may keep such a register. The occupational health care service may not give the employer an employee’s health data from its register without the employee’s specific consent, unless a specific situation is stipulated in legislation for releasing such information.

If the employer requires a fit-to-work statement to be provided for the employee in connection with the pre-employment health examination, information on the employee’s health must not be included in the statement. The occupational health care service may only inform the employer as to whether the employee is suitable for a particular job, or whether there are limitations.

Only designated persons may handle health information

An employee’s health data is confidential information. At the workplace, employees’ health information may only be handled on a strictly need-to-know basis. Employees allowed to handle the health information of other employees in the course of their work must be specifically designated by the employer. They may not disclose any of that information during or after their employment relationship. The number of persons allowed to handle health information must be as limited as possible. Normally, people such as managers and HR and payroll staff are required to handle employees’ health data in order to perform their jobs properly.

Health information must be kept separate from all other information, and it must be destroyed immediately once it is no longer needed. The employer must review the need for storing health data at least every five years.

It is only permissible to handle health information at the workplace if it is relevant for a special risk of illness related to the work. If an employee goes to work for another employer where a similar special risk of illness exists, the occupational health care service may disclose the related health information to the occupational health care service of the new employer.

Information on sickness absences may be recorded

The employer is allowed to register information on the times of an employee’s sickness absences, for instance, for the payroll system. However, the employer may not register the diagnoses entered on the medical certificates presented for those sickness absences.

The employer may give an employee’s medical certificate or statement, provided by the occupational health care professionals, to the occupational health care provider in order to perform the health care tasks required in the Occupational Health Care Act, unless the employee prohibits this. In any case, the employer may inform the occupational health care service about the times and durations of an employee’s sickness absences.

Handling health information in occupational health care three-way meetings

The employer is entitled to send an employee to the occupational health care service for a work capacity assessment if the employer has a justified reason to suspect that the employee’s work capacity is compromised by a decline in his/her health. Cooperation to provide early support may be agreed on in the occupational health care service plan or a dedicated early-support model drawn up for the workplace.

The practices for supporting work capacity are agreed in the occupational health care service plan.

An early-support three-way meeting is usually attended by the ill employee, the employer’s representative (e.g. the supervisor) and the occupational health care physician or nurse.

Occupational health care professionals may not inform the supervisor at the meeting or indeed any other employer representative about the employee’s illness without the consent of the employee, but they can describe the impact of that illness on work capacity in general medical terms. All participants of a health care meeting are bound by confidentiality with regard to the employee’s health information.

If a diagnosis is required on the medical certificate, the employer will already know what the employee’s illness is. The employee himself/herself may of course share more information about the illness.

Often the employee will agree beforehand with the occupational health care service how much to tell the employer about the illness at the meeting. The purpose of the three-way meeting is to agree on job duties suitable for the employee’s work capacity at that time. The occupational health care service may provide its expert opinion regarding the duration of the adjustment of job duties and determine a time for the follow-up meeting.




This website is part of the European Commission's Your Europe portal.