In two previous blogs (see bottom of this article), I discussed the processing of personal data of sick employees and the Autoriteit Persoonsgegevens's Policy Rules. By now, many organizations are familiar with these policy rules. In practice, however, we see that organizations sometimes still pay insufficient attention to certain aspects surrounding sick leave and the processing of personal data.
Some examples:
absence records are not properly secured by appropriate organizational and/or technical measures.
the forms to be filled out at the time of a sick call provide too much space for comments and explanations, while the inclusion of closed questions can prevent the processing of more data than is allowed.
without the prior assessment of the company physician, an employee's sickness rate is determined and recorded in the absence system.
no explicit confidentiality is imposed on employees who process (health) data of other employees by virtue of their position in the organization.
data are kept longer than necessary.
the purposes for processing personal data are not well documented.
lack of information provision to employees about the processing of personal data.
Especially as the General Data Protection Regulation is about to take effect, it is critical to verify that your organization has everything in place.
Take care when processing personal data of sick employees (Part 1)
Take care when processing personal data of sick employees (Part 2)
Take care when processing personal data of sick employees (Part 4)
This article can also be found in the Privacy in the Workplace file
