DPA, employers, and hospital appointments

scrabbles_2

I'm a bit concerned at the way my workplace are treating my personal data and I was hoping someone might be able to tell me where I stand.

Yesterday a colleague found a copy of a letter relating to a hospital appointment of mine on our office fax machine. She gave it to me but at least three or four other colleagues were shown the letter first. It relates to an appointment I had earlier this week, and I had given the letter to my line manager to explain my absence (we get paid time off for medical appointments). The letter wasn't on a letterhead, as I was called in to see my surgeon at short notice after a test result (I have a fairly-serious ongoing health condition). I had asked them to print the letter off for me when I arrived at the hospital as proof of the appointment.

I asked my manager if she knew why it was on the fax machine and she said she'd look into it. She came back to me later that afternoon and said HR had been checking up on me because the letter wasn't on a letterhead and that they'd got the hospital to fax another copy of the letter over. I have nothing to hide as I have done nothing wrong, and I'm not too bothered that they wanted another copy of the letter, (though I don't know of any reason that they shouldn't trust me). If they had asked I would have contacted the surgeon's secretary and asked them for a proper letter-headed copy to provide to them. But I do have a few questions.

1) Are my employers allowed to call the hospital and confirm my appointments without my consent? I was under the impression that they are not entitled to this information without my permission, I thought it came under the data protection act. Is there an exception that I don't know about?

2) The fax machine it was sent to is shared by the whole of the floor of our office, about 100 people. It's not that I'm hiding my ongoing health issues exactly, but the nature of my illness is rather embarrassing and I'm not happy that the fact I'm having colorectal surgery has been broadcast across the office. I'm used to jokes about "s**t happens" and "your health is a pain in the a**e" jokes from friends, and even find them quite funny in the right circumstances, but I don't find them funny from colleagues I don't even know Now, maybe I'm being a bit thick here, but our HR office is on a completely different floor of the building... isn't it reasonable to expect that they have their own fax machine and that it is away from prying eyes?

3) I have previously complained that my medical letters were going missing and/or being left around the office. I thought this had been resolved when the last manager left. The lady at the next desk says that there are special rules about how medical information has to be stored. Does anyone know what these are called so I can read up on them please?

My manager did apologise, but I get the impression that she really doesn't get why I am bothered. I'm not trying to be unreasonable or go after my employer or anything like that, but I am quite upset and I would ideally like to find out what the rules are so I can go to HR on Monday and (nicely) explain that I think I deserve my data to be treated with a little more respect. Can anyone help please? I do have a union but we are not a unionised workplace, so I can only really get them to help with this if I make a formal grievance, which seems a little adversarial to me.

System

1. There is no law stopping them contacting the hospital. The more pertinent point as far as DPA is concerned is that the hospital released the information to them.

2. This is HR's c0ck-up. If they are being sent medically confidential info to a general fax machine then they should be monitoring it to prevent what has happened.

3. No idea

LittleVoice

3 -

Medical records are "sensitive" but I am not aware of special rules in relation to how an employer would store them.

Clearly hospitals have rules about storing records and who has access to them.

If they were faxing something they should have ensured that the receiving fax was a safe haven or adequately private. However I fail to see why they would need to fax anything to the employer - they could have simply confirmed on the phone the wording of the letter HR held. Presumably because the original had been requested by the OP in order to pass it to the employer, patient permission would be implied.

Emmzi

1.you had already asked the hospital to write the letter, therefore no new information was being disclosed to anyone you had not already said could have it

2. it sucks that it came by fax, but if there is no fax in HR (we haven't had one since 2007) does the HR person sit all day by the fax machine? So it depends a bit it the hospital said "we'll fax it now" or "we'll fax it sometime and we aren't prepared to put it in the post." I can see the odd thing going wrong, BUT

3. I would raise a grievance as it has happened more than once though

Is your condition such that you are afforded protection under the equality act?

If not, then actually your employer does not have to allow you any time off for appointments - and the simplest solution is to use holidays or flexitime.

mountainofdebt

I would have thought your compliant would be better directed at the consultant's secretary ....anyone could have rung up and said that they were from your HR department.

Also if it was that confidential why didn't the secretary email the letter (the domain name would have sufficed to prove it came from a hospital) or check that the person who had requested it was standing by the fax machine before sending it.

DVardysShadow

scrabbles wrote: »

1) Are my employers allowed to call the hospital and confirm my appointments without my consent? I was under the impression that they are not entitled to this information without my permission, I thought it came under the data protection act. Is there an exception that I don't know about?

Anyone in the whole wide world is allowed to call the hospital and confirm your appointments. A problem only arises for the hospital if they breach your privacy.

In your case, your employer already knows about the appointment, so there is no privacy issue. Effectively, they are asking the hospital to confirm the authenticity of a letter. So it is a very different matter.

More broadly, you employer has been negligent with your information. Stick to the core of the argument and you won't go far wrong. But don't drag in red herrings, because it will dilute your point.

tafelmoneysaver

You will get the best advice direct from the Information Commissioner's Office who regulate and enforce the DPA:
https://www.ico.gov.uk/Global/contact_us.aspx

ohreally

If your employer required further clarification, they should ask you to provide this. The admin staff at the hospital should not have sent this information, instead referring the employer back to yourself.

Personal data relating to you in this context will almost certainly be regarded a sensitive data and as such should be treated accordingly with access extremely limited. There needs to be some accountability from the employer here.

Jokes about your health are at best in poor taste and likely to be inappropriate.

I'd be looking at prosecuting a grievance with the employer and raising the issue of the fax with the hospital as at best someone needs a procedural training refresher.

TeaForOne

I agree with Ohreally.

It's pretty much inconceivable that a hospital would disclose information about you to your employer without your consent. Information governance is an extremely hot topic at the moment - in my previous role I had to train my staff who never came into contact with patients or the public, so consultants' secretaries must have been trained (surely?).

I'd hazard a guess that your manager is lying to you for some reason; if not, you should complain to the hospital.

Either way your personal data is "sensitive personal information" under the data protection act and your employer has a responsibility for treating it as such.

You may find the following helpful in framing your approach.

http://www.ico.gov.uk/for_organisations/data_protection/topic_guides/employment.aspx

Good luck