It is unlikely that employees will voluntarily submit medical information to employers. Employees run the risk of medical information being disclosed to third parties without their consent, as well as the possibility of workplace discrimination from their employers and/or co-workers because of their medical status. While the law protects the privacy of medical information of employees, there are instances under which an employer is permitted to access such information for the employee’s benefit. This article highlights the right to privacy of medical information in the employment setting. The article acknowledges limitations to this right but posits that any limitations to the right to privacy of medical information must be sanctioned by law.
Under the 1992 Constitution of Ghana (“Constitution”), all persons have a right to privacy. The right to privacy is to be protected from arbitrary and unlawful interference from the state or natural or legal persons. Personal information on computers, databanks and other devices held by public authorities or private individuals/bodies is protected by the right to privacy. However, under the Constitution, the right to privacy is not absolute. The Constitution provides that the right to privacy is subject to what is necessary for:
(i) a free and democratic society for public safety or the economic well-being of the country;
(ii) for the protection of health or morals;
(iii) for the prevention of disorder or crime; or
(iv) for the protection of the rights or freedoms of others.
In delineating the scope of the right to privacy under the Constitution, the Supreme Court of Ghana has noted that, “[i]t is up to the individual, subject of course to statutory laws made for the public good as stated in Article 18(2) itself, to decide if there should be any intrusion into, scrutiny or publicity of his private life including his communication.” [emphasis is mine]. Thus, despite an employee’s right to keep medical information private, under certain instances prescribed by law, an employer may have reasonable access to an employee’s medical information. The balance between confidentiality and lawful access to medical information is compatible with the Public Health Act, 2012 (Act 851) (“Public Health Act”). Under the Public Health Act, except where medical information is required by law or is in the public interest, a patient’s medical information shall not be divulged to a third party without the consent of that patient or a person acting on the patient’s behalf.
An employer may therefore process medical information of an employee in accordance with the Data Protection Act, 2012 (Act 843) (“Data Protection Act”) which recognises medical information as special personal data. Processing under the Data Protection Act includes the collection, retrieval, disclosure, dissemination or erasure or destruction of the information or data and special personal data shall not be processed unless the data subject consents to the processing or it is necessary. The processing of special personal data (medical information) is necessary where it is for the performance of a right or an obligation conferred or imposed by law on an employer.
Instances where an employer may process the medical information of an employee are as follows:
- Certification as to medical fitness: Under the Labour Regulations, 2007 (LI 1833) (“Labour Regulations”), an employer is entitled to receive medical certification from a recognised medical practitioner that the prospective employee is fit to work.
- Reporting on persons with disabilities: Under the Labour Act, 2003 (Act 651) (“Labour Act”), an employer must notify the Public Employment Centre of the employment of a disabled person.
- Payment of compensation: Under the Workmen’s Compensation Act 1987 (P.N.D.C.L 187) (“Workmen’s Compensation Act”), an employer is required to pay an injured employee compensation commensurate with the incapacity so assessed by a medical doctor. An employer reasonably ought to know the nature of the incapacity of an employee for injuries or diseases or death occurring in the performance of duties so as to grant equitable and fair compensation to the incapacitated employee.
However, as with all forms of personal data, an employer who processes the medical information of an employee must ensure that information is processed: (i) without infringing the privacy rights of the data subject; (ii) in a lawful manner; and (iii) in a reasonable manner. Additionally, the medical information must be processed for a specific lawful purpose which must be explicitly defined and related to the functions or activity of the employee. An employer must take the necessary steps to ensure that the employee is aware of the purpose for the collection of the medical information.
Although employers may have lawful grounds for processing employees’ medical information, all requirements for processing personal data under the law must be complied with. Furthermore, because of the sensitivity of medical information, it must be handled with the necessary degree of skill and care.
We emphasise that medical information is private and except provided by law, an employee is not required to hand over medical information to his/her employer.