The Dutch Personal Data Authority (Autoriteit Persoonsgegevens) has fined a Dutch company 15,000 euros for processing health data of sick employees and not securing it properly.
Registration of special personal data
The company CP&A kept sick leave records in which it recorded highly sensitive information about the physical and/or mental health of employees, such as the names of illnesses, specific complaints and indications of pain. This sensitive information is not necessary for the reintegration of employees after their sick leave. Therefore, the company was not allowed to register these data.
Health data fall under the so-called "special categories of personal data". This category includes sensitive data such as a person's race, religion or health, and the legislator provides extra protection for it. According to the privacy legislation, an employer is not allowed to register information about the nature and cause of someone's sick leave. An occupational health and safety service or company doctor may ask for this information, but an employer may not.
It is prohibited to process special personal data, unless there is a legal exception such as the protection of vital interests of the person concerned. For example, an employer may register that an employee has epilepsy and inform colleagues so that they know what to do if that person has an epileptic fit.
Furthermore, CP&A's absence registration was insecure: it was accessible online and without authentication. Health data are subject to extra-strict security requirements. Only authorised employees may view the data, and if an absence system is accessible via the internet, access must be secured with multi-factor authentication.
The basic fine for the two violations is over 1 million euros (725,000 and 310,000 euros respectively). However, the Personal Data Authority took the company's ability to pay into account and set the fine at €15,000.