In our previous GDPR post, we provided an overview of the European Union General Data Protection Regulation in the context of occupational health. In this post, we consider the rights of data subjects for whom these regulations were enacted and how Enterprise Health can help its clients comply.
What are the rights of data subjects?
The GDPR extends a number of rights to data subjects (in our case, employees of our Enterprise Health clients), many of which apply in an employment/occupational health context. Fortunately, Enterprise Health employee portals can be configured to help our clients comply (more on that later). Some of these applicable rights include:
GDPR Article 12 — indicates that data controllers must provide information relating to processing to the data subject in a concise, transparent, intelligible, and easily accessible form, using clear and plain language.
GDPR Articles 13/14 — indicate that pertinent information must be provided to the data subject whether the personal data are collected from the data subject or obtained from another source.
GDPR Article 15 — indicates that the data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and pertinent information.
GDPR Article 16 — indicates that the data subject shall have the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her. Taking into account the purposes of the processing, the data subject shall have the right to have incomplete personal data completed, including by means of providing a supplementary statement.
GDPR Article 17 — indicates that the data subject has the right to erasure or “the right to be forgotten.” Given other legal requirements to retain employment records including employee health information for defined time periods, we intend to work with our clients to determine how/if this article applies in an occupational health processing context.
GDPR Article 18 — indicates the data subject has the right to obtain from the controller a restriction of processing if certain situations apply.
GDPR Article 19 — indicates the controller shall communicate any rectification or erasure of personal data or restriction of processing carried out in accordance with Article 16, 17, or 18 to each recipient to whom the personal data have been disclosed, unless this proves impossible or involves disproportionate effort. The controller shall inform the data subject about those recipients if the data subject requests it.
GDPR Article 20 — indicates the data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used, and machine-readable format, and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided. It goes on to say the data subject shall have the right to have the personal data transmitted directly from one controller to another, where technically feasible. While the technical feasibility language and its implications could fill up several more blog posts, we have years of experience in generating and transmitting standardized electronic health information in both human-readable and machine-readable formats.
GDPR Article 21 — indicates the data subject has the right to object at any time to the processing of personal data concerning him or her.
GDPR Article 22 — indicates the data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.
How can Enterprise Health assist in addressing data subject rights?
Enterprise Health employee portals were designed to streamline communication between employees and occupational health clinics, and can be configured to help support the rights of GDPR data subjects. We are finalizing a data privacy module within the employee portal designed to address these rights with the following specific capabilities:
Articles 12, 13, 14, and 22: The employee portal can present, in plain language, detail on the kind of information collected, how that data is processed, and other elements to meet individual GDPR article requirements.
Articles 15 and 20: The employee portal can enable data subjects to access their information and download it in both human-readable and machine-readable formats.
Article 16: The employee portal can incorporate a form enabling the data subject to request rectification of their personal data.
Article 18: The employee portal can incorporate a form enabling the data subject to request restriction of processing, and secure messaging functionality can inform the data subject before the restriction of processing is lifted.
Article 19: The employee portal can use existing secure messaging functionality to inform data subjects of activity related to rectification or restriction of processing.
Article 21: The employee portal can incorporate a form enabling the employee to lodge an objection regarding the processing of their personal data.
Does EU employee data have to stay in the EU?
Articles 13 and 14 from the GDPR include the requirement to provide information to the data subject including “where applicable, that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47, or the second subparagraph of Article 49(1), reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.”
In short, the GDPR includes some very specific requirements regarding the transfer of data out of the EU — including that the data transfer only be made to countries that have adequate data protection laws. While the EU does not identify the United States as one of the countries that clear the adequate data protection bar, there is a program called Privacy Shield that designates individual companies as having adequate protection and as such able to participate in data transfer outside the EU.
As a data processor, Enterprise Health complies with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively. Enterprise Health has certified to the Department of Commerce that it adheres to the Privacy Shield Principles of Notice, Choice, Accountability for Onward Transfer, Security, Data Integrity and Purpose Limitation, Access, and Recourse, Enforcement and Liability.
Enterprise Health recognizes that its clients managing the employee health data of EU citizens will have varying opinions on the transfer of data to the US, and we support a variety of hosting options including client self-hosting and third-party cloud service hosting in the EU. For those clients who elect to have us manage EU citizen data from our US data centers, our employee portals can be used to share appropriate data transfer information with affected data subjects.