I wanted to throw a question at the GDPR experts in the community.
A company I have seen is tracking leave including sick days via a group/department calendar. What are the implications, people’s thoughts on the matter of practice?
My initial thoughts are that it would not be classified as “sensitive” data or “healthcare data regarding leave”, especially as marking the type of leave/sick doesn't/wouldn't include any medical information or location data - leave/holiday type.
Naturally, at some level, the information is PII, as you can identify the individual using their name and department, so should be protected from public view and protected, indexed and all that good stuff. However, is restricting the data calendar to be only available to department members/team leaders a stringent enough control?
Could it be argued that by submitting a holiday/leave request or reporting sick the employee provides implied consent to the employer processing that information for the specific purpose with a legitimate interest, which would include availability notification to the department and team?
I was asked the question about it, and I’m not 100% sure on my position on this, so figured I would reach out and get other views on the matter.
I would agree with you on the statement that, by submitting leave (sick or otherwise), there is an implicit consent for it to be known within the company you work for, as I would argue that an employee's status (working or not working) is an operational necessity to the other employees in the company. However, it certainly wouldn't hurt to add that sort of disclosure statement to your company's leave & liberty policy document.
I don't believe that a generic categorization of "sick" or "healthy" is enough to warrant falling under the GDPR category of "Health Data."
I am assuming that only employees have access to the calendar, protected via required authentication, and the calendar is protected via other network security measures, so I think the PII aspect of it is covered.
Here in the US while working for the US government, supervisors had to be very careful about letting the sick leave information become known to other employees. When we had these shared calendars I had employees only put down Leave and no identifier (sick/annual/regular/personal/FMLA/etc.). Really, it is no one's business what type of leave the employee is on, except for the supervisor. All the other employees need to know is that a person is unavailable. If the employee wants to share their medical information with their coworkers, then let them do it themselves.
I knew some supervisors that were fired for leaking an employee's sick leave information and health details.
Probably not a GDPR issue, which deals primarily with the handling of *customer* data, but in the US, it *might* be a HIPAA issue.
In practice, it would probably be best to just have a "Leave / Out of Office" calendar for employees to see if their coworkers are available or not, but the reason for that leave is not everybody else's business, just your direct management's. That said, this kind of semi-formal sick/vacation/jury/whatever notice is *probably* fine, limited to within your organization.
I am neither a HIPAA, nor GDPR expert, and none of this is legal advice.