Health Confidentiality in the Workplace UK | Legal Rights to Privacy (2024)

Medical confidentiality in the workplace is a sensitive issue. If you disclose health information to your manager or HR, you have a right to privacy. There are also many situations where you are not legally obliged to disclose sensitive personal information about your health to your workplace.


If your confidentiality is breached at work, it can cause a lot of stress and upset. We’ll look at your right to medical privacy at work.

We will also explore situations where you need to disclose a medical condition to your employer, and how you should approach letting them know.


What is Medical Confidentiality in the Workplace?

The law on confidentiality about health and medical data applies to everyone in the workplace. That means information disclosed by managers, as well as anything shared between work colleagues, is covered under the Data Protection Act.

This means that every workplace should have policies around personal health-related conversation in the workplace. All workplaces should make sure employees understand that disclosing medical information about a colleague without their permission would breach the Data Protection Act.

Data Protection Act 2018 & GDPR

Issues of medical confidentiality at work were previously covered by the Data Protection Act 1998. However, this has since been replaced by GDPR law.

The Data Protection Act 2018 is the UK’s legal framework, created to comply with GDPR.

How Does GDPR Apply to Medical Information at Work?

The Data Protection Act 1998 includes health issues and confidentiality in its remit. Under the terms of the Act, health data is “sensitive personal data”.

GDPR governs how all personal data is treated. It classes medical data as a “special category” of data, and processing of this data is not allowed unless you consent. It might also be allowed if you have already made the information about yourself public, or if it is needed to protect your interests at work.

However, this would not be satisfied simply because a manager felt your colleagues “needed to know”. If your medical information needed to be shared with HR staff in order to make reasonable adjustments or process sick pay entitlements, this would most likely be reasonable.

If you have concerns about how your workplace has used or shared personal data, you should contact ACAS. They will help you understand what is and is not allowed in your circumstances.

This article on worker’s health information and data protection law has a detailed overview.

My Manager Has Breached My Confidentiality – What Should I Do?

Your approach to a breach of medical confidentiality by your manager will vary depending on how serious it is. However, in the first instance you should document the breach in writing.

You may wish to write a clear and concise email to your manager outlining why you consider they have breached your right to confidentiality at work. Keep it factual, and do not allow emotion to creep into the email. If you are feeling emotional, it might be a good idea to leave your email as a draft and re-read it later.

Request a Solution

If there are any actions you feel should be taken to try and remedy the situation, these should be outlined.

For example, if your manager has disclosed a health condition to work colleagues, it might be reasonable to request that they speak to them and ask that the disclosure is not repeated. You may wish to copy HR into the email if you feel you might want to take the matter further and raise a grievance.

If the breach is particularly serious, maintaining a paper trail of communications might help if you decide to take the issue to an employment tribunal.

It would be a good idea to have a conversation with ACAS before sending any communication. Understanding your rights will help in resolving the situation and keeping things constructive. Remember, you do have a clearly defined right to medical confidentiality.

Storing Health Data at Work

Placing health data in a computer or file is legal if medical purposes require it. The person who processes the data must be a healthcare professional or someone who has a similar duty of confidentiality.

Storing medical data at work is also legal if a worker gives an employer permission to do so. Under GDPR law you have the right to access any data stored about you at work. Your workplace must also have a clear policy about how your data will be stored and processed.

If you feel your workplace has breached GDPR law in relation to your medical data, you should speak to your workplace data controller. If your workplace does not have a data controller, you should speak to your manager in the first instance.

After that, you may wish to report the matter to the ICO if you feel your concerns have not been addressed.

There is no obligation for a worker to give medical details to an employer. In practice, many workers will give this information out of courtesy and to fully explain any absences from work.

If they do so, they have a right to expect that the employer will not divulge the details to anyone. This means that your manager should not share information about your health with your co-workers unless you give permission.

Reasonable Requests for Medical Information

On occasion, an employer may need full medical details from a worker. Under some circumstances, this is reasonable.

The health and safety requirements of a workplace may be such that there are legitimate risks if an employer is not aware of workers’ medical background. Some health conditions can affect workplace safety, and should be shared.

If you are asked to share medical information, or are required to undergo a medical for work purposes, your data should be kept confidential.

Reporting Ill Health

When calling in sick, you are not obliged to say exactly why you are unwell.

You can give a broad report of ill health. A worker has an obligation to perform a job. If something affects this performance, an employer has a right to know that poor health is the cause.

All you need to explain to an employer is how a condition affects your work. You should also say when you expect to be back to full fitness. There is no need to mention the nature of the condition.

Occupational Health Professionals

An employer may ask an occupational health (OH) professional to speak to a worker who is ill. The duty of confidentiality that applies to a doctor or nurse also applies to an occupational health professional.

This means that a worker can speak to an OH professional in the knowledge that an employer will not learn the nature of an illness.

An OH professional does, of course, report back to an employer. Such a report should give details about a worker’s ability to function. It should say whether or not a worker’s state of health will improve and when. An OH report should not have any medical details unless a worker agrees in writing.

An OH professional may keep an additional record that gives full details about a worker’s health. An employer does not have an automatic right to gain access to this.

A worker must first give his or her written agreement. On the other hand, a worker has a right to see such a record at any time.

Further Reading

  • – our guide looks at navigating cancer diagnosis and treatment in the workplace.

Health Confidentiality at Work FAQs

Hopefully the above article has given a good overview of the law and best practices around health confidentiality at work. However, here are some commonly asked questions to help your understanding of how the law might apply to you and your work.

Can my boss discuss my medical condition?

There are limited situations at work where your boss can discuss your medical information. It would be appropriate for them to talk about health issues with HR to ensure your wellbeing. However, discussing private health information with co-workers would breach your right to confidentiality at work.

Can your employer ask for your health records?

Your employer or occupational health can ask for a report from your doctor; however, this does not mean they will gain unrestricted access to your health records. They will be able to ask whether a condition you have affects your role at work. The report might also state in general terms whether you need reasonable adjustments or whether your condition constitutes a disability.


FAQs

What are the laws on confidentiality in the UK?

Common law requires there to be a lawful basis for the use or disclosure of personal information that is held in confidence, for example: where the individual has capacity and has given valid informed consent; or where disclosure is in the overriding public interest.

What is the right to privacy at work in the UK?

You have the right to see any information held about you, like emails or CCTV footage. Your right to a private life means you have the right to some privacy in the workplace. You can't be monitored everywhere. If your employer doesn't respect this, they'll be breaching human rights law.

Can I sue my employer for disclosing medical information in the UK?

If your employer has been sharing your personal information with other employees, then you may potentially have grounds for making a compensation claim against them. In order to make a claim, you would need to be able to show that the way this information was shared breached the Data Protection Act.

What are the rights of employees to privacy in the workplace?

Employees have the right to keep private facts about themselves confidential and the right to some degree of personal space. An employer that discloses private facts or lies about an employee may be held accountable in a civil action for invasion of privacy or defamation.

What is confidentiality in healthcare in the UK?

A duty of confidentiality arises when information is obtained in circumstances where it is reasonable for a person confiding personal information to expect that it will be held in confidence by the recipient of the information.

What are the privacy rights in the UK?

The right to be informed about how and why their data is used (and you must give them privacy information); the rights to have their data rectified, erased or restricted; the right to object; the right to portability of their data; and.

What is the privacy regulation in the UK?

The Data Protection Act 2018 is the UK's implementation of the General Data Protection Regulation (GDPR). Everyone responsible for using personal data has to follow strict rules called 'data protection principles'. They must make sure the information is: used fairly, lawfully and transparently.

What legal rights do employees have in the UK?

Employment rights
  • protection against unlawful deductions from wages.
  • the statutory minimum level of paid holiday.
  • the statutory minimum length of rest breaks.
  • to work no more than 48 hours on average per week, or to opt out of this right if they choose.

What are the UK privacy principles?

The Seven Principles
  • Lawfulness, fairness and transparency.
  • Purpose limitation.
  • Data minimisation.
  • Accuracy.
  • Storage limitation.
  • Integrity and confidentiality (security).
  • Accountability.

Can an employer tell others about your health issues?

Can My Employer Disclose My Medical Information To Other Employees? In California, employers are generally prohibited from disclosing a worker's medical information to other employees. State laws provide important safeguards to protect employee privacy.

Can my employer ask for medical information in the UK?

An employer must get an employee's permission to ask for a report about their health. An employer should tell their employee: why they're asking for the report; and that they will not get access to their full medical records, only the information they need.

Can my employer tell others I am sick in the UK?

In summary, you should not discuss the reason for an employee's sickness absence with their colleagues without the employee's consent because you could end up in difficulties if you say something in breach of the employee's confidentiality and/or your comment/s place you (and the employee) in an awkward situation.

What is considered an invasion of privacy in the workplace?

Intrusion into an individual's private solitude or seclusion. An employee may allege this form of privacy invasion when an employer unreasonably searches (e.g., a locker or desk drawer) or conducts surveillance in areas in which an employee has a legitimate expectation of privacy (e.g., dressing rooms).

What are the confidentiality rules for employees?

Employees are expected to maintain the confidentiality of all sensitive information they have access to in the course of their job duties, including personal information about employees, customers, and other stakeholders, and proprietary and confidential business information.

Can your employer give out your personal information?

Things like job applications, criminal background checks, credit histories, complaints and commendations all contain potentially private information about an employee, and if an employer carelessly discloses them, the employee can bring a claim for invasion of privacy.

When can a doctor break confidentiality in the UK?

If it is not practicable or appropriate to seek consent, and in exceptional cases where a patient has refused consent, disclosing personal information may be justified in the public interest if failure to do so may expose others to a risk of death or serious harm.

Can you sue for breach of confidentiality in the UK?

Under data protection law, you are entitled to take your case to court to: enforce your rights under data protection law if you believe they have been breached.

What is breach of confidence in the UK?

What does Breach of Confidence mean? A claim to protect confidential information. Typically, the information concerned must: have the necessary quality of confidence; have been communicated to a recipient in circumstances imparting an obligation of confidence; and have been used in an unauthorised manner.

What are the consequences of breaching confidentiality in the UK?

Consequences may include: Legal Action: Employers can take legal action against employees who breach confidentiality agreements, potentially leading to injunctions, damages, and, in severe cases, criminal charges.

Article information

Author: Prof. Nancy Dach
