Service providers of health portals and health apps analyze the movement behavior, the consumption behavior and the subjective well-being of their users. Already this offer is viewed critically by data protection authorities because it represents the disclosure of very sensitive personal data. Recently, such service providers use web-based health portals to approach employers to provide business health management consulting services.
As part of the web-based data processing by the service provider a variety of personal (often health-related and thus “sensitive”) data of the employees is collected. Employees are encouraged to answer all health portal questions truthfully. On the basis of the collected data, employees receive, for example, emails or text messages from the service provider, which should encourage them to engage in sports activities and to change their consumer behavior.
In the consulting service, the employer is additionally offered the creation of a mental risk assessment on the basis of the data entered by the employee in the web-based health portal.
Collection, processing and use of personal data in the employment relationship
The Federal Data Protection Act (BDSG) regulates the admissibility of the processing of personal data in the employment relationship. For example, section 32 (1) sent. 1 BDSG stipulates that the personal data of an employee may be collected, processed or used for employment purposes, if this is the case for the decision to establish an employment relationship or justification for employment or termination is required.
Since health data regularly fall under the “sensitive” (ie special types of personal) data according to § 3 Abs. 9 BDSG, special provisions regarding the admissibility of their collection and processing within the employment relationship in accordance with § 32 BDSG. Simitis also states in his BDSG comment that questions about the health status of an applicant must be justified by “specific, job-related requirements and risks”.
The question of the general state of health or pre-existing illnesses by the employer is thus in principle inadmissible and left to the special legal regulations of the company doctor. In particular, in view of the medical confidentiality under § 203 StGB, this ensures that the data to be disclosed to the employer are kept to the minimum required and, for example, that no information about the type of illness is passed on.
Also, for example, the general question of the employer whether a candidate smokes, not allowed. This applies equally to questions in the context of an existing employment relationship.
According to section 32 (1) sentence 1 BSDG, data on the privacy of an employee may also not be collected. Data attributable to the privacy of an employee include, for example, data on hobbies, personal interests, sports activities, eating habits and consumption behavior or the like.
Contractual relationship of the parties and data use for purposes of the enterprise
As far as a data processing by the employer can not be based on § 32 BDSG (and no other data protection legal permission or data collection obligations are evident) is evidenced by § 4 paragraph 1 BDSG (compulsory for the employee) collection of data by the employer under data protection law inadmissible. Accordingly, the health service provider can not be used as an instruction-bound processing data processor according to § 11 BDSG for the employer to collect the data.
Employee consent to the employer also does not require the employer to collect the data because, on the one hand, this can not be voluntarily given due to the dependency situation and, secondly, in view of the data collection purpose pursued by the employer (measures regarding employee appraisal / selection depending on health status and consumption habits) would also be legally inadmissible with regard to the AGG guidelines.
Thus, the third-party service provider forms its own data protection law responsible body, to which the employee entrusts his data on a voluntary basis. In this respect, the employer is to be qualified as a fully independent third party pursuant to Section 3 (8) BDSG.
Duty to inform employees
In collecting the data by the healthcare provider, the latter has to inform the employees in detail about the nature and extent of the planned use of their personal data.
A use of the data for a mental risk assessment in accordance with § 5 Abs. 2 Arbeitsschutzgesetz for purposes of the employer and an accompanying data transfer is inadmissible and for the described reasons also not to be justified by a consent.
Also, an (attempted) anonymization or pseudonymization of the data by the healthcare provider prior to passing on to the employer for the purpose of occupational safety and health is ruled out, as these data relate precisely to a job or a specific activity and thus the possibility of repatriation to a natural person or to open a group of natural persons.
Registration with private e-mail address
As a result of this private occasion, the question also arises as to whether it is permissible for employees to register at a web-based health portal with their business e-mail address and then receive e-mails from the web-based health portal with information about their state of health.
This is especially against the background that many companies have prohibited the private use of the business e-mail address for legal reasons (cf further the discussion about the range of the telecommunications secrecy with permitted private use ) and at the same time on the e-mails of the employees during their absence may be accessible. Here, the use of the business e-mail address for private purposes of health improvement would conflict with the company’s internal requirements.
The preferred method of a company to promote the health of its employees should continue to be to encourage them to work in a sports club and possibly to support them. Larger companies have their own company sports clubs.
In addition, this type of exercise also allows the important community experience, which should be too short for a web-based individual request.
According to our legal opinion, the use of a web-based health portal by the employer is inadmissible under data protection law.
If, nevertheless, reference is made to the health portal of an external service provider, the following basic conditions must be observed:
The health portal of the external provider must be legally and technically completely separate from the employer.
The employer informs the employees that the web-based health portal offer is a voluntary service that is wholly within the privacy of the employees.
Employees must be free to decide whether or not to use the web-based health portal for their private purposes.
Employees only log on to the web-based health portal with their private data (in the case of a ban on the private use of the company’s e-mail inbox, even with their private e-mail address), if health-related data (exercise tips, nutritional recommendations etc.) to the persons concerned.
When using apps of the web-based health portal esp. On operating terminals, it must be ensured that the employer does not receive information from the health portal.
The data generated in the web-based health portal of the service provider may not be used for the purposes of the employer and may not be shared with the employer.
Ralf Zlama is external data protection officer of the Institute for IT Law (iitr), a consulting firm for data protection requirements.