ARTICLE
25 July 2025

Privacy Digest - June 2025

KPMG Nigeria

Contributor

KPMG Nigeria is a member firm of KPMG International. We provide Audit, Advisory and Tax & Regulatory services, across various industries, to national and multinational companies. Our purpose is to inspire confidence and empower change. We have a relentless focus on delivering quality and excellent service to clients. We, therefore, provide insights and innovative ideas to clients to help them achieve their corporate objectives.

The Power of Less: Privacy Considerations Around Employment Medical Assessments

Many organisations require successful recruitment candidates to undergo medical tests to determine their fitness before being given an employment offer. As a prospective hire seeking opportunities with an organisation, the rigour of the various stages of assessment ends with a sigh of hope or relief upon receiving a request for medical assessment from the organisation.

While it is common practice to require candidates to undergo these medical assessments, what defines the scope or extent of legally permissible assessments? How much data would constitute crossing the line? Can an organisation actually rely on the consent of the candidate as a basis for this? Is it ideal for an organisation to obtain such robust medical information simply because it can, in a bid to safeguard the vital interest of a potential employee when eventually employed? Similarly, given that some organisations outsource these assessments to external health organisations, how adequate is the contract with such third parties to establish the roles of controller and processor for the medical data, define the responsibilities of each, and protect the interests of data subjects?

In this edition, we will focus on these questions and the importance of adopting adequate data minimisation practices when handling employee and pre-employment medical assessment data. We will explore lessons from useful case studies, practical strategies for reducing data exposure, and the stance of data protection laws on effective data management.

Medical Assessment Data and the Privacy Law in Nigeria

In Nigeria, health data falls under the category of sensitive personal data, a subset of personal data that requires greater care due to its potential to cause significant harm if misused. Pre-employment medical assessments, which often involve the collection of health records, present a critical intersection between privacy laws and organisational needs. How so?

Employers often request health records during recruitment to evaluate a candidate's fitness for a role, ensure workplace safety, or mitigate potential liabilities. However, the existing power imbalance in the employer-employee relationship can leave prospective employees in a vulnerable position. This power imbalance is evident when employers require candidates to undergo extensive pre-employment medical tests, even when such tests may not be strictly necessary for the role. Job applicants are often left with no choice but to give consent to these tests due to the likelihood of losing the employment opportunity should they decline processing. This raises questions about whether their consent is freely given. True balance can only be achieved when organisations adopt a targeted approach, requesting only health information relevant to the specific demands of the position, in addition to giving job applicants clear information on why the pre-employment medical test is required, how their data will be used, and their right to refuse tests that should be optional or tests not relevant to the role, without fear of discrimination.

The Nigeria Data Protection Act (NDPA) emphasises that data collection should adhere to the principles of necessity and proportionality. This means that organisations are expected to only collect data directly related to the requirements of the advertised job to ensure compliance with privacy laws. Over-collection of health data can easily breach these principles, leading to legal and reputational risks.

We will now explore common practices that organisations use when conducting pre-employment medical tests.

How Adequate are Current Practices for Pre-Employment Medical Assessments?

Over the years, many organisations have approached health data handling without much consideration for the privacy or rights of the data subjects. Today, while some organisations are taking steps towards complying with data protection regulations, a closer review of certain practices they have adopted often reveals gaps in compliance or ethical considerations.

In many cases, prospective employees are required to sign consent forms without being informed about the specific medical tests they will undergo as part of standard hiring, or about the processing activities associated with the health data being obtained. Alternatively, some companies rely on legal obligations to process medical data, particularly for roles involving safety-sensitive responsibilities or regulatory requirements, allowing them to mandate health screenings.

Some of these practices stem from limited understanding or interpretation of privacy requirements, while others are driven by convenience. This brings us to a crucial discussion:

  • The Question of Obtaining Valid Consent

Consent may often be relied upon as the lawful basis for processing sensitive health data at recruitment and during employment, but the key question remains: is it truly valid? For consent to be valid, it must be freely given, specific, informed, and unambiguous, as outlined in section 26(1) of the NDPA.

Recruitment candidates may feel that they have little choice but to comply with pre-employment medical tests, fearing that refusal could lead to the loss of a job offer.

This raises concerns about whether such consent is genuinely voluntary. The NDPA sets clear conditions for valid consent, emphasising that it must be given without coercion.

Additionally, employers must prove that consent was obtained in a manner that allows candidates to make an informed decision. Silence, inactivity, or pre-selected options do not constitute valid consent under the law.

The opinion expressed in this article is solely personal and does not represent the views of any organization or association to which the authors belong.
