Managing incapacity: document creation, preservation, access

Section 8 of the Personnel Today Management Resources one stop guide on managing incapacity. Other sections.

Document management may seem like one of the more mundane aspects of dealing with workplace absences. Don't be fooled. It's often a major blind spot for employers and it can make or break a defence to any claims that you might face in relation to sickness management.

Post-Enron, we have all had plenty of food for thought. Keeping your house in order does not mean shredding everything in sight which might be prejudicial. The key concept to have in mind is 'transparency'. Be aware from the outset, ie, when creating documents, that you may well have to disclose them at some point in the future.

Subject access rights

An individual can make a subject access request under the Data Protection Act 1998 to obtain virtually any personal data that you hold on them. The time limit for responding is 40 days. You are obliged to disclose copies of personal data requested as well as details of to whom the data may be disclosed and its source. The legislation does protect you from repeat nuisance requests or access requests that are extremely vague and there are some exceptions. For example, you will not be required to disclose health data where it would be likely to cause serious harm to an individual's physical or mental health or condition (although in most cases you need to check with an appropriate health professional first before withholding the information). As a general rule, you should be working on the basis that you will have to disclose information regardless of how sensitive it is or potentially damaging. Labelling a document 'confidential' will not shield you from an access request.

Employees will also have access rights to medical records obtained by their employers for employment purposes under the Access to Medical Reports Act 1988. The Act covers reports prepared by medical practitioners who are responsible for the clinical care of the individual. At face value, this sounds as if company doctor reports are excluded. However, if you operate an occupational health or in-house medical facility which an individual has made use of in the past, you will be caught by the Act.

Under the Access to Medical Reports Act, you will only be able to commission a medical report if you have the consent of the individual. Bear in mind that the employee has the option of seeing any report before the employer receives it and their consent is required again to forward the report on to the employer. They can also ask for changes to be made to a medical report if they think that any of its contents are incorrect or misleading.

Even if you have managed to stave off an access request you may well have to disclose the information anyway as part of the document disclosure process prior to litigation.

A workable policy

As you can see access and disclosure is regulated by several different areas of law. It is complicated. You must have a policy that you can turn to for guidance on how to respond in an efficient and compliant manner to these requests. Time limits are often quite tight in this area and, given the administrative upheaval that requests can often create, you need to be able to act quickly.

It is no good having a beautifully drafted policy which then sits gathering dust on the HR bookshelf. Policies should be living documents which must be well publicised, easily accessible and updated frequently. The law does not remain constant for too long in this area. Training is the key and not just at the senior levels of the organisation.

Quite apart from knowing when to disclose or withhold information in response to requests, you need to take care with the day to day procedures that often get forgotten about. The crucial moment is the point at which you create a document. Think before you write. A good acid test is whether you would you be comfortable with having to read a document aloud in a court or employment tribunal.

Once your documents have been created, you need to take care over storage and retention. In this area, you are often dealing with confidential and/or sensitive data which is subject to strict processing requirements under the Data Protection Act. Generally, you will be able to satisfy the relevant conditions if you have either an individual's explicit consent to process this information or, alternatively, it is necessary for the purposes of an employment law right or obligation. This latter condition appears to be open to a fairly wide interpretation according to the Information Commissioner and could include rights or obligations under the contract of employment. Nevertheless, you must keep these conditions in the forefront of your mind as they are legal requirements as opposed to glossy good practice.

A secure system

Document security should also be appropriate for the type of data that you are dealing with.

A new Employment Records Code of Practice has recently been released by the Information Commissioner which gives specific guidance on how employers should be dealing with medical and sickness data. The code is not legally enforceable, but it does indicate what the Information Commissioner considers to be the appropriate compliance standard under the Data Protection Act.

One of the key recommendations in this area is that sickness records (which give details of an individual's illness) should be kept separate from absence records (which only record absence levels). Wherever possible, absence records should be used for sickness management unless it is vital to have details of the actual illness. Yet again, you need to think before you gather your evidence in these cases.

To retain or not to retain

Finally, retention periods. The shredder isn't entirely redundant. If you operate routine retention periods, you are not obliged to scrap them and cling on to every piece of paper ever created. Far from it, the Data Protection Act requires you only to hold information that is relevant and up to date.

The flip side of this is 'shred with due care and attention'. Destruction or amendment of documents following a data protection access request will only be permitted as part of a 'retention policy' if you can point to a routine policy that means the information would have been amended or deleted regardless of a request being made. Destroying or withholding documents to save face or, supposedly, protect the employer is a complete no-no.