Why proper medical documentation matters for employers

When an employee is absent due to illness, the organisation must navigate several simultaneous obligations. Operationally, it needs to manage the absence — covering workload, updating payroll, communicating with the team and planning the return. Legally, it must verify the absence is genuine where required, ensure statutory sick pay obligations are met, and assess whether the absence pattern triggers any occupational health or duty-of-care considerations. From a data protection standpoint, any health information it handles must meet the elevated requirements that apply to special category data under GDPR.

Most HR teams are reasonably competent at the operational dimension. The legal and data protection dimensions are where organisations expose themselves to risk. Medical documentation that is shared too broadly, stored insecurely, retained beyond its legal period or processed without a clear lawful basis can result in regulatory action, employment tribunal findings of unlawful processing, and — perhaps most damaging in practice — a serious erosion of employee trust that affects engagement and retention long after the specific incident.

The stakes are not hypothetical. Data protection authorities across Europe have issued substantial fines to employers for improper handling of employee health data. The UK Information Commissioner's Office has similarly taken enforcement action against employers who failed to secure medical records or who shared health information without legal justification. For HR teams, medical certificate management is not a filing question — it is a compliance question with material consequences.

Health Data Is Special Category Data Under GDPR

Processing health information requires explicit legal basis under Article 9 of GDPR, documented processing activities in your Record of Processing Activities, enhanced security measures beyond those applied to ordinary personal data, and a Data Protection Impact Assessment where processing is likely to result in high risk. An employee medical certificate is not a standard HR document — it is special category data that requires its own documented justification, security controls and retention schedule.

Types of medical documents HR manages

The category of "medical documents in HR" is broader than most people initially appreciate. The most familiar is the medical certificate or fit note provided by a general practitioner to certify a period of sickness absence. But HR teams regularly handle a considerably wider range of health-related documentation, each with its own handling requirements.

Fit notes and medical certificates are the most common. In the UK, the Statement of Fitness for Work (the "fit note") confirms whether an employee is not fit for work or may be fit for work with specified adaptations. In other European jurisdictions, equivalent certificates function similarly. These are produced by the employee's own medical practitioner and handed to the employer as certification of the absence.

Occupational health reports are generated when an employer refers an employee to an occupational health service — either because of a pattern of absence, a return-to-work assessment or a question about reasonable adjustments. These reports are detailed clinical documents that describe the employee's health situation, its impact on their capacity to work, and recommendations for accommodations. They require especially careful handling because they are created specifically at the employer's request and may contain detailed diagnostic information.

Workplace injury and accident records contain health information about injuries sustained at work. These may have extended retention requirements under health and safety legislation — in some jurisdictions up to 40 years for certain categories of industrial exposure. Requests for reasonable adjustments or disability-related correspondence contain implicit or explicit health information and must be treated accordingly. Return-to-work interview records, where they document health-related information discussed during the interview, are also health data. And pre-employment health assessments, where permitted and relevant, form part of this category.

GDPR and health data: special category protections

The GDPR treats health data as special category data under Article 9, recognising that health information is particularly sensitive and that its misuse can cause particularly serious harm. Processing special category data is prohibited unless a specific exception applies. For employment-related health processing, the most commonly applicable exceptions are: processing necessary for the purposes of the employer's obligations in the field of employment law (Article 9(2)(b)); processing necessary for the assessment of the working capacity of an employee (Article 9(2)(h)); and, where the employee has given explicit informed consent (Article 9(2)(a)).

The key word in each of these exceptions is "necessary." The processing of health data must be necessary for the specific purpose identified — not merely convenient or potentially useful. An employer who collects medical certificates and shares them with line managers, department heads and HR generalists across the business cannot claim that all of this processing is "necessary" for managing the absence. Only the people who need the information to perform a specific function in the management of that absence have a necessity-based justification for access.

Beyond the lawful basis question, GDPR requires that special category data processing be documented in the organisation's Record of Processing Activities, that appropriate technical and organisational measures are in place to protect the data, and that where the processing involves high risk, a Data Protection Impact Assessment has been completed. For HR teams that process health data regularly and at scale — which includes almost every organisation with employees — this means that medical certificate handling should be explicitly addressed in DPIA documentation, in privacy notices to employees, and in data processor agreements with any third-party systems used to store or process that data.

Secure HR Document Vault in Treegarden

Treegarden's HR document vault stores medical certificates and health-related documents in encrypted storage with role-based access controls that are maintained separately from general HR files. Medical documents are physically isolated in a restricted category that requires explicit authorisation to access — it is not possible to inadvertently grant a line manager or general HR user access to medical records without a deliberate administrative action. Each document category has its own access matrix, ensuring that compliance requirements are enforced at the system level rather than depending on manual vigilance.

Secure storage requirements for medical records

The technical requirements for securely storing employee medical records are substantially more demanding than those for general HR documents. The starting point is encryption: medical records must be encrypted both at rest and in transit. This means that even if the storage system is compromised, the health data is not readable without the encryption keys. Most cloud-based HR systems provide encryption at rest as a baseline feature, but it is worth verifying that encryption extends to all backup copies and that key management practices are appropriate.

Access control is the second fundamental requirement. Medical records should be accessible only to users with a documented, role-specific need. This is not a simple matter of setting a folder permission — it requires a granular role-based access model that distinguishes between, for example, an HR administrator who can upload documents, an HR manager who can view them for operational purposes, an occupational health liaison who can view and add occupational health reports, and a payroll administrator who may need to confirm the existence and dates of a certificate without seeing its contents. Each role should have access to exactly what it needs and nothing more.

Physical storage of paper medical certificates — still common in many organisations — presents additional risk. Paper documents containing health information should be stored in locked, fire-resistant cabinets, accessible only to authorised personnel. Access to the physical filing location should be logged. Where possible, paper certificates should be scanned and stored in the secure digital system promptly, with the paper copy shredded after a short retention period appropriate to local requirements. Maintaining parallel paper and digital records of medical information is a common source of data security incidents and should be avoided.

For cloud-based storage, the data processing agreement with the cloud provider must address health data specifically. Standard DPAs often do not explicitly cover special category data processing, and HR teams should ensure their agreements contain appropriate provisions for encryption standards, sub-processor management, breach notification timelines and deletion procedures.

Access Audit Log

Every access to an employee's health-related documents in Treegarden is logged automatically with the user identity, timestamp, action taken (view, download, upload, delete) and the session context. This audit log is immutable — it cannot be edited or deleted by system users — and is available to HR administrators and data protection officers for compliance review. When an employee exercises their right of access under GDPR, the audit log provides a complete record of who has accessed their health data and when, supporting both transparency obligations and internal accountability.

Who can access medical records and why

The question of who should be able to access employee medical certificates is one that many organisations handle incorrectly, typically by granting access that is too broad. The default assumption should be that access to medical records is restricted — the burden of justification rests on those claiming a need for access, not on those advocating restriction.

The HR team members directly responsible for managing sickness absence administration have a clear operational need. They must receive, verify, file and act on medical certificates as part of their core function. This access is justified by the employment law processing basis and is clearly necessary for the performance of HR's legal obligations.

Occupational health professionals involved in a specific employee's case have access to the information relevant to that case as part of their professional function. They may also need to produce reports that draw on the original certificate, which justifies access to the source document.

The payroll team's access need is narrower than it first appears: to process statutory sick pay or contractual sick pay correctly, payroll needs to know that a certificate exists and covers the relevant dates. This does not require access to the certificate itself — it requires a notification that a valid certificate has been received and the dates it covers. A well-designed system provides payroll with this functional information without exposing the medical content of the certificate.

Line managers occupy a particularly sensitive position. Operationally, a line manager needs to know when an employee will be absent, for approximately how long, and what — if any — work adjustments the employee can manage during a phased return. They do not need to know the medical details. The certificate should not be shared with line managers; the operational information they need can be communicated by HR separately. This is not merely a best practice recommendation — sharing medical details with line managers without justification may itself constitute a GDPR breach.

Separate Medical Records from General HR Files

Health documents should never be accessible to line managers unless a specific, documented legal justification applies in that individual case. System-level access controls enforce this automatically — rather than relying on HR staff to manually withhold documents from managers who would otherwise see them in a shared drive. The most secure approach is a dedicated medical document category with its own access matrix, completely separate from the employee's general HR file that managers can access for operational purposes such as contract details, performance records and leave balances.

Retention periods and deletion schedules

Retention of employee medical records is governed by a combination of statutory requirements, which vary by jurisdiction and document type, and the GDPR principle of storage limitation — which prohibits keeping personal data for longer than necessary for the purpose for which it was collected. For medical records specifically, the storage limitation principle requires active management: these are not documents that should be retained indefinitely "just in case."

For standard sickness absence certificates, most EU jurisdictions require retention for the duration of employment plus three to six years to cover potential employment tribunal claims. The UK's Limitation Act 1980 provides a six-year limitation period for most employment-related claims, making six years post-employment termination a common retention baseline. However, this is a ceiling, not a target — if there is no ongoing dispute or legal requirement that necessitates retention of a specific certificate, shorter retention periods may be more appropriate and more compliant with GDPR's storage limitation principle.

Occupational health reports, workplace injury records and records relating to occupational disease or industrial exposure may attract extended retention requirements under health and safety legislation. In some jurisdictions, records of exposure to hazardous substances must be retained for 40 years. HR teams must identify these categories explicitly and configure different retention schedules for them rather than applying a single blanket retention period to all health documents.

Retention scheduling in practice means: assigning a retention period to every document type at the point it is created or received; setting a review trigger when that period expires; confirming whether any ongoing legal obligation or dispute justifies extended retention; and, where no justification exists, securely deleting the document and recording the deletion. This process must be documented to demonstrate compliance — a record of deletion is as important as the deletion itself.

Automated Retention Schedules

Treegarden's automated retention engine allows HR teams to configure different retention periods for different document categories — standard sick notes, occupational health reports, workplace injury records and others can each carry their own retention schedule. When a document reaches its retention review date, the system generates a notification for the responsible HR administrator prompting a review decision. The administrator can confirm deletion, extend retention with a documented reason or reassign to a different retention category. All decisions are logged in the audit trail, providing the documentation necessary to demonstrate GDPR storage limitation compliance.

Linking absence records to medical documentation

A practical challenge for HR teams managing sickness absence is the relationship between operational absence records and the underlying medical documentation. The absence record — which documents the dates, duration and type of leave — is standard HR operational data accessible to line managers for workforce planning. The medical certificate — which documents the health basis for that absence — is special category data subject to restricted access. These two things relate to the same event but must be handled differently.

The solution is a deliberate structural separation in the HR system. The absence record sits in the employee's standard HR profile, accessible to line managers as part of their operational view of their team. The medical certificate sits in a separate, access-restricted medical document vault. The absence record may contain a reference indicating that a certificate has been received and is on file, without linking to or displaying the certificate itself. This way, line managers get the operational information they need — the absence is certified, the dates are confirmed — while the health information remains appropriately restricted.

When processing statutory sick pay or managing an absence management process, the HR team works with both records. But the working principle is: share the minimum information necessary for each person's role. The payroll team confirms a certificate exists; they do not see its contents. The line manager sees the absence duration; they do not see the medical basis. The HR team sees both; they are bound by professional confidentiality obligations and the system access controls that govern their use of that access.
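To show how the role-based access model, the existence-only confirmation for payroll and the absence/vault separation described above can be enforced at the system level rather than by manual vigilance, here is an added Python example. It is not Treegarden's code; the role names, the sample employee E-1001 and the records are constructed for illustration, and only the read-style actions (view, confirm) are modelled.

```python
from datetime import datetime, timezone

# Constructed sample records for a hypothetical employee (not real data).
# The absence record is operational data; the medical record is the vault copy.
ABSENCE = {"E-1001": {"start": "2024-03-04", "end": "2024-03-15",
                      "leave_type": "sickness", "certified": True}}
MEDICAL = {"E-1001": {"start": "2024-03-04", "end": "2024-03-15",
                      "issuer": "GP practice (constructed)",
                      "diagnosis": "[clinical detail, constructed]",
                      "adjustments": "phased return, reduced hours"}}
STORES = {"absence": ABSENCE, "medical": MEDICAL}

# Access matrix: category -> role -> (allowed actions, fields the role may see).
# "*" means the whole document. A role with no entry has no access at all.
MATRIX = {
    "absence": {
        "hr_admin": ({"view", "upload", "delete"}, "*"),
        "line_manager": ({"view"}, ("start", "end", "leave_type", "certified")),
        "payroll": ({"view"}, ("start", "end", "certified")),
    },
    "medical": {
        "hr_admin": ({"view", "upload", "delete"}, "*"),
        "hr_manager": ({"view"}, "*"),
        "oh_liaison": ({"view", "upload"}, "*"),
        # Payroll may only confirm that a certificate exists and its dates.
        "payroll": ({"confirm"}, ("start", "end")),
        # line_manager deliberately absent: medical content never reaches them.
    },
}

AUDIT_LOG = []  # append-only: nothing here edits or removes an entry

def can(role: str, action: str, category: str) -> bool:
    """Policy decision taken from the matrix, never from the caller."""
    rule = MATRIX[category].get(role)
    return rule is not None and action in rule[0]

def _log(user, role, action, category, employee, outcome):
    AUDIT_LOG.append({"ts": datetime.now(timezone.utc).isoformat(), "user": user,
                      "role": role, "action": action, "category": category,
                      "employee": employee, "outcome": outcome})

def access(user: str, role: str, action: str, category: str, employee: str) -> dict:
    """Return the projection the role is entitled to, or raise PermissionError.
    Every attempt, allowed or denied, is written to the audit log first."""
    if action not in ("view", "confirm"):
        raise NotImplementedError("only read actions are modelled in this example")
    if not can(role, action, category):
        _log(user, role, action, category, employee, "denied")
        raise PermissionError(f"{role} may not {action} {category} records")
    _log(user, role, action, category, employee, "allowed")
    doc = STORES[category].get(employee)
    if action == "confirm":  # existence and dates only, no medical content
        if doc is None:
            return {"certificate_on_file": False}
        return {"certificate_on_file": True, "start": doc["start"], "end": doc["end"]}
    if doc is None:
        raise KeyError(employee)
    fields = MATRIX[category][role][1]
    return dict(doc) if fields == "*" else {k: doc[k] for k in fields if k in doc}
```

The projection is chosen from the matrix and not from the caller's request, so a line manager or payroll user cannot ask for more fields than their role carries, and the denied attempts remain in the log for access-request reviews.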

Return-to-work processes add further complexity. When an employee returns following sickness absence, the line manager typically conducts a return-to-work interview. If that interview surfaces health information that is relevant to ongoing accommodations or phased return planning, any written record of that conversation that contains health details should be treated as medical documentation and stored in the restricted vault, not in the general absence record. HR teams should train line managers on this distinction — and should provide them with return-to-work interview forms that are designed to capture operational information without soliciting unnecessary health details.

Frequently asked questions about medical certificate management

Are medical certificates special category data under GDPR?

Yes. Medical certificates and any documents that reveal information about an employee's physical or mental health status are classified as special category data under Article 9 of the UK GDPR and EU GDPR. This means processing requires a specific lawful basis beyond the standard Article 6 grounds — typically explicit consent, a legal obligation or a substantial public interest — along with additional safeguards including documented processing activities, enhanced security measures and strict access controls.

How long should employers retain employee medical certificates?

Retention periods for medical certificates vary by jurisdiction and document type. In most EU member states and the UK, records relating to sickness absence and medical certification are retained for the duration of employment plus three to six years. Records relating to workplace injuries or occupational health exposure may have extended retention requirements of up to 40 years in some jurisdictions. HR teams should review their specific legal obligations with employment counsel and configure retention schedules accordingly, applying different periods to different document categories.

Who in the organisation can access an employee's medical certificate?

Access to medical certificates and health-related HR documents should be strictly limited to those with a documented business need. Typically this includes the HR team processing the absence, occupational health professionals where involved, and senior HR leadership for compliance purposes. Line managers generally should not have access to the actual certificate — they may be informed of the absence duration and return-to-work expectations, but not the medical details. System-level role-based access controls are the most reliable way to enforce this separation.

What is the difference between managing absence records and managing medical records?

Absence records document the fact and duration of an employee's time away from work — the dates, type of leave and return date. These are standard HR operational data. Medical records, including certificates, contain information about the health condition underlying the absence. These require separate, more restrictive handling as special category data. The two should be stored separately with different access controls: absence records are accessible to line managers for operational planning, while medical documentation is restricted to HR and occupational health personnel with appropriate authorisation.