Occupational health services: destroying medical files
An occupational health service and company doctor process the most sensitive data there is on the shop floor: medical information, causes of absence, return-to-work advice and examination results of employees. Part falls under a medical retention obligation held by the company doctor, part under the purpose limitation of the GDPR held by the employer, and the split between the two is strict in law. This guide shows, by part, what you keep, when it may go and how to destroy it confidentially.
The quick answer: the medical file held by the company doctor has its own medical period, often around fifteen years. The non-medical absence data the employer keeps you clear out sooner, usually within two years after the end of the employment. What may go disappears confidentially and with a certificate.
Two worlds: medical file and personnel file
At an occupational health service two kinds of file run side by side, and they must not touch. The company doctor keeps a medical file with complaints, diagnoses, treatment advice and examination results. That file is confidential and falls under medical professional confidentiality. The employer keeps an absence file alongside it, but may record only non-medical data there, such as the date of the sickness report, the expected duration and arrangements about returning to work. The cause of the absence or a diagnosis never belongs there.
This split is not a matter of form. It protects the employee against an employer who would otherwise gain insight into sensitive health information. So keep the two files separate physically and digitally, with their own access rights and their own retention periods. How that split works in a care organisation between the HR file and the patient file shows how strict that boundary is. Anyone who mixes the files runs into a data breach the moment either one lands in the wrong place.
Retention periods by part
The period differs strongly per type of data. The overview below gives the main line. Count most periods from the end of the employment or from the completion of the reintegration.
| Part | Starting point | Period |
|---|---|---|
| Company doctor's medical file | Medical retention obligation | often 15 years |
| Absence and reintegration file (employer) | GDPR purpose limitation | up to 2 years after employment |
| Workplace accidents and reports | Working conditions law | as the statutory period |
| Health checks for hazardous substances | Working conditions law | up to 40 years |
| Employee personal data | As long as needed | purpose-bound |
| Correspondence and drafts | No retention obligation | clear out at once |
Use this as a guideline, not a substitute for the applicable rules. For the non-medical absence data you keep as an employer, the line matches that of the personnel file under the GDPR. The company doctor's medical period aligns with the long line of the WGBO retention period for patient files. When in doubt about a specific part, consult your data protection officer.
Special-category data: employee health
Health data is special-category personal data and enjoys the strongest protection under the GDPR. Everything the company doctor records about an employee's health falls under this, as does the result of an occupational health examination or advice on fitness for work. Strict conditions apply to processing this data, and storage limitation applies to keeping it. That means you hold it no longer than the purpose requires.
In practice the risk often sits in the single documents. A printed consultation note, a copy of an examination result or an old reintegration report on paper is just as sensitive as the file itself. So treat those documents with the same care as the main file and clear them out as soon as they have served their purpose. A special case is data from checks on exposure to hazardous substances, which working conditions law in fact requires you to keep very long, up to forty years.
The processor role towards the employer
An occupational health service works on the employer's instruction, but that does not automatically make the service a processor. For the purely medical tasks of the company doctor the service is often a controller in its own right, because the company doctor carries an independent legal and medical responsibility. For the administrative absence management the service performs on behalf of the employer a processor role may apply. So it is not a black-and-white question but a division per task.
Record that division of roles in writing. Where the service acts as processor, a processor agreement belongs, with arrangements about security, retention periods and destruction. Run through the processor agreement checklist for that. That way everyone knows who is responsible for what and who, at the end of the road, destroys the data and demonstrates it.
How to handle it in 6 steps
- Split the files into a medical file and a non-medical absence file.
- Limit the employer file to non-medical data about absence and reintegration.
- Keep the medical file under the company doctor's management with its own access.
- Record the division of roles in a processor agreement where it applies.
- Collect what may go in sealed containers, not in the paper bin.
- Have it destroyed confidentially with a certificate and record it in your register.
Destroy confidentially with a certificate
Medical and absence files are destroyed confidentially, because they contain the most sensitive personal data of an employee. The paper and any data carriers travel sealed and stay that way until destruction, so the chain is closed. An old practice computer, a backup or an archive cabinet with consultation notes belongs with it too.
Afterwards you receive a certificate of destruction with the date, quantity and level. That certificate is your proof towards the GDPR that you acted carefully. Record the destruction in your record of processing. We collect within 20 km of Amsterdam with no call-out charge, work nationwide through pooled collection rounds and charge a fixed price per box or roll container. Drop-off on site is not possible; it works by appointment through collection.
Occupational health and absence files to be destroyed?
Tell us what you have and you get a fixed price. We collect it sealed, destroy it at the right DIN level and you receive a certificate for your GDPR file. No call-out charge within 20 km of Amsterdam.
Request a quoteCommon mistakes
- Medical data in the employer file. A diagnosis or cause of absence never belongs there.
- Keeping absence files forever. After two years the purpose usually lapses.
- Treating single consultation notes as ordinary paper. They are as sensitive as the file.
- Not recording the division of roles. Without arrangements it is unclear who destroys.
- Keeping no proof. Without a certificate you cannot demonstrate the destruction.
Frequently asked questions
How long does an occupational health service keep medical and absence files?
The medical file held by the company doctor has its own medical retention period, often around fifteen years. The non-medical absence data the employer keeps you hold for less time, usually up to two years after the end of the employment. Keep nothing longer than the purpose requires.
May the employer view the company doctor's medical file?
No. The medical file falls under the company doctor's professional confidentiality and is not accessible to the employer. The employer receives only non-medical information needed for absence management, such as arrangements about returning to work.
Is an occupational health service a processor or a controller?
That depends on the task. For the company doctor's medical tasks the service is often a controller in its own right. For administrative absence management on behalf of the employer a processor role may apply. Record that division of roles in writing.
How do I destroy occupational health and absence files in line with the GDPR?
Confidentially and with a certificate of destruction. Paper and data carriers travel sealed and the destruction is recorded in the record of processing.
Conclusion
An occupational health service works with the most sensitive data of an employee, between a medical retention obligation and the GDPR. Keep the company doctor's medical file strictly separate from the employer's absence file, keep each part no longer than its own period and record the division of roles in a processor agreement. What may go you have destroyed confidentially with a certificate as proof. That way you protect your employees' health data and meet both frameworks.
Read also: home care: destroying client records, mental health institutions: destroying client records, allied health: destroying treatment records and the WGBO and the GDPR retention periods cheatsheet.
Have occupational health files collected? Request a quote via desnipperaar.nl. Within a few minutes you have a fixed price, including a certificate as proof.