A discussion note by Dr Brian Moore and Howard Nichol at GSA Global

A British newspaper has recently reported that a business traveller with a pre-existing medical condition had to have his bowel removed after a work trip to India. The employee was awarded £800k in compensation because his employers hadn’t considered the risks of sending him on business travel.1

If the facts were reported accurately, it sounds obvious that this outcome could have been avoided if proportionate pre-travel risk assessment and planning, and adequate support during the trip had been available, as commended in ISO 31030 Travel Risk Management – Guidance for organizations. This is not an isolated case of things going wrong, so why do these problems arise and what can be done?

There is no doubt that organisations face challenges when it comes to obtaining, storing, and using employee personal health information (PHI). As the instant case tends to show, businesses and organizations that operate internationally often require access to employee medical data as part of travel risk management. How else can employers discharge their duty of care to travelling employees if employers are unaware of travellers’ relevant susceptibility to the effects of illness or disease?

However, this need introduces complex challenges, particularly in respect of complying with the General Data Protection Regulation (GDPR) in the European Union and the Health Insurance Portability and Accountability Act (HIPAA) in the United States. Both pieces of legislation impose stringent requirements on the collection, storage, and processing of personal data. GDPR requires ensuring data minimisation, purpose limitation, and securing explicit consent. HIPAA enforces standards on how such data should be securely handled and disclosed. Employees often have concerns about privacy and the security of their PHI. Fear that PHI could be misused or inadequately protected can create resistance towards sharing necessary information. Storing and managing sensitive medical data increases the risk of data breaches. For multinational companies, data protection regulations complicate the transfer of medical data across borders, and developing policies that comply with multiple legal frameworks can be intricate and resource intensive. It is no surprise, therefore, that many businesses and organisations are loath to seek medical information.

Often, employers point out that the duty of care they owe is matched by the duty of fidelity or co-operation owed by their employees. This means that, provided the employer points out relevant travel risks (e.g. the state of health provision and availability in a particular location), there is a specific or implied contractual obligation on the employee to support risk assessment and mitigation. The defensibility of this approach is likely to be case-specific and fact-sensitive, carrying a degree of legal risk for the employer, as adjudication may focus on the question of what it was about this company, its processes or its culture that meant that this employee did not feel that they could disclose a relevant medical condition. It could be argued that the employee is being asked to undertake a risk assessment for which they are not trained. This point is amplified where a company or organisation does not ensure that travel-related briefings, training or education sessions are actually completed, or where sessions that policy describes as ‘mandatory’ are not enforced.

On the other hand, where companies and organisations can demonstrate that their need to seek medical information is for a proper purpose, then they may be able to demonstrate necessity, lawfulness and proportionality: collect only the data that is strictly necessary and consider anonymising it. Where resources permit, engage specialist third party providers which can manage health data securely. Implement robust security protocols, including encryption, secure access controls, and regular security audits to safeguard sensitive data against breaches and unauthorised access. Maintain transparency with employees about what health data is collected, how it is used, and the measures in place to protect it. Regularly train employees on the importance of data protection, their rights under GDPR and HIPAA, and the safe handling of personal data. Seek specialist legal advice about data protection to ensure all policies and practices are up to date with current legislation.

Organisations must decide whether the de facto ‘don’t tell; don’t ask’ policy is defensible and, if in doubt, ensure as a minimum that travel-related risk briefings are completed every time; after all, no employee is ever too busy to be protected and no employer is ever too big to be held to account for avoidable harm. Each has a duty to the other to achieve the company’s goals, safely.

GSA Global has been undertaking corporate travel risk assessments against ISO 31030 since 2022.

1. https://www.mirror.co.uk/news/uk-news/man-who-bowel-removed-after-32323453 (accessed 16 May 2024)