10 GDPR Mistakes that Trip up HR Teams

1. Sending fit notes to personal email accounts: Never forward medical documents to your own Gmail or Outlook.com account. A personal mailbox sits outside the employer's access controls, retention rules and breach monitoring, so even when you’re working from home, stick to the approved work systems.

2. Leaving absence forms on shared drives: Generic folders that anyone in the organisation can open are not appropriate storage for health data. Absence logs should be restricted to named individuals who need them, with access reviewed whenever someone changes role or leaves.

3. Copying in the whole team: Group emails that mention someone’s sickness, especially the reason for it, breach confidentiality. Keep communications need-to-know only. 

4. Publishing absence ‘league tables’: Pinning up a list of who’s been off most often, even if anonymised by initials, risks indirect identification and erodes trust. 

5. Over-sharing with line managers: A manager may need to know when someone’s off and roughly why, but they rarely need full detail. Avoid forwarding medical letters unless strictly necessary. 

6. Leaving health documents on printers: A GP letter left on a printer is, at best, a security incident and, as soon as someone else picks it up, a personal data breach. Collect documents immediately or use pull printing, where the job is only released at the device with a badge or PIN.

7. Discussing sickness in open-plan spaces: Stick to closed-door rooms or private calls. A well-meaning chat in a shared kitchen is a disclosure to everyone within earshot and can land your company in trouble.

8. Recording too much detail: ‘Flu’ or ‘stress’ is enough for most logs. Data minimisation means recording only what the absence process actually needs; there’s rarely a valid reason to include diagnosis codes, medication names, or family history.

9. Not deleting data on time: Keeping absence records for years after someone has left, without a clear justification, breaches the storage limitation principle. Set a retention period, document the reason for it, and make sure records are actually deleted when it expires.

10. Assuming ‘consent’ covers everything: Relying on employee consent is risky, because the imbalance of power between employer and employee means consent is rarely freely given. In most cases your legal basis will be legal obligation or legitimate interest, and because sickness information is special category health data you also need an Article 9 condition, usually the employment law condition in Article 9(2)(b). Both should be set out clearly in your privacy notice.