Heads up: when we're dealing with driver health data, it's "special category" under GDPR, so let's make sure you're covered.
To process this kind of sensitive information lawfully, you need two things: an Article 9(2) condition and, for most fleet operators, a UK Data Protection Act 2018 Schedule 1 Part 1 condition. Typically, that's "obligations in connection with employment."
The Documents You Need
Now, that Schedule 1 Part 1 condition isn't just a nod and a wink; it requires you to have two specific documents in writing. These are the ones auditors love to see.
- Appropriate Policy Document (APD). This isn't just paperwork; it's your written commitment on how you're complying with data protection principles when handling health data, and crucially, how long you're keeping it. The ICO even has a template to get you started – no need to reinvent the wheel.
- Data Protection Impact Assessment (DPIA). If you're systematically processing employee health data at scale – which many fleets do – this is non-negotiable. Again, the ICO offers guidance and a template.
In the DDIR Platform
Quick one on the DDIR platform: when you enable Tier B or C for medical data, the system will prompt you to confirm that both of these documents are in place and up-to-date. We timestamp your acknowledgement on your `medicalConfig` – that's part of your accountability record, proof you've done your due diligence.
Heads up: if you haven't got these documents ready yet, get them sorted before you switch on Tier B or C. No rush, you can stay on Tier A in the meantime. Tier A is much lighter on the data-protection side as it only stores the D4 certificate – that's a regulatory document, not clinical detail, so it's a different kettle of fish.
Get these foundational documents in place, and managing sensitive driver