Health data in HR (sick leave, medical visits, accommodations): the blind spots
Health data is not always where you expect it
An HRIS isn't supposed to store medical files. In practice it does: scanned sick notes, workplace accommodation requests, and proofs of medical visits end up in attachments, free-text fields and absence records, so health data moves around the product.
For more, see our security audit for HR software vendors.
The three angles to review
What should be clear
GDPR treats health data as a special category (Article 9). Encryption, access control and logging should match that classification, not the level applied to a regular HR file: fewer roles may read it, and every read should leave a trace.
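One way to make the access and logging tier visible in code, added here as an illustration and not taken from CleanIssue or any HRIS product: sensitive fields are listed explicitly, only a named role may read them, every attempt (allowed or denied) is written to an audit trail, and a whole-record view redacts what the caller may not see. The field names, the roles, the sample record and the storage paths in it are constructed for the example.

```python
"""
Tiered access and audit logging for Article 9 (health) fields in an employee
record. Added illustration, not code from CleanIssue or any HRIS product;
the field names, roles and the sample record below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Any

# Fields in the employee record that hold health data (GDPR Article 9).
# Constructed for this example; a real HRIS would derive this from its data model.
SENSITIVE_FIELDS = frozenset({
    "sick_note_scan",        # scanned sick note attachment
    "accommodation",         # workplace accommodation details
    "medical_visit_proof",   # proof of a medical visit
})

# Roles with a documented need to read health data. Constructed policy.
ROLES_WITH_HEALTH_ACCESS = frozenset({"hr_health_officer"})

REDACTED = "<redacted: Article 9 data>"


class PermissionDenied(Exception):
    """Raised when a role tries to read a sensitive field it is not entitled to."""


@dataclass
class AuditLog:
    """In-memory audit trail; a real system would write to append-only storage."""
    entries: list[dict[str, Any]] = field(default_factory=list)

    def record(self, actor: str, role: str, employee_id: str,
               field_name: str, allowed: bool) -> None:
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor,
            "role": role,
            "employee_id": employee_id,
            "field": field_name,
            "allowed": allowed,
        })


def read_field(record: dict[str, Any], field_name: str,
               actor: str, role: str, audit: AuditLog) -> Any:
    """Read one field. Sensitive fields are role-gated and every attempt,
    allowed or denied, is written to the audit log. Regular fields are not."""
    if field_name in SENSITIVE_FIELDS:
        allowed = role in ROLES_WITH_HEALTH_ACCESS
        audit.record(actor, role, record["employee_id"], field_name, allowed)
        if not allowed:
            raise PermissionDenied(f"{role} may not read {field_name}")
    return record[field_name]


def export_view(record: dict[str, Any], actor: str, role: str,
                audit: AuditLog) -> dict[str, Any]:
    """Return the record as the given role is allowed to see it: sensitive
    fields are redacted for roles without health access. This is the shape
    a support screen or a data export should produce."""
    view: dict[str, Any] = {}
    for name in record:
        try:
            view[name] = read_field(record, name, actor, role, audit)
        except PermissionDenied:
            view[name] = REDACTED
    return view


def denied_health_reads(audit: AuditLog) -> list[dict[str, Any]]:
    """Detection helper: audit entries where a caller was refused a sensitive
    field. A burst of these from one actor is worth an alert."""
    return [e for e in audit.entries if not e["allowed"]]


# Constructed sample record for demonstration (paths are placeholders).
SAMPLE_RECORD = {
    "employee_id": "E-0042",
    "name": "Example Employee",
    "department": "Logistics",
    "sick_note_scan": "s3://example-hr-bucket/E-0042/sick-note-2024-03.pdf",
    "accommodation": "standing desk, reduced lifting",
    "medical_visit_proof": "s3://example-hr-bucket/E-0042/visit-2024-02.pdf",
}


if __name__ == "__main__":
    log = AuditLog()
    print(export_view(SAMPLE_RECORD, "alice", "line_manager", log))
    print(export_view(SAMPLE_RECORD, "bob", "hr_health_officer", log))
    print(len(denied_health_reads(log)), "denied reads")
```

The point of the separation is that the regular HR fields (name, department) go through the ordinary path while the Article 9 fields always pass the gate and always leave an audit entry, so the access and logging level is tied to the data classification rather than to whichever screen happens to display it.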
For HR & Payroll vendors
CleanIssue specializes in security reviews for HR, payroll, and recruiting software. If you're building an HRIS, payroll tool, or ATS and want an external review of your exposure before a client audit or security questionnaire, see our offer for HR & Payroll vendors.
Related articles
Three adjacent analyses to keep exploring the same attack surface.
ATS and GDPR: the points many vendors miss
The most frequent misses in recruiting software: retention, recruiter access, attachments, and candidate-data circulation.
GDPR employee data export: what the access request reveals about your product
An employee requesting their GDPR data tests your access control without knowing. Four common traps for HR vendors.
Candidate onboarding and GDPR: common product mistakes
Candidate journeys often suffer from the same issues: excessive collection, weak attachment protection, and more visibility than intended.
Sources
Editorial analysis based on official vendor, project, and regulator documentation.