How to process medical information?

A state employee was sent to the doctor by his superiors for a consultation about significant back pain.

The doctor wrote a report on the employee's ability to work, in which he recommended ergonomic measures. In the same document, he gave his personal impression that the employee's problems were primarily psychological.

The file manager placed the entire document in the employee's file. The employee realized this when he was transferred to a new service and his boss spoke to him about these elements, and he complained.

The file manager then removed the sensitive data by redacting the document and destroying the problematic appendix.

A doctor's personal comments should not be included in personnel files, any more than the personal comments of the medical advisor; this includes diagnoses, impressions, etc.
Only the data required to determine aptitude for work may be kept by the employer. Medical data, and in particular diagnoses, should in principle be processed only by persons bound by medical confidentiality.

Basic principles
LIPAD 37 para. 1 and 2; LPD 4, 7, 12, 13 and 17; OLPD 8 et seq.; CP 321; CO 328 and 328b
Principles of legality, proportionality and data security (privacy); medical secrecy