Privacy Notice under the General Data Protection Regulations
Occupational Health Services Ltd (OHS Ltd), as both the Data Controller and Data Processor, is committed to protecting the rights of the individual and acknowledges that any personal data of yours that we handle will be processed in accordance with the Data Protection Act 1988 (DPA) and the new General Data Protection Regulations (GDPR) 2018. As your occupational health records are also classed as a “clinical record”, OHS Ltd also has a legal and ethical duty (under relevant health professional codes of conduct) not to disclose confidential medical information to third parties, including your employer, without informed consent, unless there is a serious risk of harm to others or through a court order.
What data will be collected
The following data may be collected, stored and shared by OHS Ltd:
- Personal information (e.g. Name, Address, Date of Birth)
- Personal characteristics (e.g. ethnicity, gender)
- Past and present job roles
- Health information, which is classed as “special category data” (e.g. medical records and reports, health surveillance records)
Who will it be collected from
- You, the employee
- Your employer, e.g. managers, Human Resources
- Health specialists/services you may be referred to e.g. occupational health professionals (OH doctors, OH nurses)
- Your treating doctors/health professionals (with your consent) e.g. GP, hospital specialists, physiotherapists, psychologists.
How will it be collected
- Verbally, e.g. telephone calls, face-to-face consultations
- In writing, e.g. forms that you and/or your employer may complete (such as health assessment forms and management referral forms) and forms from other parties (such as GP letters). These may be sent to us by post or email.
Why is it collected
- For the purpose of undertaking preventative or occupational medicine assessments
- To ensure the health and safety of working populations
- For the assessment of the working capacity of an individual
- For the purposes of assessing eligibility for ill health retirement benefits in accordance with the stated criteria of the relevant scheme
- Data may be used for research, audit or statistics but will be anonymised if this is the case.
Lawful basis for processing the information
- Legitimate interest
- Legal obligation – The employer has a duty to carry out health surveillance under the Health and Safety Act 1974 and associated regulations.
- Vital interests – The processing is necessary to protect someone’s life, e.g. to protect from potential harm that can arise from the work processes, such as exposure to chemicals.
- Special category – Purposes of Occupational Medicine – Article 9(2)(h) – where processing is required for medical treatment undertaken by health professionals, including assessing the working capacity of employees and the management of health or social care systems and services. Occupational Medicine is a special category and thus ‘processing is necessary for the purposes of preventive or Occupational Medicine’, and Article 9(3) states that processing is permitted ‘when the data is processed by a regulated health professional’.
How will the data be stored
Paper and electronic records will be stored securely and confidentially in accordance with OHS Ltd’s medical records storage policy, incorporating GDPR principles. Every attempt will be made to keep your data secure. Data will be maintained so that it is accurate and relevant to the purposes for which it is intended.
How long will data be held for
- Occupational health records will be held for 6 years after the last entry.
- New employee medical assessments will be discarded after 2 years if the employee doesn’t take up the offer of the job.
- The individual health record for health surveillance purposes will be kept for 40 or 50 years as determined by the relevant Health and Safety Legislation.
Who will my information be shared with
Information will be shared with third parties subject to informed consent by the individual to whom it relates. Third parties would usually include managers, HR, and other health professionals where relevant. It will also include those who provide services such as typing and administration to OHS Ltd and who are bound by the rules of medical confidentiality.
We will not share information about you with third parties without your consent unless the law allows us to (e.g. in the event of a serious risk to life, or under a court order).
What are your rights
- You have the right to see any information we hold about you in your occupational health record. The request should be made in writing and will be responded to within 4 weeks without charge.
- You can request that an amendment is attached to your health record if you believe any of the information is inaccurate or misleading.
What are the rights of the Data Subject?
The individual about whom data is being processed is the Data Subject. The rights of the Data Subject are outlined in GDPR as follows:
- The right to be informed about why and how the data is collected and processed.
- The right of access: The individual has the right to see any information that is held in their occupational health record (known as a Subject Access Request or SAR). A request should be made in writing to firstname.lastname@example.org and OHS Ltd is obliged to respond within 4 weeks without charge.
- The right to rectification: The individual is able to request that an amendment is attached to their health records if they believe that any of the information is inaccurate or misleading.
- The right to erasure: The individual has the right to request erasure of their data in certain circumstances (known as the right to be forgotten). Requests for erasure should be sent in writing to email@example.com.
- The right to restrict processing: Requests to restrict processing may be made in certain circumstances. Such requests should be made in writing to firstname.lastname@example.org.
- Rights related to data portability: This allows individuals to obtain and reuse their personal data for their own purposes across different services.
- The right to object: Individuals have the right to object to the processing of their personal data in certain circumstances.
- The right to complain: If the data subject has any concerns about how OHS Ltd processes his or her data, these can be sent to OHS Ltd in the first instance at email@example.com. If the individual is not happy with the response, a complaint can be sent to the Information Commissioner’s Office (ICO), using their electronic complaints process at https://ico.org.uk/make-a-complaint/ or in writing to: Customer Contact, Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, SK9 5AF.