Privacy Policy
The Occupational Health Practitioner is both a Data Controller and Data Processor and is committed to protecting the rights of the individual, acknowledging that any personal data handled will be processed in accordance with the Data Protection Act 1998 (DPA) and the General Data Protection Regulations (GDPR) 2018.
What Data will be collected
The following data may be collected, held and shared by Occupational Health:
- Personal information (e.g. Name, Address, Date of Birth)
- Characteristics (ethnicity, gender)
- Past and present job roles
- Health information.
Who will it be collected from
- Human Resources
- Managers
- Employees
- Other health professionals (e.g. GP, specialist, physio).
How it will be collected
- Post
- Verbal (Either by telephone or face to face)
Why is it collected
- For the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee.
- To ensure the health and safety of employees at work and to allow consideration of any adjustments that may be required to support their ability to work.
- Data may also be used for research, audit or statistics but will be anonymised if this is the case.
Lawful basis for Processing (from the General Data Protection Regulations) Article 6(1) (f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Additional condition for the processing of Special Category Data
Article 9(2) (h) Processing is necessary for the purposes of Occupational Medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment, or the management of health or social care systems and services on the basis of UK law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in para 3 (below).
Article 9(3) Personal data may be processed for the purposes referred to in (2)(h) when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under UK or rules established by national competent bodies.
How long will Data be held for
- Information will be held depending on the process, between 1 and 6 years after the last entry, as recommended by the Faculty of Occupational Medicine (FOM) unless there is a recognised clinical need or statutory requirement to retain it for longer.
- Information will be removed on the annual review of the data store.
How Data will be stored
- Records are currently managed in paper and digital copy. Paper Records are stored in accordance with the BMA’s medical records storage policy and in compliance with GDPR. They are accessible only to Occupational Health.
- Digital records are managed within the Microsoft Office 365 platform, stored within the UK and are password protected.
- Paper records where possible are, with appropriate security and access control, securely scanned to the Microsoft platform and then destroyed by shredding.
- Email is encrypted.
Who will Data be shared with
- Information about you will not be shared with third parties without your consent unless the law allows this, or there is a serious risk to life.
Rights for people with Data held
- You have the right to see any information held about you in your Occupational Health Clinical Record. The request should be made in writing and will be responded to within 4 weeks, without charge.
- You can also request that an amendment is attached to it if you believe any of the information held by Occupational Health is inaccurate or misleading.
- You have the right to withdraw consent at any time, for any reason. In the case of request for erasure, retention may be lawful (e.g. if required for legal compliance).
