Specialists in Occupational Health / Working Age Health and Wellbeing
OccMed Consultants GDPR Privacy Notice
OccMed Consultants is a private occupational health and occupational medicine provider and is the Data Controller and the Data Processor for your Occupational Health (OH) Records.
As your OH records are also classed as a 'clinical record', we also have a legal and ethical duty (under relevant health professional codes of conduct) not to disclose confidential medical information to third parties, including your manager or HR, without your informed written consent, unless there is a grave risk of serious harm to others or the disclosure is the subject of a court order.
The Data Protection Officer is: Clare Tohill, Occupational Health Nurse Manager, email@example.com.
This GDPR privacy notice explains how we use your personal information and your rights regarding that information.
Why are we collecting your data?
To enable us to provide an Occupational Health and Wellbeing Service to your employer including pre-employment health assessments, health surveillance and annual medicals.
Upon receipt of a detailed management referral form, of which management will already have made you aware, to provide Occupational Medicine advice by way of an Occupational Medical report. Your consent will be sought for this report, and you will be offered a copy of it before management.
What information are we collecting?
Personal Information, e.g. Name, Address, Date of birth.
Personal Characteristics e.g. ethnicity, gender etc.
Contact details e.g. telephone and email
GP and/or specialist contact details
Past and present occupational job roles and occupational exposure
Health information that would be classed as ‘special category data’
Details of medical investigations and any other medical information relevant to an Occupational Medicine assessment
Who are we collecting data from?
You (the data subject)
Your manager and Human Resources
Health specialists/services that we may refer you to as part of our assessment process
With your consent, your GP or other specialists from whom you have received treatment
How will it be collected?
In writing in the form of written informed consent to the service which is proposed.
Electronically via forms that you or your manager complete as part of the management referral process or for health surveillance, or via reports sent to us from other parties, e.g. from your GP
How will we use this data?
We use this data to:
Identify you and ensure that your medical information is filed correctly
Assess your health, undertake health surveillance, annual medicals and in the case of Occupational Medicine, your fitness to work (following referral by management)
Provide advice to managers on the impact of your health on work and work on your health in the form of a structured report; in the case of a fitness for work assessment, you will be offered a copy of this report before management
Identify a baseline of your health against which to measure any future changes
Following referral, form the basis on which to provide advice to management on fitness for work and any adjustments that would help you to do your work
Identify any additional support that would help you to improve your health and ability to work
Identify health trends to enable further targeted health and wellbeing strategies
What is the legal basis for processing your data?
The information collected by OccMed Consultants is classed as Special Category Data as it is more sensitive than other forms of personal data. In order to process Special Category Data we must have a Lawful Basis under Article 6 and a separate Condition under Article 9.
Article 9 (2) condition (h) states:
“Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.”
We are processing your data on the following Lawful Basis:
It is necessary to process your health data in order to enable you to comply with your contract of employment.
It is necessary to enable your employer to comply with legal obligations under the Health and Safety at Work Order, to protect your health and safety at work as far as is reasonably practicable.
It is necessary to protect the vital interests of you and your colleagues.
In addition, we will ask for your consent to process your data and ensure that you are kept fully informed.
If you are sharing my data with others, who are you sharing it with?
Information on your fitness to work is shared with your referring manager and HR with your written informed consent. However, where withholding this information could have a severe impact on your health and safety and the health and safety of others, information on your fitness to work will be provided to management and to HR without your consent. You will be informed in this case.
In cases where we are unable to gain your consent, or where your consent is withheld and we need to share information anyway, you will always be informed. Details of your medical conditions will not be shared with anyone outside Occupational Health without your explicit informed written consent.
Anonymised statistical data is shared with senior management to help us to plan the service and monitor health trends in the workplace.
How long will we process my data for?
All data will be retained for the duration of your employment with Foyle Meats and for 6 years following your leaving date, with the exception of Health Surveillance information. This will be stored for 40 years to comply with Health and Safety Legislation including the Control of Hazardous Substances at Work (COSHH) Regulations and Noise at Work Regulations.
Pre-employment Health Declarations for the assessment of fitness to work will be retained for 1 year if you do not take up the offer of employment.
The above will be applied, unless there are good clinical or legal reasons to keep them for a longer period.
Who will be processing my data?
OccMed Consultants administrative staff, Occupational Health Nurses and Occupational Physicians will have access to your data when required and are responsible for processing in line with internal Information Governance protocols, Standard Operating Procedures and Professional Codes of Conduct.
How will the data be stored?
Your records will be stored securely and confidentially in accordance with the OccMed Consultants Information Governance protocol, either in locked filing cabinets, or electronically on secure digital servers.
Every attempt will be made to keep your data secure when we are transmitting it to third parties, for example by using encrypted and password-protected reports.
What are my rights?
You have a statutory right of access to your occupational health records (in full or in part), or to authorise a third party, such as a legal adviser, to exercise that right on your behalf.
The request should be made in writing clearly outlining to us what records you wish to see. We will endeavour to provide the information without delay and at the latest within one month of receipt. If the request is complex/numerous we may extend this timeframe by a further two months; if this is the case we will inform you why the extension is necessary within one month of your request.
This information will be provided without charge.
We will request additional written consent from you if a third-party request is made under our legal and ethical duty to protect your medical confidentiality.
You can request that an amendment is attached to your OH record if you believe any of the information held by us is inaccurate or misleading.
You do not have a “right to erasure” of your data as the processing is necessary for the purposes of preventative or occupational medicine (e.g. where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This applies as your data is being processed by and under the responsibility of a health professional under the relevant professional codes of conduct.
If you require any further information, please contact the Occupational Health Manager firstname.lastname@example.org
25 May 2018