OccMed Consultants GDPR Privacy Notice
OccMed Consultants is an independent occupational health & Wellbeing and occupational medicine provider and is the Data Controller and the Data Processor for your Occupational Health (OH) Records.
As your OH records are also classed as a 'clinical record' we also have a legal and ethical duty (under relevant health professional codes of conduct) not to disclose confidential medical information to third parties, including your manager or HR, without your informed consent, unless there is a an immediate and imminent risk of serious harm to others or subject to a court order or other Regulator order.
The Data Protection Officer is the Occupational Health Manager.
This GDPR privacy notice explains how we use your personal information and your rights regarding that information.
Why are we collecting your data?
To enable us to provide an Occupational Health and Wellbeing Service to you and your employer including pre-employment health assessments, health surveillance, fitness for work assessments and annual medicals etc.
Upon receipt of a detailed management referral form, to which you will already have been made aware of the contents by management, to provide Occupational Medicine advice by way of an Occupational Medical report, for which your informed consent will be obtained and you will be offered a copy of the report before it is sent to management.
What information are we collecting?
Personal Information, e.g. Name, Address, Date of birth.
Personal Characteristics e.g. ethnicity, gender etc.
Contact details e.g. telephone and email.
GP and/or specialist contact details.
Past and present occupational job roles and occupational exposures.
Health and medical information that would be classed as ‘special category data’.
Details of medical investigations and any other medical information relevant to an Occupational Medicine assessment.
With informed consent GP and/or specialist reports and aspects of your medical record.
Who are we collecting data from?
You (the data subject).
Your manager and Human Resources.
Health specialists/services that we may refer you to and who report back to us.
With your consent, your GP or other specialists from whom you have received treatment.
You may also provide medical information to us, and this will be processed and held confidentially in your occupational health record.
How will it be collected?
In writing in the form of written informed consent to the service which is proposed.
Electronically via forms that you or your manager complete as part of the management referral process or for health surveillance, or via reports sent to us from other parties, e.g. from your GP. Consent may be verbal if written consent is not received, and this will be recorded contemporaneously in your occupational health clinical notes.
By taking your medical / history and undertaking an examination / assessment and by reviewing any additional health information you provide to us.
This will form your confidential clinical occupational health record.
How will we use this data?
We use this data to: -
Identify you and ensure that your medical information is filed correctly.
Assess your health, undertake health surveillance, annual medicals and in the case of Occupational Medicine, your fitness to work (following referral by management).
Provide advice to managers on the impact of your health on work and work on your health in the form of a structured report, which in the case of fitness for work assessment, you will be offered a copy before management.
Identify a baseline of your health against which to measure any future changes.
Following referral, the basis on which to provide advice to management on fitness for work and any adjustments that would help you to do your work.
Identify any additional support that would help you to improve your health and ability to work.
Identify health trends to enable further targeted health and wellbeing strategies.
What is the legal basis for processing your data?
The information collected by OccMed Consultants is classed as 'Special Category Data' as it is about health and is more sensitive than other forms of personal data. In order to process Special Category Data we must have a Lawful Basis under various parts of Article 6, depending on the service, and a separate Condition under Article 9:-
Article 9 (2) condition (h) states:
“Processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.”
We are processing your data on the following Lawful Basis:
It is necessary to process your health data in order to enable you to comply with your contract of employment.
It is necessary to enable your employer to comply with legal obligations under the Health and Safety at Work Order, to protect your health and safety at work as far as is reasonably practicable.
It is necessary to protect the vital interests of you and your colleagues (public interest).
In addition, we will ask for your informed consent to process your data and ensure that you are kept fully informed.
If you are sharing my data with others, who are you sharing it with?
Information on your fitness to work is shared with your referring manager, and HR with your informed consent, however where withholding this information could have a severe impact on your health and safety and the health and safety of others, information on your fitness to work will be provided to management and to HR without your consent. You will be fully informed in this exceptional circumstance.
In cases where we are unable to gain your consent, or where your consent is withheld and we need to share information anyway, you will always be informed. Details of your medical conditions will not be shared with anyone outside Occupational Health without your explicit informed written consent.
Anonymised statistical data is shared with senior management to help us to plan the service and monitor health trends in the workplace.
How long will we process my data for?
All data will be retained for the duration of your employment with your employer and for 6 years following your leaving date, with the exception of Health Surveillance information. This will be stored for 40 years to comply with Health and Safety Legislation including the Control of Hazardous Substances at Work (COSHH) Regulations and Noise at Work Regulations etc.
Pre-employment Health Declarations for the assessment of fitness to work will be retained for 1 year if you do not take up the offer of employment.
The above will be applied, unless there are good clinical or legal reasons to keep them for a longer period.
Who will be processing my data?
OccMed Consultants administrative staff, Occupational Health Nurses and Occupational Physicians will have access to your data when required and are responsible for processing in line with internal Information Governance protocols, Standard Operating Procedures and Professional Codes of Conduct.
How will the data be stored?
Your records will be stored securely and confidentially in accordance with the OccMed Consultants Information Governance protocol, either in locked filing cabinets (physical records), or electronically on secure digital systems, which will be frequently backed up.
Every attempt will be made to keep your data secure when we are transmitting information to 3rd parties, for example by encrypted and password protected e-mailed reports.
What are my rights?
You have a statutory right of access to your occupational health records (in full or in part), or to authorise a third party, such as a legal adviser, to exercise that right on your behalf.
The request should be made in writing clearly outlining to us what records you wish to access. We will endeavour to provide the information without delay and at the latest within one month of receipt of the request. If the request is complex/numerous we may extend this timeframe by a further two months; if this is the case we will inform you why the extension is necessary within one month of your request.
This information will be provided without charge.
We will request additional written consent from you if a third-party request is made under our legal and ethical duty to protect your medical confidentiality.
You can request that an amendment is attached to your OH record if you believe any of the information held by us is inaccurate or misleading.
You do not have a “right to erasure” of your occupational health data as the processing is necessary for the purposes of preventative or occupational medicine (e.g. where the processing is necessary for the working capacity of an employee; for medical diagnosis; for the provision of health or social care; or for the management of health or social care systems or services). This applies as your data is being processed by and under the responsibility of a regulated health professional under the relevant professional codes of conduct.
If you require any further information, please contact the Occupational Health Manager on the following e-mail address office@occmedconsultants.com
Medical Director
OccMed Consultants