GDPR Privacy Notice

Occupational Health Privacy Notice

Company Health Management Limited, as both the Data Controller and Data Processor, is committed to protecting the rights of the individual and acknowledges that any personal data of yours that we handle will be processed in accordance with the Data Protection Act 1998 (DPA) and the new General Data Protection Regulation (GDPR) 2018.

What data will be collected?
The following data may be collected, held and stored by Occupational Health:

  • Personal information (e.g. Name, Address, Date of Birth)
  • Characteristics (ethnicity, gender)
  • Past and present job roles
  • Medical Records
  • Health Surveillance records

Who will it be collected from?

  • Human Resources
  • Managers
  • Employees
  • Occupational Health Physicians
  • General Practitioners
  • Physiotherapists
  • Other Health or Allied Professionals

How will it be collected?

  • Information received in the post
  • Via E-mail
  • Verbal (face to face and telephone)
  • Health Questionnaires
  • Health Assessments. For example, hearing tests, lung function tests and drug and alcohol testing.

Why is it collected?

  • For the purposes of preventative or occupational medicine, for assessing the working capacity of the employee, for medical diagnosis, for the provision of health or social care or treatment, for the management of health or social care systems and services based on Union or Member State law or a contract with a health professional.
  • To ensure the health and safety of the employees at work and to allow consideration of any adjustments that may be required to support their ability to work.
  • Data may also be used for research, audit, or statistics, but will be anonymised if this is the case.

Lawful basis for processing the information

  • The employer has a legal duty to carry out health surveillance under the Health and Safety at Work Act 1974 and associated Regulations.
  • Additional condition - Article 9(2)(h), (3): the processing is required for medical treatment undertaken by health professionals, including assessing the working capacity of employees and the management of health or social care systems and services. Occupational Medicine is a special category, thus “processing is necessary for the purposes of Occupational Medicine”, and Article 9(3) states that processing is permitted “when the data is processed by a regulated health professional”.

How long will data be held for?

  • Management referral and health surveillance information will be held for 6 years after the employee has left their job or until the employee reaches 75 years of age (whichever comes first), as recommended by the British Medical Association (BMA).
  • New employee medicals will be destroyed after 2 years if the employee doesn’t take up the offer of the job.

Who will the data be shared with?

  • The information will remain within Company Health Management Limited, solely accessed by OH Advisers, OH physicians, and OH administrators, and the outcome report/certificate will be shared with the commissioner of services and appropriate others, with your consent. Only in the event of a serious risk to life will confidentiality be breached.
  • Results of Health Surveillance will be passed on to the employer under Reg.11 COSHH Regulations 2002 and ACOP 2013 for retention as required by the Health and Safety Executive (HSE).

How will the personal data be secured?

  • Data security is ensured by no one having the keys to the filing cabinets except the Data Controller and appropriate processors (i.e. OHPs, OHAs, OH technicians and administrators), no one having log-in details to computers other than the Data Controller and appropriate processors, no one having access to shared drives other than the Data Controller and appropriate processors, and all documents being despatched with both encryption and password protection.

Information about your rights of access to your data

  • You have the right to see any information we hold about you in your occupational health record. The request should be made in writing and will be responded to within 4 weeks, without charge.
  • You can also request that an amendment is attached to your health record if you believe any of the information held is inaccurate or misleading.
  • In the case of a request for erasure, retention may still be lawful (i.e. if required for legal compliance).