Occupational Health Assessment Ltd Privacy Notice
Last Updated: April 2022
This privacy notice explains what we do with your personal data, why we use it, who we share it with, how long we keep it and the rights that you have regarding the data and its usage.
The notice explains:
- Why we can process your information
- What our reason (or purpose) is for processing your information
- Whether you must provide us with information
- Whether your information is shared to others and under what circumstances
- How long we store your information
- Whether we will transfer your information to another country
- Whether we complete any automated decision-making or profiling
- How we protect your information
- How you can contact us if you need to at any time
References to your “employer” include your employer, your employer’s representative (any person who engages us on behalf of your employer, such as, but not limited to, a manager or HR consultant) or pension trustees.
This privacy notice is for all clients who use our services, any of their employees or agents who are referred to us, and for those employees who become users of our services.
Who are we?
We are Occupational Health Assessment Ltd (“we”, “our”, “us”). This includes its subsidiary Defensio and any appointed representatives, including medical practitioners acting on its behalf. We are registered with the ICO under number ZA783761.
We will be either the data “Controller” or data “Processor” of the personal data provided to us, depending on the context and service provided. This privacy notice is provided with respect to the services for which we act as a data Controller.
For example, for Occupational Health Assessment services we are a Controller, because we determine the means and purposes of processing your data, whereas for on-site testing services (save for where one of our clinicians interprets the results and provides a report), we process your data as a Processor and your employer is the data Controller.
We have contracts or service agreements with our clients that mean that we have a responsibility to look after the health of their workforces and advise them on health matters.
Our purpose for processing your information is to ensure that we can let employers know that their employees are fit to do their jobs, are compliant with Health and Safety Laws, can make ill-health retirement and pensions decisions, and that they have done everything that they need to do to ensure the wellbeing of their employees.
To do this we may need to process and record information relating to you. The lawful basis that we rely on is Article 6 (1 (f) (“Legitimate Interests”) and the special category condition is Article 9 (2) (h) (“Health – including occupational medicine”) of the UK GDPR.
We have a legitimate interest in processing your personal data because we are required to do so in order to provide our services. The specific condition we meet to process your special category data is processing “necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services”.
If you provide us with any information about reasonable adjustments you require when attending an appointment with us, under the Equality Act 2010, the lawful basis we rely on for processing this information is Article 6 (1) (c) of UK GDPR to comply with our legal obligations under the Act.
Data or information we may collect and how we may use it
We collect and use the information that you and your employer provide to us directly. For example, when a referral is made to us from your employer it may include personal information such as your full name, title, date of birth, address, contact telephone numbers, work, or personal email addresses, employment information (such as role and work history) and employee number.
We use this information for the following purposes:
- To arrange and book appointments
- To send you reminders about your appointment
- To contact you if we need to re-arrange an appointment
- To contact you to arrange any reasonable adjustments you may need to attend an appointment
- To contact you for a face-to-face, telephone or video assessment appointment
- To verify that we are speaking to the correct person
- To contact you for feedback about your appointment
- To contact you following any query you may have about your appointment or records
We may also collect and process sensitive information about you. This includes information about your health and will form part of your occupational health record. This information can relate to both your physical and mental health.
It may include past and current medical history, medication that you may be taking or have taken, as well as past and current occupational health records. We may also collect other personal and sensitive data, but only where absolutely necessary. For example, if there is a clinical reason to do so, you may be asked to state your ethnicity, and occupational health records may require information about your family history or lifestyle.
We may also request and collect information from your GP, consultant, or other healthcare professionals. These may be sent directly from your employer, if you have shared this information with them, or you may prefer to share these directly with us. We may also request these directly from relevant healthcare professionals. These will be processed as part of your occupational health record. We will always record your consent to approach other healthcare specialists or to participate in any of our services.
When we use information depends on the nature of the service we are providing when we use the relevant health information, but it may include:
- To determine your fitness to work
- To provide information about your fitness to work back to your employer
- To assess if you need any reasonable adjustments or support in the workplace due to a health condition
- To assess whether any risks in your workplace may have an adverse impact on your health
- To advise your employer on pensions and ill-health retirement matters
- To administer medications or vaccinations
- To analyse diagnostic results and/or medication and interpret them for your employer (for example for alcohol and drug testing services or biological monitoring services)
We will only use aggregated, anonymised data to inform our management reporting and improve and develop the service that we provide. We will not share any personally identifying information with anyone outside our business, other than clinical contractors who have completed identity and security checks and have signed confidentiality agreements, unless you give us express permission to do so.
We may provide our clients with data analysis about their workforce so that they can identify key themes and trends. We will only use anonymised data which means that it is impossible to identify any individual from the information.
We may also need to verify that you are who you say you are if you request information from us in accordance with your rights. To do this we will ask you to supply one or two pieces of identity evidence such as a birth certificate and driving licence. This information will only ever be used to verify your identity.
Information we share and why
Under the English common law of confidentiality, we are required to share information with your employer with your consent, but we will always ask you if you want to see the report before we send it. (N.B. This is not to be confused with the legal basis under UK GDPR, which is expressly not consent but is legitimate interests (see above).)
If you decide that you want to see a report first rather than at the same time as your employer, you have the right to do so. When we provide the report to your employer it is not your full occupational health record, but will include relevant facts and opinions as to whether you are medically fit to do a particular task or job, whether you have a condition which may affect your role and/or whether any adjustments are recommended.
If you choose not to allow your employer to see the report, they will have to make decisions based on the information that they do already have.
Some of our contracts may also require us to transfer information to other specialist clinical services who work in partnership with us, such as laboratory services and therapy services. They may require your personal information to process blood tests or supply treatment to you.
We may be required, in some circumstances, to share information with HSE/DVLA/UK Health Security Agency or other relevant public bodies. We will only do so where we are required to by law or if it is in the public interest.
Our clinicians may share information provided with their colleagues to ensure a high quality of service is provided, for example as part of clinical notes audits, practice meetings and appraisal processes. They may also need to share information where serious safeguarding concerns are raised, and we have a Safeguarding Policy in place to ensure that the right practices are followed.
We may share information with a third party to support and host some of our UK based systems, including our database, website, and telephone system. We also use third party expertise for the electronic scanning of medical records and storage of archived paper records. We may obtain outside IT support.
We have contracts in place with all suppliers that help us to ensure the security and privacy of your personal information in accordance with UK GDPR and they may not use your information for any other purpose. All our third parties are bound by the same strict codes of conduct and confidentiality and have restricted access to occupational health information. We participate in the Commercial Occupational Health Providers Association Code of Conduct.
We will never use personal data that you have shared with us for occupational health purposes for marketing purposes.
In circumstances where your employer changes service provider, we may share your records with the incoming provider. In such circumstances we will ask your employer to inform you that this is going to happen. Once the records are transferred, they will become the responsibility of the incoming provider as data Controller.
How long do we store your information?
How long we store your information will depend on the type of record that we have been processing.
Your occupational health records are processed for the duration of our contract with your employer and for a further six years after you have left their employment. After this time, if we have permission from your employer, then your occupational health record will be securely deleted.
Under Health and Safety law, there is a requirement to keep Health Surveillance records for forty years. These records will be stored separately on our system and will be kept for forty years. Where records have been transferred from a previous provider and it is not possible to tell whether the records are Occupational Health records or Health Surveillance records, the longer retention period will be applied.
If our contract ends with your employer, we will stop processing your information and all personal data and health records will be transferred to your employer’s next occupational health provider (please see above).
Information that is processed about you, but that does not form part of your Occupational Health record, such as internal email communications may be securely deleted as part of our in-house ‘housekeeping’ procedure to ensure that we do not retain your data unnecessarily.
Where do we process your information?
We process your information within the UK, we do not send or store any personal data outside of the United Kingdom (unless your employer is based in or has an office outside of the United Kingdom and we are required to send information to them in order to fulfil our contract – in such circumstances we will only do so in accordance with UK GDPR and the Data Protection Act 2018).
How do we protect your information?
We design our systems with your security and privacy in mind. All information is held on a secure system which is compliant with Cyber Essentials, ISO and HIPAA standards for security and subject to annual penetration testing.
We work to protect the security of your personal information during any communications with you using secure communication methods and secure software procedures. We maintain physical, electronic, and procedural safeguards in connection with storage and disclosure of your personal information. Our security procedures mean that we may ask you to verify your identity before we disclose personal information to you.
Access to any of your personal data held on our systems is restricted to nominated employees within Occupational Health Assessment Ltd who are required to have access to your information to provide our service. Those employees can only access your information using our secure IT network. Our employees are following a strong Password Policy and have annual training on Data Protection and Information Governance.
Where information is shared with a third party, such as a laboratory to process test results, we have data sharing agreements in place, and only those authorised to process your data will be permitted to do so for the purpose of the processing.
We use anti-virus and anti-malware software to reduce the risk of any malicious computer virus or cyber attack on our systems. We also have a process in place to ensure that all security software updates are applied as soon as they are released.
We also ensure that your information is encrypted when it is being moved. For example, when we share a report with you, or when your employer needs to view the report, they access a secure workspace to download a report when it is ready. Your employer will not have access to your Occupational Health record as it is kept securely on our system and visible only to us.
UK GDPR gives you certain rights when it comes to your personal data. However, as we are processing your information for the purpose of Occupational Health not all these rights will apply. The list below details your rights under UK GDPR.
Right of access – this means that you have the right to request a copy of the personal data held about you.
This right applies to information that relates to you and identifies you and we have 30 days to respond once we can verify your identity.
Right to rectification – if you think that any of your personal information that we hold is inaccurate or incomplete you can request it to be updated. We may ask you for evidence to show that it is inaccurate.
This right is often applied where we hold an incorrect email address or telephone number. It only applies where there are factual inaccuracies in your information, and you cannot alter the opinion of a clinical professional. Where documents are rectified and they are medical records, it may be appropriate for us to retain the original version and append the corrected version.
Right to erasure – this is also known as the right to be forgotten. You can request that your personal data is erased, however, this right is not absolute.
As we process your information for the purpose of Occupational Health, we cannot erase these records. You can, however, request that we erase personal information such as an email address, if we are still able to identify your Occupational Health record.
Right to restrict processing – when you have contested the accuracy of your personal data your right to restrict processing will be automatically implemented. That means we will hold your personal data on file, but we will not process it.
Right to data portability – you have the right to ask us to electronically move, copy or transfer your personal information in a machine-readable format.
Right to object – you have the right to object to the processing of your personal data at any time. This right only applies in certain circumstances.
Right to withdraw consent –As we process your information for the purpose of Occupational Health, we have a legitimate reason to process your information and do not rely solely on consent. However, if we have previously informed you that we have relied on consent as a legal basis to process your information (please note this is different to common law consent), you are reminded that you can withdraw your consent at any time.
If you wish to exercise any of your rights, please contact us at email@example.com
We will ask for information to verify your identity, so that we make sure we protect your information. The lawful basis that we rely on is Article 6 (1) (c) of the UK GDPR, which relates to our legal obligation to comply with the law. We will only keep verification information for as long as it is necessary to process your request.
Common law of confidentiality and consent
Health professionals have a duty to comply with the common law of confidentiality which means that you have a right to withdraw your consent for us to share information about your health to your employer (this is separate from and distinct to your rights under UK GDPR).
If you choose to do this, we must notify your employer who may need to make decisions without the benefit of impartial Occupational Health advice. If your job involves a requirement for routine fitness to work medicals or health surveillance screening, then your employer may have to stop you from doing your job.
Information about our website
Our website address is: https://occupationalhealthassessment.com.
What personal data we collect and why we collect it
When visitors leave comments on the site we collect the data shown in the comments form, and also the visitor’s IP address and browser user agent string to help spam detection.
If you upload images to the website, you should avoid uploading images with embedded location data (EXIF GPS) included. Visitors to the website can download and extract any location data from images on the website.
Contact forms & Cookies
If you leave a comment on our site you may opt-in to saving your name, email address and website in cookies. These are for your convenience so that you do not have to fill in your details again when you leave another comment. These cookies will last for one year.
If you visit our login page, we will set a temporary cookie to determine if your browser accepts cookies. This cookie contains no personal data and is discarded when you close your browser.
When you log in, we will also set up several cookies to save your login information and your screen display choices. Login cookies last for two days, and screen options cookies last for a year. If you select “Remember Me”, your login will persist for two weeks. If you log out of your account, the login cookies will be removed.
If you edit or publish an article, an additional cookie will be saved in your browser. This cookie includes no personal data and simply indicates the post ID of the article you just edited. It expires after 1 day.
Embedded content from other websites
Articles on this site may include embedded content (e.g. videos, images, articles, etc.). Embedded content from other websites behaves in the exact same way as if the visitor has visited the other website.
If you leave a comment, the comment and its metadata are retained indefinitely. This is so we can recognize and approve any follow-up comments automatically instead of holding them in a moderation queue.
For users that register on our website (if any), we also store the personal information they provide in their user profile. All users can see, edit, or delete their personal information at any time (except they cannot change their username). Website administrators can also see and edit that information.
What rights you have over your data
If you have an account on this site, or have left comments, you can request to receive an exported file of the personal data we hold about you, including any data you have provided to us. You can also request that we erase any personal data we hold about you. This does not include any data we are obliged to keep for administrative, legal, or security purposes.
Where we send your data
Visitor comments and emails may be checked through an automated spam detection service.
Data Protection Officer contact details and your right to complain
We work to the highest standards when it comes to processing your personal information. If you have any questions about your personal information, or how we use it, you can contact our Data Protection Officer, Magnus Kauders, by email via firstname.lastname@example.org, or by writing to us at Occupational Health Assessment Ltd, Surrey Technology Centre, 40 Occam Road, Guildford. GU2 7YG.
We encourage you to contact us if you have any concerns about how we use your personal information, however, if you are not satisfied with our response or believe we are processing your personal information incorrectly and not in accordance with UK GDPR, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at www.ICO.org.uk.