OCCUPATIONAL HEALTH PRIVACY NOTICE

 

This privacy policy applies to the data held by Occupational Health Business Management Ltd (OHBM) and the use of our site (www.ohbm.co.uk). OHBM understand the use of data and how it is shared must be carefully controlled. We respect the privacy of those who use our website and will only collect data which is consistent with our obligations under GDPR and professional standards.

Please read this privacy policy carefully and ensure that you understand it. Your acceptance of our privacy policy is deemed to occur upon your first use of our site. Please stop using the site if you do not accept and agree with this privacy policy.

Our site may contain links to other websites and we do not have control over how they collect, store and share data, therefore we advise you to check the privacy policies of each website before issuing any data to them.

The Occupational Health Practitioner is both Data Controller and Data Processor and committed to protecting the rights of the individual, acknowledging that any personal data handled will be processed in accordance with the Data Protection Act 1998 (DPA) and the new General Data Protection Regulations (GDPR) 2018.

What Data Will Be Collected

The following data may be collected, held and shared by Occupational Health:

  • Personal information (e.g. Name, Address, Date of Birth, email, National Insurance, telephone numbers, to identify and communicate with the individual and employee’s company.)
  • Characteristics (ethnicity, gender)
  • Past and present job roles
  • Health information

Who It Will Be Collected From

  • Human Resources
  • Managers
  • Employees
  • Other health professionals (e.g. GP, specialist, physio)

How It Will Be Collected

  • Email
  • Face to Face or by phone
  • Health questionnaires
  • Health assessment
  • Post

 Why is it Collected

  • For the purpose of preventative or occupational medicine, for the assessment of the working capacity of the employee.
  • To ensure the health and safety of employees at work and to allow consideration of any adjustments that may be required to support their ability to work.
  • Data may also be used for research, audit or statistics but will be anonymized if this is the case.

Lawful Basis For Processing (from the General Data Protection Regulations)

  1. Article 6(1)

(f) Processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

  1. Additional condition for the processing of Special Category Data

Article 9(2)

(h) Processing is necessary for the purposes of Occupational Medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care or treatment, or the management of health or social care systems and services on the basis of EU or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in in para 3 (below).

Article 9(3)2

Personal data may be processed for the purposes referred to in (2)(h) when those data are processed by or under the responsibility of a professional subject to the obligation of professional secrecy under EU or Member State law or rules established by national competent bodies.

How Long Your Data Will be Held For

  • Information will be held for 6 years after leaving employment, or 75 years of age (whichever is soonest) as recommended by the British Medical Association (BMA) unless there is a recognised clinical need or statutory requirement to retain it for longer.
  • New employee assessments will be discarded after 2 years if the offer of the job is not taken up.

How Your Data Will Be Stored

  • Records are kept mainly on paper as part of a structured filing system and are stored in accordance with the BMA’s medical records storage policy and in compliance with GDPR. They are accessible only to Occupational Heath.
  • Some records are kept digitally on a separate personal drive within the IT system and are password protected.
  • Email is encrypted.
  • Iphone’s are encrypted.

Who Your Information Will Be Shared With

  • Information about you will not be shared with third parties without your consent unless the law allows this, or there is a serious risk to life.
  • Results of Health Surveillance will be passed on to the employer under Reg. 11 COSHH Regulations 2002 and ACOP 2103 for retention as required by the Health and Safety Executive (HSE).
  • In certain circumstances, we may be legally required to share certain data held by us, which may include your personal data, for example, for legal proceedings, where we are complying with legal obligations, a court order, or a governmental authority.

Your Rights

  • You have the right to see any information held about you in your Occupational Health Clinical Record. The request should be made in writing and will be responded to within 4 weeks, without charge.
  • You can also request that an amendment is attached to the OH report if you believe any of the information held by Occupational Health is inaccurate, you cannot change the opinion of the OH professional.
  • You have the right to withdraw consent. Please ensure Occupational Health has received this information in writing prior to the report being released.
  • In the case of request for erasure, retention may be lawful (e.g. if required for legal compliance).
  • The right to data portibility (to pass your data to another health professional).
  • If you have any cause for complaint about our use of your personal data, please contact us and we will do our best to solve the problem for you.
  • For further information about your rights, please contact the Information Commissioner’s Office or your local Citizens Advice Bureau.
  • The right to restrict the use of your personal data, except where lawful.

Changes to Our Privacy Policy

We may change this privacy policy from time to time (for example, if the law changes). Any changes will be posted on our site and you will be deemed to have accepted the terms of the privacy policy on your first use of our site following the alterations. We recommend that you check this page regularly to keep up-to-date.

ICO Registration No. 00013072450